Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
236s -
max time network
245s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
10/01/2023, 03:09
Static task
static1
Behavioral task
behavioral1
Sample
LauncherFenix-Minecraft-v7.exe
Resource
win7-20220812-en
9 signatures
300 seconds
Behavioral task
behavioral2
Sample
LauncherFenix-Minecraft-v7.exe
Resource
win10v2004-20221111-en
6 signatures
300 seconds
General
-
Target
LauncherFenix-Minecraft-v7.exe
-
Size
397KB
-
MD5
d99bb55b57712065bc88be297c1da38c
-
SHA1
fb6662dd31e8e5be380fbd7a33a50a45953fe1e7
-
SHA256
122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb
-
SHA512
3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17
-
SSDEEP
3072:puzvch1rugYc4wqYSRR756K7ItBjgXHUYCnlK:Wch1aIqYSRVM+unlK
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\taskschd.msc mmc.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CA7D1B83-909C-11ED-9584-C22E595EE768}.dat = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CA7D1B81-909C-11ED-9584-C22E595EE768} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1784 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe Token: 33 836 mmc.exe Token: SeIncBasePriorityPrivilege 836 mmc.exe -
Suspicious use of FindShellTrayWindow 46 IoCs
pid Process 1708 iexplore.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe -
Suspicious use of SendNotifyMessage 45 IoCs
pid Process 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe 1784 taskmgr.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1732 javaw.exe 1732 javaw.exe 1708 iexplore.exe 1708 iexplore.exe 1392 IEXPLORE.EXE 1392 IEXPLORE.EXE 1732 javaw.exe 1732 javaw.exe 836 mmc.exe 836 mmc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1412 wrote to memory of 1732 1412 LauncherFenix-Minecraft-v7.exe 27 PID 1412 wrote to memory of 1732 1412 LauncherFenix-Minecraft-v7.exe 27 PID 1412 wrote to memory of 1732 1412 LauncherFenix-Minecraft-v7.exe 27 PID 1412 wrote to memory of 1732 1412 LauncherFenix-Minecraft-v7.exe 27 PID 1732 wrote to memory of 1708 1732 javaw.exe 28 PID 1732 wrote to memory of 1708 1732 javaw.exe 28 PID 1732 wrote to memory of 1708 1732 javaw.exe 28 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30 PID 1708 wrote to memory of 1392 1708 iexplore.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://launcherfenix.com.ar/wope/register/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1708 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1392
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:964
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:836
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:524
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x56c1⤵PID:440
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" SYSTEM1⤵PID:336
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:1260
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1928