Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

4cd8586d09...68.exe

windows7-x64

8

4cd8586d09...68.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe

  • Size

    2.4MB

  • MD5

    ba7445dd6438c2097c1c5b2ce173c064

  • SHA1

    24873c5c09152806caa71b6bb990ef0797e626ae

  • SHA256

    4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768

  • SHA512

    6cf7d18b51d2ec88d9c76470800cf9b8c1fcb30fe02041be3f3694eb7e2a708a9d96ed7b9aafd5e7fdff5b618d6b1796a80c78c74204e7272b58a7b4f7a84ace

  • SSDEEP

    49152:zgwRBNhWLwbYdMsr37tl5oaSeaduub9vdcOMigvOQowQEJHQJPT5NuEj3uWNtiT:zgwRBNhmwbirt02q1r4PFJwJ1fjeWNk

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe
    "C:\Users\Admin\AppData\Local\Temp\4cd8586d09ba9e97b4e50bb2d9d1e671a50bfe79bcd29ebf851ae6defc8d1768.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameServerClient
        3⤵
        • Launches sc.exe
        PID:4212
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService remove GameServerClient confirm
        3⤵
        • Executes dropped EXE
        PID:4064
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameClient.exe"
        3⤵
        • Executes dropped EXE
        PID:2448
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService start GameServerClient
        3⤵
        • Executes dropped EXE
        PID:1448
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameServerClientC
        3⤵
        • Launches sc.exe
        PID:1152
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService remove GameServerClientC confirm
        3⤵
        • Executes dropped EXE
        PID:3560
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameClientC.exe"
        3⤵
        • Executes dropped EXE
        PID:1652
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService start GameServerClientC
        3⤵
        • Executes dropped EXE
        PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
        PID:4620
    • C:\Program Files (x86)\GameServerClient\GameService.exe
      "C:\Program Files (x86)\GameServerClient\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Program Files (x86)\GameServerClient\GameClient.exe
        "C:\Program Files (x86)\GameServerClient\GameClient.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\Temp\373091.exe
          "C:\Windows\Temp\373091.exe" --points 512 --out xxx.txt --keyspace 25efb6df800000000:25efb6e0000000000 13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so 16cJHB8WboGoPCmL28pEsbkJMeMixK56tR
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:644
    • C:\Program Files (x86)\GameServerClient\GameService.exe
      "C:\Program Files (x86)\GameServerClient\GameService.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Program Files (x86)\GameServerClient\GameClientC.exe
        "C:\Program Files (x86)\GameServerClient\GameClientC.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\Temp\771208.exe
          "C:\Windows\Temp\771208.exe" --coin BTC -m ADDRESSES -t 0 --range 25efb6df800000000:25efb6e0000000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
          3⤵
          • Executes dropped EXE
          PID:3744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4936

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\GameServerClient\GameClient.exe
        Filesize

        2.5MB

        MD5

        0fac9d21508e154127a9fd4b90a1ca39

        SHA1

        cb9df00888a37443e6b4f87daf74e591b4dc373a

        SHA256

        6fb647a3af04d0bb02d9925cf974c21be48512ee56eb3275be575dadd1a7aec0

        SHA512

        fdd75a3dceb4dd9083f46ba09a51213779958e440b0f6cf61d63ed9b65964b912bd270f3cc616e795c4d8d36daf19b15ee3f99fbaa827c113ff47477a604480d

        Download Submit

      • C:\Program Files (x86)\GameServerClient\GameClientC.exe
        Filesize

        13.2MB

        MD5

        fc63d47dd6b9847ab82f4dd05ed7cb99

        SHA1

        cac41f14caaabef4d89d3311e2314a09f602e256

        SHA256

        864f529a4618eec7e5eff997c66dd5001c75beed21b587bcc492e944fb059a49

        SHA512

        190102bdc8f5794f9fc20ee3402dc1e03e4f8af9c7992a55766e1bfe3a77c8910efc96c63ce2c5c1f0f9429c233cd62420479ca8a53b788e637bee14f9bcc72d

        Download Submit

      • C:\Program Files (x86)\GameServerClient\GameClientC.exe
        Filesize

        10.6MB

        MD5

        226061ef93cff7a505f361a82faeff42

        SHA1

        372626582d886512767c1a4998d834f2c1c918f8

        SHA256

        a0ad6913560f5af2ede5b74cfa096239d1b1b4fb3a4335513dec4eb191cbdaa7

        SHA512

        51dd8a09a4d0e28554e89163056d9ba617d21765c20bf4dd9cd69f6326fe7511b6bf163eee6b7b0e935e1a096e28607454771db59b78acf17f74fd42e15b82a2

