Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 176s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 20:18
Static task: static1
Behavioral task: behavioral1
- Sample: Cheater.Pro.1.6.0.msi
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: Cheater.Pro.1.6.0.msi
- Resource: win10v2004-20231215-en
General
- Target: Cheater.Pro.1.6.0.msi
- Size: 2.9MB
- MD5: eecb590907a5720bba1c7483f5178081
- SHA1: 3dbded201fca12d8162705cd0c19312fb01b1216
- SHA256: bd9ddcb74f8eb5078d3be35af96b1b796bb4cfbc5572325cacda5fe40a2e75a8
- SHA512: 442ee9b069d1f62910aba0e9ca1589d644751cafd432dd1fd36231bff23a87c226c616a621d85d14e3ececc54296771f072f9fbe1e554963b70348f56caeb355
- SSDEEP: 49152:Qwp9ib+ZKumZr1q4Fb6HXr1iWnYs4ntHurpllQ6atuxtZcTreUuyZD6lvVz9VSDZ:gYKFFnWnkuxUTgvV/+lfh
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 940 compiler.exe
- Loads dropped DLL (20 IoCs)
  PID 2564 MsiExec.exe (13 entries), PID 1832 MsiExec.exe (6 entries), PID 1872 MsiExec.exe (1 entry)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, and \??\G: through \??\Z: (each of these 23 drive letters opened twice; 46 entries in total; C:, D: and F: do not appear)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3: ip-api.com
- Drops file in System32 directory (2 IoCs)
  File opened for modification by powershell.exe (2 identical entries): C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
- Drops file in Program Files directory (2 IoCs)
  File created by msiexec.exe: C:\Program Files\Cheater Pro Inc\Cheater Pro\compiler.exe
  File created by msiexec.exe: C:\Program Files\Cheater Pro Inc\Cheater Pro\config
- Drops file in Windows directory (13 IoCs), all by msiexec.exe
  File opened for modification: C:\Windows\Installer\MSI781D.tmp
  File opened for modification: C:\Windows\Installer\MSI7793.tmp
  File opened for modification: C:\Windows\Installer\MSI81C4.tmp
  File created: C:\Windows\Installer\f775090.msi
  File opened for modification: C:\Windows\Installer\f775090.msi
  File opened for modification: C:\Windows\Installer\MSI79A5.tmp
  File opened for modification: C:\Windows\Installer\MSIB16E.tmp
  File opened for modification: C:\Windows\Installer\MSI77A4.tmp
  File opened for modification: C:\Windows\Installer\MSI7860.tmp
  File opened for modification: C:\Windows\Installer\f775091.ipi
  File opened for modification: C:\Windows\Installer\MSI7927.tmp
  File created: C:\Windows\Installer\f775091.ipi
  File opened for modification: C:\Windows\Installer\
- Modifies data under HKEY_USERS (3 IoCs), all by msiexec.exe
  Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
  Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2564 MsiExec.exe, PID 1832 MsiExec.exe, PID 2592 msiexec.exe (2 entries), PID 2408 powershell.exe, PID 840 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2816 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2592 msiexec.exe enabled: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 2816 msiexec.exe enabled (the following set, several times over; 61 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 2816 msiexec.exe (2 entries), PID 1808 SndVol.exe (2 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 1808 SndVol.exe (4 entries)
- Suspicious use of WriteProcessMemory (32 IoCs)
  PID 2592 msiexec.exe wrote to memory of PID 2564 (procid_target 30): 7 entries
  PID 2592 msiexec.exe wrote to memory of PID 1832 (procid_target 32): 7 entries
  PID 1832 MsiExec.exe wrote to memory of PID 2408 (procid_target 33): 4 entries
  PID 2408 powershell.exe wrote to memory of PID 840 (procid_target 35): 3 entries
  PID 2592 msiexec.exe wrote to memory of PID 1872 (procid_target 36): 7 entries
  PID 2564 MsiExec.exe wrote to memory of PID 940 (procid_target 38): 4 entries
Processes
- C:\Windows\system32\msiexec.exe (PID 2816)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cheater.Pro.1.6.0.msi
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2592)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2564)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B6ADE9FC20B7DEDC99AA27382957D0D9 C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Cheater Pro Inc\Cheater Pro\compiler.exe (PID 940)
      Command line: "C:\Program Files\Cheater Pro Inc\Cheater Pro\compiler.exe" "C:\Program Files\Cheater Pro Inc\Cheater Pro\config"
      - Executes dropped EXE
  - C:\Windows\syswow64\MsiExec.exe (PID 1832)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7DD0C2293285C4F46A87B72EA353DFA3
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2408)
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss78EA.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi78D8.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr78D9.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr78DA.txt" -propSep " :<->: " -testPrefix "_testValue."
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 840)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -Command "& { & 'Add-MpPreference' -ExclusionExtension '.dll', '.exe' -ExclusionPath C: -Force }"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\syswow64\MsiExec.exe (PID 1872)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A796261F03740E00E1A53A590EE10076 M Global\MSI0000
    - Loads dropped DLL
- C:\Windows\system32\SndVol.exe (PID 1808)
  Command line: SndVol.exe -f 27919076 19659
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 188KB
  MD5: fa15847aafeeade4d037a299d4917f8d
  SHA1: 938719c7144309a08212790a95f09d8288479f22
  SHA256: 8d68c94fc38c6ce747c88940da1721a8000290f0b201be8918c9d5df7a49af16
  SHA512: 243ee93a21941b8c51344d9f3953a36e27ab116663d4bdb00e27e524e2af50c44282a1fcb9abdb8bd56698d3320b0e1c42544649c26fb2b292641aafa279984f
- Filesize: 405KB
  MD5: 2ce16bb9eab2a00f4be7ead4b657ab04
  SHA1: ecf53029855fc75d36167a1399344dfadc8f37a5
  SHA256: 59af090caa09a80f1d763fcc6b0f9c533bf374c93d0b90ff64371274f49aa418
  SHA512: 629aac1d935110d498ba763d1bc17e3f241b18d36177bb4dfe4dcb8200321443b096e0c2b3d1fe9f982c32f6877d7dc582c130bf490e2e0bf8bf3a6e92327dc5
- Filesize: 471KB
  MD5: 078cd6632e8e103bb67acc49a8d55c5c
  SHA1: 584a45bab23f41cbcf35b36087c941627b6cf104
  SHA256: 53bc89a8776085ddc4a56f173e152d4123d50dbdf695b5adb3fcc5939ebc0130
  SHA512: 2f35bdb33e60b3fa630ba4255ad5fcde1312ec484b3bb9153a911545723775ca6e2586344f39876243a1de66f213fa1765260bb6c33cc63926f3985e59b3d3e7
- Filesize: 141KB
  MD5: 7c4ade2221d6ab37cb3e4b1c1b6ac6cc
  SHA1: 60f68619779a702f0c29d1ce2ec346f396ff58c1
  SHA256: 98fd2ae890f7ac2b3a0b596bc6920bd303394f97d1a86cf502bc85c89e307829
  SHA512: d22abe15c78566a9e3f7b1558f57ade5f7b96cd2cb19f64f40fa7d1e442565bdd4b2296df1060d5cfa4ec694d32a715c5ccc94baa08ff090f9a33a8c4dbb5515
- Filesize: 436KB
  MD5: 475d20c0ea477a35660e3f67ecf0a1df
  SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
  SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
  SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
- Filesize: 897KB
  MD5: 6189cdcb92ab9ddbffd95facd0b631fa
  SHA1: b74c72cefcb5808e2c9ae4ba976fa916ba57190d
  SHA256: 519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783
  SHA512: ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf
- Filesize: 419KB
  MD5: 8df55a08bb7097fd494543e75c560341
  SHA1: 2979f57c67a2ae65924774349c797813f2cfe638
  SHA256: bca784906a09d4abc4a340fa4c70be769c55dc91ec29b558baaf0eb34b6a68e4
  SHA512: f704ea8225bfb5bf3efdb04fe0d3b354eaa90ffaa98ad0e78648a60e5ef33a831f255631f26d76662cff1e68c1904ce0629e00e7e2954419ab432b8869c412b3
- Filesize: 5KB
  MD5: fc1bb6c87fd1f08b534e52546561c53c
  SHA1: db402c5c1025cf8d3e79df7b868fd186243aa9d1
  SHA256: a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
  SHA512: 5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
- Filesize: 354B
  MD5: 600bfa83ad3a937d36fb345a0cee05a8
  SHA1: 527cefc6c6fcf5d67920546f2a7bef0db53d43be
  SHA256: fc1b5b652ee5e91939a8b7113280866de2a31ada0609c47fa3a2951cc96f5507
  SHA512: cf313d2250fcd98edbcb9c63c3d38ac3a35d7e2935e58ba69d8e488728d930230d05697c840ca82ee2c004e5f19cba3612f324e0d0ef76720ae9b888e0cbf9ba
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W3PV7KAVN8B3GFWUR5T6.temp
  Filesize: 7KB
  MD5: 032a3876b564aa8e6397d8966194cff6
  SHA1: bb29b74182537f847e2f6c1b35536a0b90c59d2b
  SHA256: 92e38d691f5af3019688c15d08a032fe3eed4f36a8881524da81da895f00426b
  SHA512: 4fc6f7ef0f0f9f25a25757684b116f77ac247dcbe839e09aee240683c2228cfe3852c8b55f104b668c18b1154f2d6af5b0b80bbbde94e3a2a118fae294345d09
- Filesize: 187KB
  MD5: f11e8ec00dfd2d1344d8a222e65fea09
  SHA1: 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
  SHA256: 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
  SHA512: 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3
- Filesize: 574KB
  MD5: 7b7d9e2c9b8236e7155f2f97254cb40e
  SHA1: 99621fc9d14511428d62d91c31865fb2c4625663
  SHA256: df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
  SHA512: fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
- Filesize: 873KB
  MD5: df0cb729ae131a4db9bf24e896146731
  SHA1: b8b0d63cdf4f4ae641c4ba0643975be0980d69b3
  SHA256: 8ca4b8f7fead383aa5ecf8acd13a1fec49e65798d8a72170ecf738f741b0928f
  SHA512: cb7a38745fecbcd19bd3e4d69db26df85e1e17c62307f285e32aee327619656bc043cbc6aebb6a4798722fa4bfb6c804cb988534f9c6cb41901f4b0c66bef438