Analysis
- max time kernel: 327s
- max time network: 335s
- platform: windows7_x64
- resource: win7-20221111-es
- resource tags: arch:x64, arch:x86, image:win7-20221111-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 11/02/2023, 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: Lunar Cracked 2.0/2.0/Lunar Cracked 2.0 JCrick.exe
- Resource: win7-20221111-es
Behavioral task: behavioral2
- Sample: Lunar Cracked 2.0/2.0/Lunar Cracked 2.0 JCrick.exe
- Resource: win10v2004-20221111-es
General
- Target: Lunar Cracked 2.0/2.0/Lunar Cracked 2.0 JCrick.exe
- Size: 155KB
- MD5: a47d2d310133c49379968408966623f9
- SHA1: 1023eb2a64197189f8e3d0c425ef33d8b275f189
- SHA256: 28a56c6f5e69db9da87e986c263f267294ca2ea6da7612ff688094925440e561
- SHA512: 5a5f54e8d161a8567826822222d7af99023bcfc10c7688236ef0f80f1df6f473d14a89f663df7a504dbaa6d252fb956326584105836979ead2a7a97680b6bbd9
- SSDEEP: 3072:YahKyd2n31/5GWp1icKAArDZz4N9GhbkrNEk13NT:YahOXp0yN90QEe
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Lunar Cracked 2.0 JCrick.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Lunar Cracked 2.0 JCrick.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1092 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1092 | powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1244 wrote to memory of 1092 | 1244 | Lunar Cracked 2.0 JCrick.exe | 28
PID 1244 wrote to memory of 1092 | 1244 | Lunar Cracked 2.0 JCrick.exe | 28
PID 1244 wrote to memory of 1092 | 1244 | Lunar Cracked 2.0 JCrick.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 1244
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -ExecutionPolicy Bypass -File launcher.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1092
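The signature and process-tree sections above together describe one chain: an executable running from the user's Temp directory writes a wextract_cleanup RunOnce entry (the cleanup hook that Windows' IExpress/wextract self-extractor leaves behind, pointing rundll32 at advpack.dll,DelNodeRunDLL32 to delete the IXP000.TMP extraction folder) and then spawns powershell.exe with -ExecutionPolicy Bypass -File. The following detection logic is an added example, not part of the tria.ge report or of any sandbox's signature set. It runs over constructed log events whose field names (type, pid, ppid, image, cmdline, key, data) are an assumed simplified schema, not any vendor's log format; the values mirror the report's IoCs.

```python
"""Correlate a wextract_cleanup RunOnce write with a child PowerShell launched
with -ExecutionPolicy Bypass -File, as seen in the report above.

Added example; event schema and sample events are constructed assumptions.
"""
import re

# Constructed events mirroring the report's IoCs (assumed simplified schema).
# PIDs follow the report: 1244 (the extractor) -> 1092 (powershell.exe).
EVENTS = [
    {"type": "process_create", "pid": 1244, "ppid": 800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe"'},
    {"type": "registry_set", "pid": 1244,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"type": "process_create", "pid": 1092, "ppid": 1244,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File launcher.ps1"},
    # Benign control: an interactive shell under explorer.exe, no bypass flag.
    {"type": "process_create", "pid": 800, "ppid": 4,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 2000, "ppid": 800,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
]

# wextract_cleanup<N> under RunOnce, with the advpack DelNodeRunDLL32 payload.
RUNONCE_CLEANUP = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
DELNODE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
# -ExecutionPolicy Bypass (or the -ep short form) together with a -File <x>.ps1.
EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass\b", re.I)
SCRIPT_ARG = re.compile(r"-(?:File|f)\s+\S+\.ps1\b", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def is_wextract_cleanup(ev):
    """True for the self-extractor cleanup RunOnce write seen in the report."""
    return (ev["type"] == "registry_set"
            and bool(RUNONCE_CLEANUP.search(ev["key"]))
            and bool(DELNODE.search(ev["data"])))


def is_bypass_powershell(ev):
    """True for powershell.exe started with -ExecutionPolicy Bypass -File."""
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("powershell.exe")
            and bool(EP_BYPASS.search(ev["cmdline"]))
            and bool(SCRIPT_ARG.search(ev["cmdline"])))


def correlate(events):
    """Alert when a Temp-resident process both writes the cleanup RunOnce entry
    and is the parent of a bypass PowerShell launch. Neither indicator alone
    fires: legitimate IExpress packages write the key, and admin scripts use
    -ExecutionPolicy Bypass."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    cleanup_pids = {ev["pid"] for ev in events if is_wextract_cleanup(ev)}
    alerts = []
    for ev in events:
        if not is_bypass_powershell(ev):
            continue
        parent = procs.get(ev["ppid"])
        if parent is None:
            continue
        if ev["ppid"] in cleanup_pids and USER_TEMP.search(parent["image"]):
            alerts.append({"parent_pid": ev["ppid"],
                           "parent_image": parent["image"],
                           "child_pid": ev["pid"],
                           "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT: self-extractor in Temp launched bypass PowerShell:", alert)
```

The correlation deliberately keys on the parent, not on the RunOnce value alone: the wextract_cleanup entry is what any IExpress-built self-extracting package writes, so by itself it only tells you the sample is a wrapper around extracted content, and the IXP000.TMP folder it schedules for deletion is where the dropped launcher.ps1 should be collected from before the cleanup runs.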
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
- MD5: 34971e3999e85fc1e4ac673815febf05
- SHA1: 4041d1e879cd8cc7c686cb7218df8341c5a6a6ab
- SHA256: 15bacbb40d3e20de76c1e0062ebd167ef39a65eb476a38ae7da7d2df8880d562
- SHA512: 04c4e8eac629209785e115fcc78a8c99a7e65ef49f47044ff8929ad5c5584108fd6a4b8a12c4c37645f4566ecee8133a03153302aeab68aa9d1e917275190cd0