Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/06/2023, 09:10 UTC

General

  • Target

    http://game-server.prod.royalmatch.drmgms.com

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://game-server.prod.royalmatch.drmgms.com
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffb0b619758,0x7ffb0b619768,0x7ffb0b619778
      2⤵
        PID:4040
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:2
        2⤵
          PID:236
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
          2⤵
            PID:3572
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
            2⤵
              PID:2472
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:1
              2⤵
                PID:3180
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:1
                2⤵
                  PID:956
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
                  2⤵
                    PID:4388
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:8
                    2⤵
                      PID:2352
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 --field-trial-handle=1820,i,16846553324042943947,7849159836162658040,131072 /prefetch:2
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1572
                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                    1⤵
                      PID:4272
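
Every process in this tree is Chrome (plus Chrome's own elevation_service.exe): the root chrome.exe, PID 452, is the analysis run's launch of the browser against the submitted URL (`--simulate-outdated-no-au` is a Chrome switch that makes the browser behave as if it were outdated with auto-update off), and every signature listed above is attached to that root process. The question a practitioner actually wants answered from this tree is which children ran with a sandbox switched off. The Python below is an example added here, not part of the tria.ge report: it parses the command lines listed above (long or irrelevant switches such as --gpu-preferences and --field-trial-handle are omitted; the sandbox-related switches are kept verbatim) and lists the PIDs whose own flags disable a sandbox.

```python
"""Audit the Chrome process tree from the report: what each process was
launched to do, and which children run with a sandbox explicitly switched
off on their own command line."""
import ntpath
import re

# (pid, depth, command line) as listed in the Processes section. Long or
# irrelevant switches (--gpu-preferences, --field-trial-handle, some renderer
# feature flags) are omitted; the checks below do not look at them.
CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
PROCESSES = [
    (452, 1, CHROME + r''' "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://game-server.prod.royalmatch.drmgms.com'''),
    (4040, 2, CHROME + r' --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Chrome --annotation=ver=106.0.5249.119'),
    (236, 2, CHROME + r' --type=gpu-process --mojo-platform-channel-handle=1796 /prefetch:2'),
    (3572, 2, CHROME + r' --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:8'),
    (2472, 2, CHROME + r' --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 /prefetch:8'),
    (3180, 2, CHROME + r' --type=renderer --first-renderer-process --lang=en-US --renderer-client-id=6 --mojo-platform-channel-handle=3156 /prefetch:1'),
    (956, 2, CHROME + r' --type=renderer --lang=en-US --renderer-client-id=5 --mojo-platform-channel-handle=3164 /prefetch:1'),
    (4388, 2, CHROME + r' --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8'),
    (2352, 2, CHROME + r' --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:8'),
    (1572, 2, CHROME + r' --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-driver-version=10.0.19041.546 --mojo-platform-channel-handle=2848 /prefetch:2'),
    (4272, 1, r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"'),
]

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows-style command line, keeping double-quoted arguments whole."""
    return [tok.strip('"') for tok in TOKEN.findall(cmdline)]


def parse_flags(args):
    """Map --name[=value] switches to their values; everything else is positional."""
    flags, positional = {}, []
    for arg in args:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            flags[name] = value
        else:
            positional.append(arg)
    return flags, positional


def describe(pid, depth, cmdline):
    args = tokenize(cmdline)
    image = ntpath.basename(args[0])
    flags, positional = parse_flags(args[1:])
    if image.lower() == "chrome.exe":
        ptype = flags.get("type", "browser")          # no --type: the browser (broker) process
        role = flags.get("utility-sub-type", ptype)   # utilities name the service they host
    else:
        ptype = role = image
    # Two ways a Chrome child announces an unsandboxed run on its command line.
    sandbox_off = (flags.get("service-sandbox-type") == "none"
                   or "disable-gpu-sandbox" in flags)
    return {"pid": pid, "depth": depth, "image": image, "type": ptype, "role": role,
            "sandbox_off_by_flag": sandbox_off, "flags": flags, "positional": positional}


def audit(processes=PROCESSES):
    return [describe(*p) for p in processes]


def unsandboxed_pids(processes=PROCESSES):
    """PIDs whose own command line switches a sandbox off."""
    return sorted(d["pid"] for d in audit(processes) if d["sandbox_off_by_flag"])


def launch_target(processes=PROCESSES):
    """Positional (non-switch) arguments of the root chrome.exe: the URL under test."""
    root = next(d for d in audit(processes)
                if d["depth"] == 1 and d["image"].lower() == "chrome.exe")
    return root["positional"]


if __name__ == "__main__":
    for d in audit():
        indent = "  " * (d["depth"] - 1)
        print(f'{d["pid"]:>5} {indent}{d["role"]:<40} sandbox off by flag: {d["sandbox_off_by_flag"]}')
    print("launched against:", launch_target())
    print("sandbox disabled by flag:", unsandboxed_pids())
```

Run as a script it prints one line per process. The network service, the ProcessorMetrics and UtilWin utilities (all `--service-sandbox-type=none`) and the second GPU process, PID 1572 (`--disable-gpu-sandbox --use-gl=disabled`), come out as unsandboxed; the storage service (`--service-sandbox-type=utility`), both renderers and the first GPU process do not. The browser process and the crashpad handler carry no sandbox switch at all, which the check reports as "not disabled by flag" rather than "sandboxed".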

                    Network

                    • flag-us
                      DNS
                      assets.msn.com
                      Remote address:
                      8.8.8.8:53
                      Request
                      assets.msn.com
                      IN A
                      Response
                      assets.msn.com
                      IN CNAME
                      assets.msn.com.edgekey.net
                      assets.msn.com.edgekey.net
                      IN CNAME
                      e28578.d.akamaiedge.net
                      e28578.d.akamaiedge.net
                      IN A
                      23.72.248.198
                      e28578.d.akamaiedge.net
                      IN A
                      23.72.248.225
                      e28578.d.akamaiedge.net
                      IN A
                      23.72.248.196
                      e28578.d.akamaiedge.net
                      IN A
                      23.72.248.214
                    • flag-us
                      DNS
                      198.248.72.23.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      198.248.72.23.in-addr.arpa
                      IN PTR
                      Response
                      198.248.72.23.in-addr.arpa
                      IN PTR
                      a23-72-248-198.deploy.static.akamaitechnologies.com
                    • flag-us
                      DNS
                      133.211.185.52.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      133.211.185.52.in-addr.arpa
                      IN PTR
                      Response
                    • flag-us
                      DNS
                      game-server.prod.royalmatch.drmgms.com
                      chrome.exe
                      Remote address:
                      8.8.8.8:53
                      Request
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      Response
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      54.92.160.216
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      34.235.202.248
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      52.205.83.254
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      3.93.244.141
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      3.223.42.71
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      52.206.159.164
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      3.91.128.242
                      game-server.prod.royalmatch.drmgms.com
                      IN A
                      75.101.175.225
                    • flag-us
                      GET
                      http://game-server.prod.royalmatch.drmgms.com/
                      chrome.exe
                      Remote address:
                      54.92.160.216:80
                      Request
                      GET / HTTP/1.1
                      Host: game-server.prod.royalmatch.drmgms.com
                      Connection: keep-alive
                      Upgrade-Insecure-Requests: 1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                      Accept-Encoding: gzip, deflate
                      Accept-Language: en-US,en;q=0.9
                      Response
                      HTTP/1.1 404
                      Date: Wed, 07 Jun 2023 09:11:12 GMT
                      Content-Type: text/html;charset=utf-8
                      Content-Length: 431
                      Connection: keep-alive
                      Vary: Origin
                      Vary: Access-Control-Request-Method
                      Vary: Access-Control-Request-Headers
                      Content-Language: en
                    • flag-us
                      GET
                      http://game-server.prod.royalmatch.drmgms.com/favicon.ico
                      chrome.exe
                      Remote address:
                      54.92.160.216:80
                      Request
                      GET /favicon.ico HTTP/1.1
                      Host: game-server.prod.royalmatch.drmgms.com
                      Connection: keep-alive
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
                      Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                      Referer: http://game-server.prod.royalmatch.drmgms.com/
                      Accept-Encoding: gzip, deflate
                      Accept-Language: en-US,en;q=0.9
                      Response
                      HTTP/1.1 404
                      Date: Wed, 07 Jun 2023 09:11:12 GMT
                      Content-Type: text/html;charset=utf-8
                      Content-Length: 431
                      Connection: keep-alive
                      Vary: Origin
                      Vary: Access-Control-Request-Method
                      Vary: Access-Control-Request-Headers
                      Content-Language: en
                    • flag-us
                      DNS
                      195.179.250.142.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      195.179.250.142.in-addr.arpa
                      IN PTR
                      Response
                      195.179.250.142.in-addr.arpa
                      IN PTR
                      ams15s42-in-f31.1e100.net
                    • flag-us
                      DNS
                      216.160.92.54.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      216.160.92.54.in-addr.arpa
                      IN PTR
                      Response
                      216.160.92.54.in-addr.arpa
                      IN PTR
                      ec2-54-92-160-216.compute-1.amazonaws.com
                    • flag-us
                      DNS
                      232.168.11.51.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      232.168.11.51.in-addr.arpa
                      IN PTR
                      Response
                    • flag-us
                      DNS
                      0.77.109.52.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      0.77.109.52.in-addr.arpa
                      IN PTR
                      Response
                    • 23.72.248.198:443
                      assets.msn.com
                      tls
                      3.3kB sent, 29.2kB received
                      36 packets sent, 34 packets received
                    • 54.92.160.216:80
                      http://game-server.prod.royalmatch.drmgms.com/favicon.ico
                      http
                      chrome.exe
                      1.3kB sent, 1.7kB received
                      9 packets sent, 7 packets received

                      HTTP Request

                      GET http://game-server.prod.royalmatch.drmgms.com/

                      HTTP Response

                      404

                      HTTP Request

                      GET http://game-server.prod.royalmatch.drmgms.com/favicon.ico

                      HTTP Response

                      404
                    • 54.92.160.216:80
                      game-server.prod.royalmatch.drmgms.com
                      chrome.exe
                      236 B sent, 184 B received
                      5 packets sent, 4 packets received
                    • 93.184.220.29:80
                      322 B, 7 packets
                    • 93.184.220.29:80
                      322 B, 7 packets
                    • 40.125.122.176:443
                      260 B, 5 packets
                    • 20.189.173.5:443
                      322 B, 7 packets
                    • 173.223.113.164:443
                      322 B, 7 packets
                    • 173.223.113.131:80
                      322 B, 7 packets
                    • 40.125.122.176:443
                      260 B, 5 packets
                    • 8.238.177.126:80
                      322 B, 7 packets
                    • 40.125.122.176:443
                      260 B, 5 packets
                    • 40.125.122.176:443
                      260 B, 5 packets
                    • 40.125.122.176:443
                      260 B, 5 packets
                    • 40.125.122.176:443
                      260 B, 5 packets
                    • 8.8.8.8:53
                      assets.msn.com
                      dns
                      60 B sent, 198 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      assets.msn.com

                      DNS Response

                      23.72.248.198
                      23.72.248.225
                      23.72.248.196
                      23.72.248.214

                    • 8.8.8.8:53
                      198.248.72.23.in-addr.arpa
                      dns
                      72 B sent, 137 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      198.248.72.23.in-addr.arpa

                    • 8.8.8.8:53
                      133.211.185.52.in-addr.arpa
                      dns
                      73 B sent, 147 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      133.211.185.52.in-addr.arpa

                    • 8.8.8.8:53
                      game-server.prod.royalmatch.drmgms.com
                      dns
                      chrome.exe
                      84 B sent, 212 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      game-server.prod.royalmatch.drmgms.com

                      DNS Response

                      54.92.160.216
                      34.235.202.248
                      52.205.83.254
                      3.93.244.141
                      3.223.42.71
                      52.206.159.164
                      3.91.128.242
                      75.101.175.225

                    • 8.8.8.8:53
                      195.179.250.142.in-addr.arpa
                      dns
                      74 B sent, 112 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      195.179.250.142.in-addr.arpa

                    • 8.8.8.8:53
                      216.160.92.54.in-addr.arpa
                      dns
                      72 B sent, 127 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      216.160.92.54.in-addr.arpa

                    • 224.0.0.251:5353
                      chrome.exe
                      204 B, 3 packets
                    • 8.8.8.8:53
                      232.168.11.51.in-addr.arpa
                      dns
                      72 B sent, 158 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      232.168.11.51.in-addr.arpa

                    • 8.8.8.8:53
                      0.77.109.52.in-addr.arpa
                      dns
                      70 B sent, 144 B received
                      1 packet sent, 1 packet received

                      DNS Request

                      0.77.109.52.in-addr.arpa
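
The network evidence for the submitted URL is small and worth cross-checking rather than eyeballing: the target resolved to eight AWS addresses, the sandbox connected to the first of them and obtained a PTR placing it in EC2's compute-1 reverse zone, and both GET requests got a 404 whose Vary headers (Origin, Access-Control-Request-Method, Access-Control-Request-Headers) show CORS handling on the path, which is what an API backend rather than a web front end typically returns for a bare GET /. The Python below is an example added here, not part of the tria.ge report. It rebuilds the in-addr.arpa names, checks that the address embedded in each PTR answer agrees with the address that was queried, and parses the captured 404 (note the status line has no reason phrase, so the parser must not require one). A caveat on what the PTR check proves: the reverse zone is controlled by the address owner (AWS here), so a consistent PTR tells you the address is in that provider's space, not who the tenant is.

```python
"""Cross-check the DNS and HTTP evidence recorded for the submitted URL."""
import ipaddress
import re

TARGET = "game-server.prod.royalmatch.drmgms.com"
# A records returned for the target (from the report above).
A_RECORDS = ["54.92.160.216", "34.235.202.248", "52.205.83.254", "3.93.244.141",
             "3.223.42.71", "52.206.159.164", "3.91.128.242", "75.101.175.225"]
# PTR answers the sandbox obtained for addresses it talked to (from the report above).
PTR_ANSWERS = {
    "216.160.92.54.in-addr.arpa": "ec2-54-92-160-216.compute-1.amazonaws.com",
    "198.248.72.23.in-addr.arpa": "a23-72-248-198.deploy.static.akamaitechnologies.com",
    "195.179.250.142.in-addr.arpa": "ams15s42-in-f31.1e100.net",
}
# The response to GET / from 54.92.160.216:80, as captured (no reason phrase).
RESPONSE_404 = (
    "HTTP/1.1 404\r\n"
    "Date: Wed, 07 Jun 2023 09:11:12 GMT\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 431\r\n"
    "Connection: keep-alive\r\n"
    "Vary: Origin\r\n"
    "Vary: Access-Control-Request-Method\r\n"
    "Vary: Access-Control-Request-Headers\r\n"
    "Content-Language: en\r\n\r\n"
)


def reverse_name(ip):
    """IPv4 address -> the in-addr.arpa owner name a PTR query uses."""
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_reverse_name(name):
    """Inverse of reverse_name: recover the dotted-quad from an in-addr.arpa name."""
    suffix = ".in-addr.arpa"
    if name.lower().endswith(suffix):
        name = name[:-len(suffix)]
    return ".".join(reversed(name.split(".")))


# EC2 (ec2-A-B-C-D.region.amazonaws.com) and Akamai (aA-B-C-D.deploy.static...)
# PTR names embed the address; Google's 1e100.net names do not.
_EMBEDDED = re.compile(r"^(?:ec2-|a)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def ip_embedded_in_ptr(hostname):
    m = _EMBEDDED.match(hostname)
    return ".".join(m.groups()) if m else None


def check_ptr(query_name, answer):
    """Does the address spelled out in the PTR target agree with the one queried?
    None when the naming scheme embeds no address (nothing to compare)."""
    queried = ip_from_reverse_name(query_name)
    embedded = ip_embedded_in_ptr(answer)
    return {"ip": queried, "ptr": answer,
            "embedded_ip_matches": (embedded == queried) if embedded else None}


def hosting_summary(target=TARGET, a_records=A_RECORDS, ptrs=PTR_ANSWERS):
    """For each A record of the target: the PTR on file (if any) and whether it is EC2."""
    out = {}
    for ip in a_records:
        ptr = ptrs.get(reverse_name(ip))
        out[ip] = {"ptr": ptr, "ec2": bool(ptr and ptr.endswith(".amazonaws.com"))}
    return out


def parse_http_response(raw):
    """Minimal HTTP/1.x response parser; tolerates a missing reason phrase."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, _, rest = lines[0].partition(" ")
    status = int(rest.split(" ", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": version, "status": status, "headers": headers}


def response_facts(raw=RESPONSE_404):
    r = parse_http_response(raw)
    vary = {v.lower() for v in r["headers"].get("vary", [])}
    return {
        "status": r["status"],
        "content_length": int(r["headers"]["content-length"][0]),
        # Varying on CORS request headers means the server applies CORS handling here.
        "cors_aware": {"origin", "access-control-request-method"} <= vary,
    }


if __name__ == "__main__":
    for q, a in PTR_ANSWERS.items():
        print(check_ptr(q, a))
    print(hosting_summary())
    print(response_facts())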

                    MITRE ATT&CK Enterprise v6

                    Downloads

                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      f6bff71cbbb45b4bbe45ba7210a3a960

                      SHA1

                      77babb8533a11d60ff076e4aa7e4fd01758446bd

                      SHA256

                      1ef6b0c1021ac3c0e0b86fdfa6ed195d5f0a179bf767f023b570047295b66cf5

                      SHA512

                      41a586dad732478d43c8d5fb02acc2d2fcad5f43b9fb33599a1e5260a8d7186fad2175f8b607181f9bb68505db776e59437067f0c836c2c5260242291e7c0ce3

                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                      Filesize

                      6KB

                      MD5

                      5cc4b4bac7df3aff8caf71dde9480a28

                      SHA1

                      e8174a8c7e9bc5976b1a95c5869f56b784258066

                      SHA256

                      9631b1895e33c5f5453b9be82bb26310fa477da6779e8d38de9a47e64b03e1e1

                      SHA512

                      7a8f90c0b4973379d634018dbb2b364668fb6f52b8bc68a477f792ebcf61c6d920466d1108fecaae6c60f176317e6c8b52d54e59522690a205c49ded7af663bd

                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      5c725def9b637c863738971b3800457e

                      SHA1

                      051e44deb7835523c3df792f1527464c0aa223de

                      SHA256

                      63651fb00cbbba42e9b8b34aebc65599aeb2c9adc8cb15f0d46868e801ce8a67

                      SHA512

                      862daabdf134d206df4911a406f69ba34b04b860a6ac126555d58c43c212d71db2f308f67814c1714175ea4a5e112af5acef588c15a94de3adce6192a7f0e7a0

                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                      Filesize

                      158KB

                      MD5

                      0246b473bb911f29ba707eda9adc5811

                      SHA1

                      d361cd03addbb0cb46f9bc888dcb9b5c9f27d2d9

                      SHA256

                      09bd006c0af36b1ff260e8570710914d548f42bd4b3cbbaa93d84b931dbc4034

                      SHA512

                      ead10f0ee8a92da2441d84495e7bbe60fc2e2b8cc3a79871f21bc9de18c9a527ddd3a917d00baaa685cb751ae6efe5d6857bf7853e7afd6e0560133fdf85034b

                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                      Filesize

                      2B

                      MD5

                      99914b932bd37a50b983c5e7c90ae93b

                      SHA1

                      bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                      SHA256

                      44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                      SHA512

                      27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
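
Of the files listed above, only the last one has contents you can pin down from the report alone: it is 2 bytes long and its four digests are given. The Python below is an example added here, not part of the tria.ge output. It recomputes the digests and brute-forces the contents of a small file from them (any file of up to three bytes of tab, newline, carriage return or printable ASCII, so it goes beyond this one case), which confirms that persisted_first_party_sets.json is the literal text `{}`, an empty JSON object, consistent with the file name. The other entries are Chrome's own profile state: Preferences appears three times with three different digests, so three distinct versions were captured, and Local State is 158KB; nothing about their contents can be recovered from digests.

```python
"""Check the report's digests for the 2-byte file against candidate contents."""
import hashlib
from itertools import product

# Digests the Downloads section lists for
# C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json (2 B)
REPORTED = {
    "md5": "99914b932bd37a50b983c5e7c90ae93b",
    "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
    "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "sha512": "27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9"
              "a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data):
    """All four digests the report publishes, for arbitrary bytes."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def compare(data, reported):
    """Per-algorithm match of computed digests against what the report lists."""
    got = digests(data)
    return {a: got[a] == reported[a].lower() for a in ALGOS if a in reported}


# Byte values worth trying for a tiny text/JSON file: tab, LF, CR and printable ASCII.
_ALPHABET = bytes([9, 10, 13]) + bytes(range(0x20, 0x7F))


def identify_small_file(reported, size, max_size=3):
    """Brute-force the contents of a `size`-byte file from its reported digests.
    Screens on MD5 (cheapest) and confirms every listed digest before accepting;
    returns None when nothing in the alphabet matches or the file is too large."""
    if size > max_size:
        return None
    want_md5 = reported["md5"].lower()
    for combo in product(_ALPHABET, repeat=size):
        candidate = bytes(combo)
        if (hashlib.md5(candidate).hexdigest() == want_md5
                and all(compare(candidate, reported).values())):
            return candidate
    return None


if __name__ == "__main__":
    content = identify_small_file(REPORTED, 2)
    print("persisted_first_party_sets.json contents:", content)   # expected: b'{}'
    print(compare(b"{}", REPORTED))
```

The MD5 screen keeps the search cheap (about ten thousand candidates at two bytes, under a million at three); the confirmation step is what makes the answer trustworthy, since all four published digests must agree on the same bytes.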
