Analysis

  • max time kernel
    158s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/04/2024, 15:27

General

  • Target

    dragonquest.exe

  • Size

    154.5MB

  • MD5

    09c25311f35ab5a61321513c2f8c8939

  • SHA1

    4321c60fef329b4b1c842f9c000a042f5c082090

  • SHA256

    9c1571dd2c50c4d8f8a971c2c15453958b84e658c8e0717e1c1e652d5c4f696a

  • SHA512

    4626b70bc417f97c178eec0273880ca3469168f740e510aa9539868b4daa887fb18cfe2f0bc174ccc4f400681e629db42a2c6c010abfd3772b118c34d3f16ada

  • SSDEEP

    1572864:uCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:UDAgZi

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dragonquest.exe
    "C:\Users\Admin\AppData\Local\Temp\dragonquest.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:548
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\system32\taskkill.exe
        taskkill /IM msedge.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
    • C:\Users\Admin\AppData\Local\Temp\dragonquest.exe
      "C:\Users\Admin\AppData\Local\Temp\dragonquest.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\dragonquest" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1856,i,11851885790595160054,3735192193355676064,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:2836
      • C:\Users\Admin\AppData\Local\Temp\dragonquest.exe
        "C:\Users\Admin\AppData\Local\Temp\dragonquest.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\dragonquest" --mojo-platform-channel-handle=2024 --field-trial-handle=1856,i,11851885790595160054,3735192193355676064,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:3632
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,67,128,152,204,42,144,123,199,27,4,225,199,13,242,221,149,145,237,55,4,82,7,196,150,250,0,128,217,84,96,26,8,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,188,175,0,30,48,100,67,63,20,53,14,63,134,51,137,84,143,192,102,177,18,51,68,178,124,144,243,152,196,183,26,20,48,0,0,0,190,92,17,173,140,51,159,51,126,190,173,221,142,107,164,37,29,39,195,169,91,212,13,203,156,231,191,1,141,110,214,0,139,166,122,8,193,254,164,18,242,144,199,102,7,229,163,87,64,0,0,0,92,38,111,160,117,159,183,28,107,202,104,26,80,95,112,133,110,70,70,176,97,61,73,244,204,9,167,143,131,188,193,74,240,26,16,153,97,89,242,25,202,30,148,191,238,133,78,74,202,236,9,90,67,15,4,82,38,75,210,234,106,225,0,98), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,67,128,152,204,42,144,123,199,27,4,225,199,13,242,221,149,145,237,55,4,82,7,196,150,250,0,128,217,84,96,26,8,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,188,175,0,30,48,100,67,63,20,53,14,63,134,51,137,84,143,192,102,177,18,51,68,178,124,144,243,152,196,183,26,20,48,0,0,0,190,92,17,173,140,51,159,51,126,190,173,221,142,107,164,37,29,39,195,169,91,212,13,203,156,231,191,1,141,110,214,0,139,166,122,8,193,254,164,18,242,144,199,102,7,229,163,87,64,0,0,0,92,38,111,160,117,159,183,28,107,202,104,26,80,95,112,133,110,70,70,176,97,61,73,244,204,9,167,143,131,188,193,74,240,26,16,153,97,89,242,25,202,30,148,191,238,133,78,74,202,236,9,90,67,15,4,82,38,75,210,234,106,225,0,98), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3248
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "start /B cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Windows\system32\cmd.exe
            cmd /c mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\system32\mshta.exe
              mshta "javascript:new ActiveXObject('WScript.Shell').Popup('An error occurred while downloading files. Please try again later.', 0, 'Error', 16);close()"
              4⤵
                PID:3876
          • C:\Users\Admin\AppData\Local\Temp\dragonquest.exe
            "C:\Users\Admin\AppData\Local\Temp\dragonquest.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\dragonquest" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1856,i,11851885790595160054,3735192193355676064,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3232

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          f48896adf9a23882050cdff97f610a7f

          SHA1

          4c5a610df62834d43f470cae7e851946530e3086

          SHA256

          3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

          SHA512

          16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          d1ba74640acd402c938120ae23285c4f

          SHA1

          2844c0e8b47cfc917cb7f73a901a2621b4dab28a

          SHA256

          68fef826a5bab279678aa5a4547c8eefde51f97cdbf4f54ca880ea1e6e4e9c6d

          SHA512

          40a23a06d39a04ebd0b258e4240bb665ada4a6cf084b54de5034c94c8ee80cf610af2b5b606b2234620a124ac8ea84a97f7d967dee8e713038dbc41deafe401f

        • C:\Users\Admin\AppData\Local\Temp\82094dc1-f0a8-43c6-bec0-a8b5e04fc676.tmp.node

          Filesize

          1.8MB

          MD5

          3072b68e3c226aff39e6782d025f25a8

          SHA1

          cf559196d74fa490ac8ce192db222c9f5c5a006a

          SHA256

          7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

          SHA512

          61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wyatvpc.n44.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\a17deaa1-4758-4260-81cb-7a19dfdcd82a.tmp.node

          Filesize

          137KB

          MD5

          04bfbfec8db966420fe4c7b85ebb506a

          SHA1

          939bb742a354a92e1dcd3661a62d69e48030a335

          SHA256

          da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

          SHA512

          4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

        • C:\Users\Admin\AppData\Local\Temp\lxnny_lol\Browser.zip

          Filesize

          22B

          MD5

          76cdb2bad9582d23c1f6f4d868218d6c

          SHA1

          b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

          SHA256

          8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

          SHA512

          5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

        • memory/1560-12-0x0000012BD0850000-0x0000012BD0872000-memory.dmp

          Filesize

          136KB

        • memory/1560-22-0x0000012BD0DA0000-0x0000012BD0DF0000-memory.dmp

          Filesize

          320KB

        • memory/3232-79-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-80-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-81-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-85-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-86-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-91-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-90-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-89-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-88-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB

        • memory/3232-87-0x000001BC3CE10000-0x000001BC3CE11000-memory.dmp

          Filesize

          4KB