
Analysis

  • max time kernel
    223s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:50

General

  • Target

    Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe

  • Size

    235KB

  • MD5

    65aba33aa73bd605e877e0902babeda5

  • SHA1

    fe4f38d59f1c40492fa02fe22027079b75e2c181

  • SHA256

    6221daf26a75208044156a28c43bed209741059ae402a7859735ac789e9005dd

  • SHA512

    0028a26fa3c77906afcd3f14d5f67c17eda9fda6f397ac4cf88e0fe520e4a1bf6f60f60b9c67f876c3232e3a4b299fb1471e81e5dfea82e0774c4e0e3001f842

  • SSDEEP

    6144:BBlkZvaF4NTBPrwaPBzKs6AkJLx8AogS/pFgELQX:BoSWNTd1t+aAQgELK

Score
1/10

Malware Config

Signatures

  • Kills process with taskkill 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\hwinfo32.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im epicgameslauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:956
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4008
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im OneDrive.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3216
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EpicGamesLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im UnrealCEFSubProcess.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im CEFProcess.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EasyAntiCheat.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEService.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:556
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BEServices.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BattleEye.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3592
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_USERS\.DEFAULT\Software\Epic Games" /f
        3⤵
        PID:4528
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:1628
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\204ecad0-2ffb-4b38-b78e-9abdba56e0ca" /f
        3⤵
        PID:4728
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\System\GameConfigStore\Children\6b64878b-0bcf-41ea-9d66-e883da2aae74" /f
        3⤵
        PID:1636
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.eos" /f
        3⤵
        PID:2656
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        3⤵
        PID:1108
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:4064
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:3204
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        3⤵
        PID:1340
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        3⤵
        PID:2720
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:5052
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:5044
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        3⤵
        PID:4400
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        3⤵
        PID:3764
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        3⤵
        PID:4332
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        3⤵
        PID:2436
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v SystemStartOptions /f
        3⤵
        PID:820
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:2396
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:5100
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\WOW6432Node\Epic Games" /f
        3⤵
        PID:2288
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Classes\com.epicgames.launcher" /f
        3⤵
        PID:4496
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        3⤵
        PID:4036
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        3⤵
        PID:404
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        3⤵
        PID:4104
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        3⤵
        PID:368
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CLASSES_ROOT\com.epicgames.launcher" /f
        3⤵
        PID:4912
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\com.epicgames.launcher" /f
        3⤵
        PID:3944
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Epic Games" /f
        3⤵
        PID:3676
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\EpicGames" /f
        3⤵
        PID:2732
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\EpicGames" /f
        3⤵
        PID:1572
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Epic Games" /f
        3⤵
        PID:4408
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Epic Games" /f
        3⤵
        PID:3600
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\SOFTWARE\EpicGames" /f
        3⤵
        PID:4196
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Classes\Installer\Dependencies" /v MSICache /f
        3⤵
        PID:448
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Direct3D" /v WHQLClass /f
        3⤵
        PID:3288

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\3F0C.tmp\3F0D.tmp\3F0E.bat

    Filesize

    146KB

    MD5

    406afe5c97eebaea133bdc5d9daff887

    SHA1

    aaf7ef4e090c23a0ea516e4a9a78491a55001d24

    SHA256

    96aa8694fa31eb10195e148c3eb9dc15fb6247a7174cfc0b3794c805fbd5de14

    SHA512

    7d7a8beb15493fc9443bfb08bb9fd25715f51deb5b3bf2e0ea22b2ae354db1959836cafcb888b59773a3a720593fca606f06176e8dcbbf0c79182a37ed30c08d