Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3GalaxiaViva.exe
windows7-x64
7GalaxiaViva.exe
windows10-1703-x64
7GalaxiaViva.exe
windows10-2004-x64
7GalaxiaViva.exe
windows11-21h2-x64
7Installer.exe
windows7-x64
7Installer.exe
windows10-1703-x64
7Installer.exe
windows10-2004-x64
7Installer.exe
windows11-21h2-x64
7resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-1703-x64
1resources/elevate.exe
windows10-2004-x64
1resources/elevate.exe
windows11-21h2-x64
1Resubmissions
09/04/2024, 22:11
240409-131wtaea38 809/04/2024, 21:43
240409-1k5r2scg65 709/04/2024, 21:18
240409-z5mxasbe59 706/04/2024, 10:55
240406-mz7nashc59 806/04/2024, 10:41
240406-mrjaqsgd6z 7Analysis
-
max time kernel
3s -
max time network
235s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/04/2024, 21:43
Static task
static1
Behavioral task
behavioral1
Sample
GalaxiaViva.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
GalaxiaViva.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral3
Sample
GalaxiaViva.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
GalaxiaViva.exe
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
Installer.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
Installer.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral7
Sample
Installer.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Installer.exe
Resource
win11-20240221-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
resources/elevate.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
resources/elevate.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral11
Sample
resources/elevate.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
resources/elevate.exe
Resource
win11-20240221-en
windows11-21h2-x64
General
-
Target
Installer.exe
-
Size
147.0MB
-
MD5
2fcb65fc8b2bc9505da8dd94033cc7ad
-
SHA1
ff12916a1d57eb26d9e5856d91c450b155a35f65
-
SHA256
708543f3ca34ffe8e4d33c09560d4e190fe35bd2aa7a57369291174d537ffc32
-
SHA512
4927ede0dead3f947513add783a150245185ae1872b0f59d8159448423b33e636956e69b8278c37f62dd9a6a4ca59247f83beea4d59d1a6832ce5ce4533ed585
-
SSDEEP
1572864:EgGRqQdeZ4K5M0PmL0g6dKXPRYGO1QwOVnMKVbmd6LpL28nHQ5OneFBlwb:OV6msmCUhN4lS
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 2012 Installer.exe 2012 Installer.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2612 tasklist.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2612 tasklist.exe Token: SeShutdownPrivilege 2012 Installer.exe Token: SeShutdownPrivilege 2012 Installer.exe Token: SeShutdownPrivilege 2012 Installer.exe Token: SeShutdownPrivilege 2012 Installer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2568 2012 Installer.exe 28 PID 2012 wrote to memory of 2568 2012 Installer.exe 28 PID 2012 wrote to memory of 2568 2012 Installer.exe 28 PID 2568 wrote to memory of 2612 2568 cmd.exe 30 PID 2568 wrote to memory of 2612 2568 cmd.exe 30 PID 2568 wrote to memory of 2612 2568 cmd.exe 30 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2316 2012 Installer.exe 32 PID 2012 wrote to memory of 2756 2012 Installer.exe 33 PID 2012 wrote to memory of 2756 2012 Installer.exe 33 PID 2012 wrote to memory of 2756 2012 Installer.exe 33 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34 PID 2012 wrote to memory of 2780 2012 Installer.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1204,i,9119817144374930202,3317385051893675166,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2316
-
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --mojo-platform-channel-handle=1560 --field-trial-handle=1204,i,9119817144374930202,3317385051893675166,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\game" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1172 --field-trial-handle=1204,i,9119817144374930202,3317385051893675166,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2780
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654KB
MD536e0027f9e250df48c14d0c46cc69df7
SHA18c8c4dd7725a0ec877541d48ed5ceda97d8a3bd1
SHA2561f6a635c64ef5e04826545b78d4796f2f00493c7fd7b06c9cdea956fd71afeaf
SHA512eba9d6dfe72a7d606159a30968627f6bee22f81f00c722d40058ab6c880c880e040fb9f418e5154f30f20f5f8c9254c3ed9cfa93ea1f2eefa9b5d7ed4e9fea84
-
Filesize
1.8MB
MD5beb8d911d40e8fe94770d9d341e0de11
SHA1d24d31e5b44a4a80969e2a669fb9b0ed42cfd479
SHA256ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7
SHA512079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe