Resubmissions

11/02/2023, 18:10

230211-wscc9aed57 8

11/02/2023, 18:06

230211-wp5kmaec83 6

Analysis

  • max time kernel
    327s
  • max time network
    335s
  • platform
    windows7_x64
  • resource
    win7-20221111-es
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    11/02/2023, 18:10

General

  • Target

    Lunar Cracked 2.0/2.0/Lunar Cracked 2.0 JCrick.exe

  • Size

    155KB

  • MD5

    a47d2d310133c49379968408966623f9

  • SHA1

    1023eb2a64197189f8e3d0c425ef33d8b275f189

  • SHA256

    28a56c6f5e69db9da87e986c263f267294ca2ea6da7612ff688094925440e561

  • SHA512

    5a5f54e8d161a8567826822222d7af99023bcfc10c7688236ef0f80f1df6f473d14a89f663df7a504dbaa6d252fb956326584105836979ead2a7a97680b6bbd9

  • SSDEEP

    3072:YahKyd2n31/5GWp1icKAArDZz4N9GhbkrNEk13NT:YahOXp0yN90QEe

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe
    "C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File launcher.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1092
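
The process tree above is a compact detection target: a dropper running from the user's Temp directory spawns PowerShell with -ExecutionPolicy Bypass on a script that was unpacked into %TEMP%\IXP000.TMP (the extraction directory IExpress self-extracting packages use), and the dropper also writes a Run key. The Python below is an added example, not tria.ge code: it runs a handful of triage rules over constructed Sysmon-style process and registry events that mirror this report, plus one benign control event to show the rules do not fire on ordinary script use. The event field names, the benign event and the Run-key value (which the report counts but does not list) are assumptions; the hashes and paths are copied from this page.

```python
"""Triage rules for the dropper -> powershell -ExecutionPolicy Bypass pattern above.

Added example, not tria.ge code. Events are constructed to mirror this report's
process tree; Sysmon-style field names and the Run-key value are assumptions.
"""
import re
from dataclasses import dataclass

# SHA-256 values copied from the report (dropper and dropped launcher.ps1).
KNOWN_SHA256 = {
    "28a56c6f5e69db9da87e986c263f267294ca2ea6da7612ff688094925440e561": "Lunar Cracked 2.0 JCrick.exe (dropper)",
    "15bacbb40d3e20de76c1e0062ebd167ef39a65eb476a38ae7da7d2df8880d562": "launcher.ps1 (dropped script)",
}

# %TEMP%\IXPnnn.TMP is where an IExpress self-extracting package unpacks, so a
# script executed from there came out of an SFX rather than from a normal path.
IEXPRESS_DIR = re.compile(r"\\Temp\\IXP\d{3}\.TMP(?:\\|$)", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PS_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass\b", re.IGNORECASE)
PS_FILE = re.compile(r"-File\s+\S+\.ps1\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" (creation) or "registry" (value set)
    pid: int
    image: str = ""
    cmdline: str = ""
    cwd: str = ""
    parent_image: str = ""
    sha256: str = ""
    target: str = ""     # registry value path (registry events only)
    data: str = ""       # registry value data (registry events only)


def triage(events):
    """Return (pid, rule) pairs; a pid with no findings does not appear at all."""
    hits = []
    for ev in events:
        if ev.kind == "process":
            if ev.sha256.lower() in KNOWN_SHA256:
                hits.append((ev.pid, "ioc_hash:" + KNOWN_SHA256[ev.sha256.lower()]))
            if ev.image.lower().endswith("\\powershell.exe"):
                # Bypass + -File is the classic "run a dropped script" shape;
                # escalate when the working directory is an IExpress temp dir.
                if PS_BYPASS.search(ev.cmdline) and PS_FILE.search(ev.cmdline):
                    rule = "ps_bypass_file"
                    if IEXPRESS_DIR.search(ev.cwd) or IEXPRESS_DIR.search(ev.cmdline):
                        rule += "_from_iexpress_tmp"
                    hits.append((ev.pid, rule))
                # PowerShell whose parent lives in the user's Temp dir.
                if USER_TEMP.search(ev.parent_image):
                    hits.append((ev.pid, "ps_spawned_from_user_temp"))
        elif ev.kind == "registry":
            # Persistence: Run/RunOnce value whose data points into user Temp.
            if RUN_KEY.search(ev.target) and USER_TEMP.search(ev.data):
                hits.append((ev.pid, "run_key_points_to_user_temp"))
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Lunar Cracked 2.0\2.0\Lunar Cracked 2.0 JCrick.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events mirroring the report's process tree (PIDs 1244 and 1092).
SAMPLE_EVENTS = [
    Event("process", 1244, image=DROPPER, cmdline=f'"{DROPPER}"',
          parent_image=r"C:\Windows\explorer.exe",
          sha256="28a56c6f5e69db9da87e986c263f267294ca2ea6da7612ff688094925440e561"),
    Event("process", 1092, image=POWERSHELL,
          cmdline="powershell.exe -ExecutionPolicy Bypass -File launcher.ps1",
          cwd=r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP",
          parent_image=DROPPER),
    # Assumption: the report says a Run key is added but does not show the value.
    Event("registry", 1244,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\launcher.ps1"),
    # Benign control (constructed): an admin running a script from a fixed path.
    Event("process", 2000, image=POWERSHELL,
          cmdline=r"powershell.exe -File C:\Scripts\backup.ps1",
          cwd=r"C:\Scripts", parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The rules are deliberately narrow: -ExecutionPolicy Bypass alone is common in administration, so the example only fires when it is combined with -File, and it adds the IExpress qualifier only when the working directory or command line shows an IXPnnn.TMP path. In a real pipeline the SHA-256 lookup would be fed from the sandbox's IoC export rather than a hard-coded dict.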

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\launcher.ps1

    Filesize

    2KB

    MD5

    34971e3999e85fc1e4ac673815febf05

    SHA1

    4041d1e879cd8cc7c686cb7218df8341c5a6a6ab

    SHA256

    15bacbb40d3e20de76c1e0062ebd167ef39a65eb476a38ae7da7d2df8880d562

    SHA512

    04c4e8eac629209785e115fcc78a8c99a7e65ef49f47044ff8929ad5c5584108fd6a4b8a12c4c37645f4566ecee8133a03153302aeab68aa9d1e917275190cd0

  • memory/1092-57-0x000007FEF30D0000-0x000007FEF3AF3000-memory.dmp

    Filesize

    10.1MB

  • memory/1092-58-0x0000000002564000-0x0000000002567000-memory.dmp

    Filesize

    12KB

  • memory/1092-59-0x000007FEEE320000-0x000007FEEEE7D000-memory.dmp

    Filesize

    11.4MB

  • memory/1092-60-0x000000001B730000-0x000000001BA2F000-memory.dmp

    Filesize

    3.0MB

  • memory/1092-62-0x000000000256B000-0x000000000258A000-memory.dmp

    Filesize

    124KB

  • memory/1092-63-0x0000000002564000-0x0000000002567000-memory.dmp

    Filesize

    12KB

  • memory/1092-64-0x0000000002564000-0x0000000002567000-memory.dmp

    Filesize

    12KB

  • memory/1092-65-0x000000000256B000-0x000000000258A000-memory.dmp

    Filesize

    124KB

  • memory/1244-54-0x000007FEFB551000-0x000007FEFB553000-memory.dmp

    Filesize

    8KB