Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2023, 07:50

General

  • Target

    52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe

  • Size

    727KB

  • MD5

    c6e3854ce5fd2cc208e0d69323338bae

  • SHA1

    2a55ad9d47b97c3ffee633d81b98721728e61e1a

  • SHA256

    52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba

  • SHA512

    10117b25f7d23760c37e06f498b8e987fb44b7afbb7e39bbe2dcb74dc1a3a8225964ec5f84031e11e0a26b0bc0004bbc2c286eafb031c4c87becad57264eb630

  • SSDEEP

    12288:pNsvD3T7o5cWTeVs/S6NYfLbowrSN2eEbEQK:TsvrT7oSWTi8NYDbfrSIbDK

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe
    "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerUI.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc stop easyanticheat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\system32\sc.exe
        sc stop easyanticheat
        3⤵
        • Launches sc.exe
        PID:624
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc stop bedaisy
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\system32\sc.exe
        sc stop bedaisy
        3⤵
        • Launches sc.exe
        PID:3580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc stop beservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\sc.exe
        sc stop beservice
        3⤵
        • Launches sc.exe
        PID:1628
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:844
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4260
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im EasyAntiCheat.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1460
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerSvc.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4188
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im beservice.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4168
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im beservice.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im EpicGamesLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:696
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:1416
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4312
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3228
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\52c402b2e90ab2cde05080da8863ecb5352e3cc07c24db9db3c0e5f465d132ba.exe" MD5
        3⤵
          PID:2748
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:4412
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:4932
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
            2⤵
              PID:3856
              • C:\Windows\system32\cmd.exe
                cmd /C "color b && title Error && echo Signature checksum failed. The request was either tampered with, or your session ended and you need to run the program again. && timeout /t 5"
                3⤵
                  PID:1328
                  • C:\Windows\system32\timeout.exe
                    timeout /t 5
                    4⤵
                    • Delays execution with timeout.exe
                    PID:1864
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3016 -s 2100
                2⤵
                • Program crash
                PID:4368
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 456 -p 3016 -ip 3016
              1⤵
                PID:2112

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads