Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
17/04/2024, 22:14
Static task
static1
Behavioral task
behavioral1
Sample
LauncherFenix-Minecraft-v7.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
LauncherFenix-Minecraft-v7.exe
Resource
win10v2004-20240412-en
General
-
Target
LauncherFenix-Minecraft-v7.exe
-
Size
397KB
-
MD5
d99bb55b57712065bc88be297c1da38c
-
SHA1
fb6662dd31e8e5be380fbd7a33a50a45953fe1e7
-
SHA256
122bfbb9f67e355340991deeacb167be9c12ad726b5a7c5779448dd0cc4af0cb
-
SHA512
3eb5d57faea4c0146c2af40102deaac18235b379f5e81fe35a977b642e3edf70704c8cedd835e94f27b04c8413968f7469fccf82c1c9339066d38d3387c71b17
-
SSDEEP
3072:puzvch1rugYc4wqYSRR756K7ItBjgXHUYCnlK:Wch1aIqYSRVM+unlK
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3256 icacls.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb javaw.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb javaw.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2177723727-746291240-1644359950-1000\{27B77FE1-4DD5-4472-A7AF-8DF43CC6F4DB} svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4316 OpenWith.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3360 javaw.exe 3360 javaw.exe 4316 OpenWith.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4756 wrote to memory of 3360 4756 LauncherFenix-Minecraft-v7.exe 83 PID 4756 wrote to memory of 3360 4756 LauncherFenix-Minecraft-v7.exe 83 PID 3360 wrote to memory of 3256 3360 javaw.exe 85 PID 3360 wrote to memory of 3256 3360 javaw.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\LauncherFenix-Minecraft-v7.exe"2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M3⤵
- Modifies file permissions
PID:3256
-
-
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵PID:2076
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
PID:3052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD56531b8c1a296c0fd80dedea0f62bdf5e
SHA1d30a752c6201ab708a9b5ee3ad13e725f068a799
SHA256930c3fb931f3aeb163c06b8713c61a40fc9a87ee70d2bb22025ff880a815bd7a
SHA512fafc323adc85b6e6712195db23dd2cf998d723cfd3a827edf10cf96d216a234f0abf250f0f419403227f47a9ce15c703ae8ecac58d80213761098452a0c7e766