        Download Submit

      • C:\Program Files (x86)\GameServerClient\GameService.exe
        Filesize

        288KB

        MD5

        d9ec6f3a3b2ac7cd5eef07bd86e3efbc

        SHA1

        e1908caab6f938404af85a7df0f80f877a4d9ee6

        SHA256

        472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

        SHA512

        1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

        Download Submit

      • C:\Program Files (x86)\GameServerClient\install.bat
        Filesize

        231B

        MD5

        b9ecefec035b92492661437972d20a33

        SHA1

        6d694ed7107919baa1da347784b2fb2378f25193

        SHA256

        5c4b3d2bbfc982378155656046dccd2fac16a5f8d2bbf23f5dbc6a6dc8ebfde8

        SHA512

        cf22b003bc370e01c7ce64338bb86dc42a4db4d8357924ba85abd07e2293936ca879d64e35a2b4f3679f281ad112867564ca50054f865525ec7f0cb9c274da99

        Download Submit

      • C:\Program Files (x86)\GameServerClient\installc.bat
        Filesize

        238B

        MD5

        8b1a66e9898c6054903c6fb23d6c197c

        SHA1

        06a2131ac4cd1dcdd7999322e728445e732b265d

        SHA256

        6e36cda60845bbe139f6fa3eaaa71047bb117b74ac47d698bbc526ebf512d025

        SHA512

        0abb0c4214508da7826f604ba164becbd5ea9567595494273c51e4573f3bbe9c51c40e0e5fe0f06d6628743ca55da4ea8b2b9b4348d372c57f0bcbd13449168a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
        Filesize

        300B

        MD5

        8d8c12c40612f3e58d8f8e6bb45f5c9a

        SHA1

        9bab3a51743c885643d3b7f50bbe8c3d4c16c62f

        SHA256

        980b080577f773982b6e79e6311f38c06f18a98c2f0cfa5dd73fee254015dc62

        SHA512

        d6af36a765b1d499be091a61550ed24247be308242f4dd9eb0a9756990aea20cc2d78096798679411cf9a301016d3429b1387889b84114cc0c19300e266c9b5d

        Download Submit

      • C:\Windows\Temp\373091.exe
        Filesize

        2.0MB

        MD5

        5c9e996ee95437c15b8d312932e72529

        SHA1

        eb174c76a8759f4b85765fa24d751846f4a2d2ef

        SHA256

        0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

        SHA512

        935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

        Download Submit

      • C:\Windows\Temp\771208.exe
        Filesize

        13.1MB

        MD5

        bfe6b13011bbba05c28109cf6730f8a1

        SHA1

        28da37544341c3587c11c1f1f294505516434d40

        SHA256

        93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd

        SHA512

        d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

        Download Submit

      • C:\Windows\Temp\771208.exe
        Filesize

        10.4MB

        MD5

        b387059915cf7d1a939e1f41f56c4fa7

        SHA1

        b4e71a94dfbe2ba10ab7741d43c40270f465390e

        SHA256

        71d7c069fdefc96908d13699eeeaa57ed5da4994212a463087983d91cde8bc33

        SHA512

        a4fb43568e27c4b5c46ada48b206773dc747b31764858b6bd8770850c98713464af541d602a0a97241ec80e635a4993fe909970a65548e575588e7bbaacc327e

        Download Submit

      • C:\Windows\Temp\cudart64_101.dll
        Filesize

        398KB

        MD5

        1d7955354884a9058e89bb8ea34415c9

        SHA1

        62c046984afd51877ecadad1eca209fda74c8cb1

        SHA256

        111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

        SHA512

        7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

        Download Submit

      • C:\Windows\Temp\curjob.bin
        Filesize

        40B

        MD5

        d935c86a105ddd7787d03e0fd61bb148

        SHA1

        c8a3be929bda73cc9c3d5cd658e47387368aae96

        SHA256

        c1a09eb7a3222a4098149c7bd12616316abb751cb84ee87f98a71c16137e3982

        SHA512

        b719a868f3616e2a635f4de3b71510a83bf3648420ebbc643ab544e39fd2f492e30a142f1f9180715c53646ebf16db1ec51db523638a0a3646c7e52a6e64607b

        Download Submit