Analysis
- max time kernel: 93s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/02/2024, 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: MinecraftInstaller.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: MinecraftInstaller.exe
  Resource: win10v2004-20240221-en
General
- Target: MinecraftInstaller.exe
- Size: 32.3MB
- MD5: cfd9316537bf9aebd4c98e4939085948
- SHA1: 2b2e14d098308c0204ab57f4c6abfb230ae19762
- SHA256: 9c00e8dd5a6c9a8d22a4ae2e5a8bdeecf73b7ba6dbe12e787e5e8bf9bbb0c1c9
- SHA512: cb9fd36106b915811bcfaaa4359ac2cdd8caad562f4954b9cc21b09b60111c0fb3d2ce06714d0de5339ca7fd62cc658c494b873f4a7062e309746e6a92552975
- SSDEEP: 393216:kbekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9y5:/Zn/G4Gqk1cWe2iTVCMue3X
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | MinecraftInstaller.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | GamingRepair.exe
- Checks system information in the registry (2 TTPs, 2 IoCs)
  System information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | GamingRepair.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | GamingRepair.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3848 | GamingRepair.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GamingRepair.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | GamingRepair.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | GamingRepair.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GamingRepair.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | GamingRepair.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | GamingRepair.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2152 | MinecraftInstaller.exe
  Token: SeSecurityPrivilege | 1368 | wevtutil.exe
  Token: SeBackupPrivilege | 1368 | wevtutil.exe
  Token: SeSecurityPrivilege | 4812 | wevtutil.exe
  Token: SeBackupPrivilege | 4812 | wevtutil.exe
  Token: SeSecurityPrivilege | 3240 | wevtutil.exe
  Token: SeBackupPrivilege | 3240 | wevtutil.exe
  Token: SeSecurityPrivilege | 1180 | wevtutil.exe
  Token: SeBackupPrivilege | 1180 | wevtutil.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description | pid | Process | procid_target
  PID 2152 wrote to memory of 3848 | 2152 | MinecraftInstaller.exe | 90
  PID 2152 wrote to memory of 3848 | 2152 | MinecraftInstaller.exe | 90
  PID 3848 wrote to memory of 1368 | 3848 | GamingRepair.exe | 93
  PID 3848 wrote to memory of 1368 | 3848 | GamingRepair.exe | 93
  PID 3848 wrote to memory of 4812 | 3848 | GamingRepair.exe | 95
  PID 3848 wrote to memory of 4812 | 3848 | GamingRepair.exe | 95
  PID 3848 wrote to memory of 3240 | 3848 | GamingRepair.exe | 97
  PID 3848 wrote to memory of 3240 | 3848 | GamingRepair.exe | 97
  PID 3848 wrote to memory of 1180 | 3848 | GamingRepair.exe | 99
  PID 3848 wrote to memory of 1180 | 3848 | GamingRepair.exe | 99
  PID 3848 wrote to memory of 1684 | 3848 | GamingRepair.exe | 101
  PID 3848 wrote to memory of 1684 | 3848 | GamingRepair.exe | 101
  PID 1684 wrote to memory of 4064 | 1684 | wscollect.exe | 103
  PID 1684 wrote to memory of 4064 | 1684 | wscollect.exe | 103
  PID 1684 wrote to memory of 472 | 1684 | wscollect.exe | 104
  PID 1684 wrote to memory of 472 | 1684 | wscollect.exe | 104
  PID 3848 wrote to memory of 3008 | 3848 | GamingRepair.exe | 105
  PID 3848 wrote to memory of 3008 | 3848 | GamingRepair.exe | 105
  PID 3848 wrote to memory of 4732 | 3848 | GamingRepair.exe | 107
  PID 3848 wrote to memory of 4732 | 3848 | GamingRepair.exe | 107
  PID 3848 wrote to memory of 5096 | 3848 | GamingRepair.exe | 109
  PID 3848 wrote to memory of 5096 | 3848 | GamingRepair.exe | 109
  PID 3848 wrote to memory of 3060 | 3848 | GamingRepair.exe | 111
  PID 3848 wrote to memory of 3060 | 3848 | GamingRepair.exe | 111
  PID 3848 wrote to memory of 2324 | 3848 | GamingRepair.exe | 113
  PID 3848 wrote to memory of 2324 | 3848 | GamingRepair.exe | 113
  PID 3848 wrote to memory of 1136 | 3848 | GamingRepair.exe | 115
  PID 3848 wrote to memory of 1136 | 3848 | GamingRepair.exe | 115
  PID 3848 wrote to memory of 4348 | 3848 | GamingRepair.exe | 117
  PID 3848 wrote to memory of 4348 | 3848 | GamingRepair.exe | 117
  PID 3848 wrote to memory of 876 | 3848 | GamingRepair.exe | 119
  PID 3848 wrote to memory of 876 | 3848 | GamingRepair.exe | 119
  PID 3848 wrote to memory of 560 | 3848 | GamingRepair.exe | 121
  PID 3848 wrote to memory of 560 | 3848 | GamingRepair.exe | 121
  PID 3848 wrote to memory of 5076 | 3848 | GamingRepair.exe | 123
  PID 3848 wrote to memory of 5076 | 3848 | GamingRepair.exe | 123
  PID 3848 wrote to memory of 3748 | 3848 | GamingRepair.exe | 125
  PID 3848 wrote to memory of 3748 | 3848 | GamingRepair.exe | 125
  PID 3848 wrote to memory of 4788 | 3848 | GamingRepair.exe | 127
  PID 3848 wrote to memory of 4788 | 3848 | GamingRepair.exe | 127
  PID 3848 wrote to memory of 1244 | 3848 | GamingRepair.exe | 129
  PID 3848 wrote to memory of 1244 | 3848 | GamingRepair.exe | 129
  PID 3848 wrote to memory of 3208 | 3848 | GamingRepair.exe | 131
  PID 3848 wrote to memory of 3208 | 3848 | GamingRepair.exe | 131
Processes
- C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.exe"
  PID: 2152
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
    PID: 3848
    - Checks computer location settings
    - Checks system information in the registry
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\wevtutil.exe
      Command line: "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppXDeploymentServer/Operational C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppXDeploymentServer_Operational.evtx /ow:true
      PID: 1368
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\wevtutil.exe
      Command line: "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppXDeployment/Operational C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppXDeployment_Operational.evtx /ow:true
      PID: 4812
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\wevtutil.exe
      Command line: "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppxPackaging/Operational C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppxPackaging_Operational.evtx /ow:true
      PID: 3240
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\wevtutil.exe
      Command line: "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppModel-Runtime/Admin C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppModel-Runtime_Admin.evtx /ow:true
      PID: 1180
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\wscollect.exe
      Command line: "C:\Windows\system32\wscollect.exe" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\wscollect_gr.cab
      PID: 1684
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\reg.exe
        Command line: C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SIH" "C:\Users\Admin\AppData\Local\Temp\registry_SIH.txt" /y
        PID: 4064
      - C:\Windows\System32\reg.exe
        Command line: C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig" "C:\Users\Admin\AppData\Local\Temp\registry_DNSPolicy.txt" /y
        PID: 472
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\Software\Microsoft\GamingServices" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_GRTS.reg /y
      PID: 3008
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKCU\Software\Microsoft\GamingServices" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_GRTS.reg /y
      PID: 4732
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GamingServices" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GS_Service.reg /y
      PID: 5096
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GamingServicesNet" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GSNet_Service.reg /y
      PID: 3060
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GameFlt" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GameFlt_Service.reg /y
      PID: 2324
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\Xvdd" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Xvdd_Service.reg /y
      PID: 1136
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\XblAuthManager_Service.reg /y
      PID: 4348
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\XblGameSave_Service.reg /y
      PID: 876
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GameInput Service" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GameInput_Service.reg /y
      PID: 560
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_AppModel.reg /y
      PID: 5076
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_AppModel.reg /y
      PID: 3748
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_Appx.reg /y
      PID: 4788
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKCU\SOFTWARE\Classes\ActivatableClasses\Package" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_Package.reg /y
      PID: 1244
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" export "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_WuPolicy.reg /y
      PID: 3208
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36B
  MD5: a2d16430534b9a45c2a171809c5f2083
  SHA1: 321f1d6aa9031471d7015000fecaea6790f47cde
  SHA256: 09ebb834be08052e618dfcbf745356ee90c1bb2e946a5c9a4b4b7088004813d5
  SHA512: 47fb6ca3912c9f171a4b2b18e23dbd5a50dbc08cbf2ada57b8b69d6cdb8c21424eabce23783b276ae77fa1c25c959434d2cc79b85b3515d37f1aecea31e0c7ca
- Filesize: 652KB
  MD5: 58516279b92d76f3ecaaf7d2e0ef8a82
  SHA1: 6868f5e091656921a9b2e3340595324d3863e6e3
  SHA256: 57d2f45b8c50dd9547afff081f1dc8186ee4096708e715fd1cbcd6f3af56aeae
  SHA512: d75ec2b514521596208eed62f58e294440082157db12a40ff2562b084c19bf09dc2ad6fd56ed097ef214412b303e74e50a8fe75650f29b34d88063cbca7998a2
- Filesize: 573KB
  MD5: 0d05a797214e62f36e15d2149e6f4005
  SHA1: bf634ecf71e833be051672aebb5367392fee44b2
  SHA256: 2dea72909788e997892e7219f859b3361910291eb3feb156dafa8b1ceee20c86
  SHA512: 3b5f3bcb1c54c010bcc9e19a5cbec06061fede5a2a56a730fbf920214af02bdec2c2d602bb51a800c543c011368c4eecbc5aa50fd494e719925d2a80a91283b3
- Filesize: 270B
  MD5: edcaaed49057b04d804ef38622dcfeca
  SHA1: 200458ae3a380983860136acca9b18d62c5bac76
  SHA256: b9532ca922a984f207d3a82499308fa038e1d78169b534b8d7fc116aefe5a05e
  SHA512: 052065767b3bf96cf1314dd8c42940ace0d256eb7f536de0b642f5816dc0b5e6db3ce9a10450e9564b7c932e9261a9d78ca7929a4537646cbf7d5ee8c363b5fb
- Filesize: 336B
  MD5: c3047ec19fe673d02a9d74d9a9d4deba
  SHA1: 87a9a959f02252fb5226333fe7b197aecc9dabb5
  SHA256: 6f9fae20e0186b6a5b6946538d57b4ded658ab804f72e6e385e9ee717cfe3fbd
  SHA512: 3c65a1fe5ac2f3418dd1acc74e671dee1caaef5b44b1843f522670640fc09116db58e968274cdee461f9776bfbd60684628613680d2d71fa9d24fdf99c85d33a
- Filesize: 3KB
  MD5: f90a03d152e8202c3eb57c6e6eb710a8
  SHA1: cab5b11304ebbb9a1ca9c191fbc737082bcb49b9
  SHA256: 89eb956a0ac5a7ebd558eaaebe485c87c40c47baf1954b272b26b0b8724a6352
  SHA512: 2e3e8c359ee1b97e5a01aff6192fd39236f14cd75812fb9ec2488e938c52db294c859062d89b84f6593d3c492d310fe6b514df235b52dec189e7b62e02bd86fb
- Filesize: 3KB
  MD5: cca36a379e81a944c607e4f4d544c565
  SHA1: d09aef7d6cf0bd140f121a85ae2b92307119db89
  SHA256: 8975303228de2bf10d7a55bfbd591bce14e4a124910265eefbeb58229347268c
  SHA512: 8a851c8054c694dcf0b942550de764915f0c860277f910fa0fa6d66962f7e6c7a7c8498a0abd55e51e6725fb585820a957c079351883429242e4c0abf7f79158
- Filesize: 430KB
  MD5: a81d5a5c3b38dd773343ac8e540cf212
  SHA1: 1f2176745bb6695e52b0b1a0af04b151bf4f5e42
  SHA256: 38e998f771b00af885a5d381b2d9af660a7074476281503dff9a3e419509a19c
  SHA512: 4ae172803a42149512d8c94b686b23ff7089961d882bb1612ea602381e062da9c1c286861f456376c9892627872f0f4c87b683cf0c57343ce4a6d0f7ea3c74a7
- Filesize: 4.3MB
  MD5: dcdd546fe7b591536b3c274d5afdd0ce
  SHA1: 8b14eff9e48a3f9291c132265b5e11bb4d096bd6
  SHA256: 49112750313927b0da06f6d733ed9ee5314c27c25c4670572004a32125a10787
  SHA512: 73b83c5b1117e4da57cd1cb34561f08a4b1c88984781915e40804e5a854eeac5055069ad26f6742514058c492bdb9b57ffbab103eb39531dc09518a9375dfe94
- Filesize: 392KB
  MD5: bf31810f5e9e5a1ad03e9154a9975eb8
  SHA1: c153dc858f2daf95e058232766e8b11f762d476c
  SHA256: 8b470908be8626812da004bec17b8075cc913a26b8f009a4dff285120b00d13d
  SHA512: 75aa5a0cfac84b1a79419abc5915c23417e7edac1440aff845a06f110b8155bbe1f43020eea3320f0fd6c248791985510fc80e2457fb434c698c55b716d60811
- Filesize: 12KB
  MD5: 2d07d0b34d1dd17462658c6c7bba7168
  SHA1: 0b3fd4038c4e64c4416d205516776281e210132d
  SHA256: 63ba82b1465971c59973d1bf80d88bedbf67a237e5ef54d040e165aceae8734d
  SHA512: ac8b8e363c87545009447af1af18e66db8e4a92cfe49e92cb7ee5364399681f0be747a4366af0231ccdb062e923ebfa12a72dcb1f103a322b14d568a5f1c838e
- Filesize: 740B
  MD5: 5b20f739acefbfc6237c04f216466883
  SHA1: 738af05cf8a177e14726ae4c4affc6d9b94da6a1
  SHA256: f787f543d052d4000d007bdcd71bb6b7024293f2ad2d543b02b4121b1da3ebf8
  SHA512: c82cf736af02ffe5e76b88d802e7800787826bbe5cbc59b64b4f77f9ff1168f9ed43a9c68e3a9d13407e38f16822755660d359b42ae339d0d2bac754f192651f