Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
09/01/2024, 20:18
General
-
Target
Cheater.Pro.1.6.0.msi
-
Size
2.9MB
-
MD5
eecb590907a5720bba1c7483f5178081
-
SHA1
3dbded201fca12d8162705cd0c19312fb01b1216
-
SHA256
bd9ddcb74f8eb5078d3be35af96b1b796bb4cfbc5572325cacda5fe40a2e75a8
-
SHA512
442ee9b069d1f62910aba0e9ca1589d644751cafd432dd1fd36231bff23a87c226c616a621d85d14e3ececc54296771f072f9fbe1e554963b70348f56caeb355
-
SSDEEP
49152:Qwp9ib+ZKumZr1q4Fb6HXr1iWnYs4ntHurpllQ6atuxtZcTreUuyZD6lvVz9VSDZ:gYKFFnWnkuxUTgvV/+lfh
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 20 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 13 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cheater.Pro.1.6.0.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B6ADE9FC20B7DEDC99AA27382957D0D9 C2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Cheater Pro Inc\Cheater Pro\compiler.exe"C:\Program Files\Cheater Pro Inc\Cheater Pro\compiler.exe" "C:\Program Files\Cheater Pro Inc\Cheater Pro\config"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7DD0C2293285C4F46A87B72EA353DFA32⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss78EA.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi78D8.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr78D9.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr78DA.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A796261F03740E00E1A53A590EE10076 M Global\MSI00002⤵
- Loads dropped DLL
-
-
C:\Windows\system32\SndVol.exeSndVol.exe -f 27919076 196591⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
MD5fa15847aafeeade4d037a299d4917f8d
SHA1938719c7144309a08212790a95f09d8288479f22
SHA2568d68c94fc38c6ce747c88940da1721a8000290f0b201be8918c9d5df7a49af16
SHA512243ee93a21941b8c51344d9f3953a36e27ab116663d4bdb00e27e524e2af50c44282a1fcb9abdb8bd56698d3320b0e1c42544649c26fb2b292641aafa279984f
-
Filesize
405KB
MD52ce16bb9eab2a00f4be7ead4b657ab04
SHA1ecf53029855fc75d36167a1399344dfadc8f37a5
SHA25659af090caa09a80f1d763fcc6b0f9c533bf374c93d0b90ff64371274f49aa418
SHA512629aac1d935110d498ba763d1bc17e3f241b18d36177bb4dfe4dcb8200321443b096e0c2b3d1fe9f982c32f6877d7dc582c130bf490e2e0bf8bf3a6e92327dc5
-
Filesize
471KB
MD5078cd6632e8e103bb67acc49a8d55c5c
SHA1584a45bab23f41cbcf35b36087c941627b6cf104
SHA25653bc89a8776085ddc4a56f173e152d4123d50dbdf695b5adb3fcc5939ebc0130
SHA5122f35bdb33e60b3fa630ba4255ad5fcde1312ec484b3bb9153a911545723775ca6e2586344f39876243a1de66f213fa1765260bb6c33cc63926f3985e59b3d3e7
-
Filesize
141KB
MD57c4ade2221d6ab37cb3e4b1c1b6ac6cc
SHA160f68619779a702f0c29d1ce2ec346f396ff58c1
SHA25698fd2ae890f7ac2b3a0b596bc6920bd303394f97d1a86cf502bc85c89e307829
SHA512d22abe15c78566a9e3f7b1558f57ade5f7b96cd2cb19f64f40fa7d1e442565bdd4b2296df1060d5cfa4ec694d32a715c5ccc94baa08ff090f9a33a8c4dbb5515
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
897KB
MD56189cdcb92ab9ddbffd95facd0b631fa
SHA1b74c72cefcb5808e2c9ae4ba976fa916ba57190d
SHA256519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783
SHA512ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf
-
Filesize
419KB
MD58df55a08bb7097fd494543e75c560341
SHA12979f57c67a2ae65924774349c797813f2cfe638
SHA256bca784906a09d4abc4a340fa4c70be769c55dc91ec29b558baaf0eb34b6a68e4
SHA512f704ea8225bfb5bf3efdb04fe0d3b354eaa90ffaa98ad0e78648a60e5ef33a831f255631f26d76662cff1e68c1904ce0629e00e7e2954419ab432b8869c412b3
-
Filesize
5KB
MD5fc1bb6c87fd1f08b534e52546561c53c
SHA1db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA5125495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
Filesize
354B
MD5600bfa83ad3a937d36fb345a0cee05a8
SHA1527cefc6c6fcf5d67920546f2a7bef0db53d43be
SHA256fc1b5b652ee5e91939a8b7113280866de2a31ada0609c47fa3a2951cc96f5507
SHA512cf313d2250fcd98edbcb9c63c3d38ac3a35d7e2935e58ba69d8e488728d930230d05697c840ca82ee2c004e5f19cba3612f324e0d0ef76720ae9b888e0cbf9ba
-
Filesize
7KB
MD5032a3876b564aa8e6397d8966194cff6
SHA1bb29b74182537f847e2f6c1b35536a0b90c59d2b
SHA25692e38d691f5af3019688c15d08a032fe3eed4f36a8881524da81da895f00426b
SHA5124fc6f7ef0f0f9f25a25757684b116f77ac247dcbe839e09aee240683c2228cfe3852c8b55f104b668c18b1154f2d6af5b0b80bbbde94e3a2a118fae294345d09
-
Filesize
187KB
MD5f11e8ec00dfd2d1344d8a222e65fea09
SHA1235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA5126163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3
-
Filesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
Filesize
873KB
MD5df0cb729ae131a4db9bf24e896146731
SHA1b8b0d63cdf4f4ae641c4ba0643975be0980d69b3
SHA2568ca4b8f7fead383aa5ecf8acd13a1fec49e65798d8a72170ecf738f741b0928f
SHA512cb7a38745fecbcd19bd3e4d69db26df85e1e17c62307f285e32aee327619656bc043cbc6aebb6a4798722fa4bfb6c804cb988534f9c6cb41901f4b0c66bef438
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB