Overview

Static analysis (score 10)

Per-file tabs (score, file name as truncated in the tab label, platform):

  10  FN-TOOLZ-m...AN.bat   windows10-2004-x64
  10  Tournament...ew.exe   windows10-2004-x64
   6  Tournament...al.dll   windows10-2004-x64
   1  Tournament...UI.dll   windows10-2004-x64
   1  Tournament...cl.exe   windows10-2004-x64
   1  Tournament...uz.exe   windows10-2004-x64
   9  Tournament...dc.exe   windows10-2004-x64
   1  Tournament...ft.exe   windows10-2004-x64
   1  Tournament...64.exe   windows10-2004-x64
   1  Tournament...32.exe   windows10-2004-x64
   1  Tournament...64.exe   windows10-2004-x64
   4  Tournament...fg.exe   windows10-2004-x64
   3  Tournament...sg.exe   windows10-2004-x64
   3  Tournament...sr.exe   windows10-2004-x64
  10  Tournament...wg.exe   windows10-2004-x64
   1  Tournament...sm.dll   windows10-2004-x64
   1  Tournament...xy.dll   windows10-2004-x64
   7  Tournament...ry.dll   windows10-2004-x64
   1  Tournament...ll.dll   windows10-2004-x64
   1  Tournament...pi.dll   windows10-2004-x64
   1  Tournament...32.dll   windows10-2004-x64
   1  Tournament...da.dll   windows10-2004-x64
   1  Tournament...ve.dll   windows10-2004-x64
   1  Tournament...70.dll   windows10-2004-x64
   1  Tournament...rl.exe   windows10-2004-x64
   3  Tournament...64.exe   windows10-2004-x64
   3  Tournament...cs.exe   windows10-2004-x64
   8  Tournament...64.exe   windows10-2004-x64
  10  Tournament...tm.exe   windows10-2004-x64
   3  Tournament...mc.exe   windows10-2004-x64
   1  FN-TOOLZ-m...er.exe   windows10-2004-x64
   9  FN-TOOLZ-m...er.bat   windows10-2004-x64
Analysis (score 1)

  max time kernel:   2s
  max time network:  27s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240611-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26/06/2024, 20:50
Behavioral tasks

  task           sample                                                  resource
  behavioral1    FN-TOOLZ-main/FNCLEAN.bat                               win10v2004-20240508-en
  behavioral2    Tournament_Fixer/AdditionalRuntimes/DevManView.exe      win10v2004-20240611-en
  behavioral3    Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll         win10v2004-20240508-en
  behavioral4    Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll   win10v2004-20240611-en
  behavioral5    Tournament_Fixer/AdditionalRuntimes/ccl.exe             win10v2004-20240611-en
  behavioral6    Tournament_Fixer/AdditionalRuntimes/cpuz.exe            win10v2004-20240508-en
  behavioral7    Tournament_Fixer/AdditionalRuntimes/ddc.exe             win10v2004-20240508-en
  behavioral8    Tournament_Fixer/AdditionalRuntimes/hssft.exe           win10v2004-20240611-en
  behavioral9    Tournament_Fixer/AdditionalRuntimes/hwbd64.exe          win10v2004-20240508-en
  behavioral10   Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe        win10v2004-20240611-en
  behavioral11   Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe        win10v2004-20240611-en
  behavioral12   Tournament_Fixer/AdditionalRuntimes/jfg.exe             win10v2004-20240508-en
  behavioral13   Tournament_Fixer/AdditionalRuntimes/jsg.exe             win10v2004-20240611-en
  behavioral14   Tournament_Fixer/AdditionalRuntimes/jsr.exe             win10v2004-20240611-en
  behavioral15   Tournament_Fixer/AdditionalRuntimes/kwg.exe             win10v2004-20240611-en
  behavioral16   Tournament_Fixer/AdditionalRuntimes/lsm.dll             win10v2004-20240508-en
  behavioral17   Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll        win10v2004-20240508-en
  behavioral18   Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll     win10v2004-20240611-en
  behavioral19   Tournament_Fixer/AdditionalRuntimes/luainstall.dll      win10v2004-20240508-en
  behavioral20   Tournament_Fixer/AdditionalRuntimes/luiapi.dll          win10v2004-20240226-en
  behavioral21   Tournament_Fixer/AdditionalRuntimes/lz32.dll            win10v2004-20240611-en
  behavioral22   Tournament_Fixer/AdditionalRuntimes/mcicda.dll          win10v2004-20240508-en
  behavioral23   Tournament_Fixer/AdditionalRuntimes/mciwave.dll         win10v2004-20240611-en
  behavioral24   Tournament_Fixer/AdditionalRuntimes/mfc70.dll           win10v2004-20240611-en
  behavioral25   Tournament_Fixer/AdditionalRuntimes/nvrl.exe            win10v2004-20240611-en
  behavioral26   Tournament_Fixer/AdditionalRuntimes/nvrl64.exe          win10v2004-20240508-en
  behavioral27   Tournament_Fixer/AdditionalRuntimes/tcs.exe             win10v2004-20240611-en
  behavioral28   Tournament_Fixer/AdditionalRuntimes/tcs64.exe           win10v2004-20240611-en
  behavioral29   Tournament_Fixer/AdditionalRuntimes/tm.exe              win10v2004-20240508-en
  behavioral30   Tournament_Fixer/AdditionalRuntimes/wmc.exe             win10v2004-20240508-en
  behavioral31   FN-TOOLZ-main/applecleaner.exe                          win10v2004-20240611-en
  behavioral32   FN-TOOLZ-main/serial_checker.bat                        win10v2004-20240508-en
General

  Target:  Tournament_Fixer/AdditionalRuntimes/nvrl.exe
  Size:    89KB
  MD5:     d2665be261f42f3b0850269e0a16f4d9
  SHA1:    6dbd41fe7b18cb9824edf11afac771c3c5483c6e
  SHA256:  2e8efd60494d3516f05b29682343281962f757c5ff0edbc9df1f517ee3e14bfd
  SHA512:  b282eb148d6ef5e41a091cba1497ea327a9b550aa4e5820851b5bd255672e1d2627efe1152c436e1aa94213d1bbf3dfe8b962126aa0c84f9a7b357f5c29a12a3
  SSDEEP:  1536:L7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwQOU:H7DhdC6kzWypvaQ0FxyNTBfAp
Malware Config
Signatures
Event Triggered Execution: Netsh Helper DLL (1 TTP, 15 IoCs)

  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Netsh consults the NetSh registry key to locate its helper DLLs on every invocation, so the 15 IoCs below are all reads of that key (open, query, value enumeration) by netsh.exe itself; no write to the key is recorded in this report.

  description            ioc                                        process
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
Gathers network information (2 TTPs, 3 IoCs)

  Uses commandline utility to view network configuration.

  pid    process
  5048   ipconfig.exe
  2476   ipconfig.exe
  3036   ipconfig.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)

  description                           pid    process
  Token: SeIncreaseQuotaPrivilege       3136   WMIC.exe
  Token: SeSecurityPrivilege            3136   WMIC.exe
  Token: SeTakeOwnershipPrivilege       3136   WMIC.exe
  Token: SeLoadDriverPrivilege          3136   WMIC.exe
  Token: SeSystemProfilePrivilege       3136   WMIC.exe
  Token: SeSystemtimePrivilege          3136   WMIC.exe
  Token: SeProfSingleProcessPrivilege   3136   WMIC.exe
  Token: SeIncBasePriorityPrivilege     3136   WMIC.exe
  Token: SeCreatePagefilePrivilege      3136   WMIC.exe
  Token: SeBackupPrivilege              3136   WMIC.exe
  Token: SeRestorePrivilege             3136   WMIC.exe
  Token: SeShutdownPrivilege            3136   WMIC.exe
  Token: SeDebugPrivilege               3136   WMIC.exe
  Token: SeSystemEnvironmentPrivilege   3136   WMIC.exe
  Token: SeRemoteShutdownPrivilege      3136   WMIC.exe
  Token: SeUndockPrivilege              3136   WMIC.exe
  Token: SeManageVolumePrivilege        3136   WMIC.exe
  Token: 33                             3136   WMIC.exe
  Token: 34                             3136   WMIC.exe
  Token: 35                             3136   WMIC.exe
  Token: 36                             3136   WMIC.exe
Suspicious use of WriteProcessMemory (24 IoCs)

  description                        pid    process    procid_target
  PID 3756 wrote to memory of 1080   3756   nvrl.exe   84
  PID 3756 wrote to memory of 1080   3756   nvrl.exe   84
  PID 1080 wrote to memory of 3108   1080   cmd.exe    85
  PID 1080 wrote to memory of 3108   1080   cmd.exe    85
  PID 1080 wrote to memory of 5100   1080   cmd.exe    89
  PID 1080 wrote to memory of 5100   1080   cmd.exe    89
  PID 1080 wrote to memory of 4016   1080   cmd.exe    90
  PID 1080 wrote to memory of 4016   1080   cmd.exe    90
  PID 1080 wrote to memory of 3796   1080   cmd.exe    91
  PID 1080 wrote to memory of 3796   1080   cmd.exe    91
  PID 1080 wrote to memory of 5088   1080   cmd.exe    92
  PID 1080 wrote to memory of 5088   1080   cmd.exe    92
  PID 1080 wrote to memory of 2476   1080   cmd.exe    93
  PID 1080 wrote to memory of 2476   1080   cmd.exe    93
  PID 1080 wrote to memory of 3036   1080   cmd.exe    94
  PID 1080 wrote to memory of 3036   1080   cmd.exe    94
  PID 1080 wrote to memory of 5048   1080   cmd.exe    95
  PID 1080 wrote to memory of 5048   1080   cmd.exe    95
  PID 1080 wrote to memory of 556    1080   cmd.exe    96
  PID 1080 wrote to memory of 556    1080   cmd.exe    96
  PID 1080 wrote to memory of 2704   1080   cmd.exe    97
  PID 1080 wrote to memory of 2704   1080   cmd.exe    97
  PID 1080 wrote to memory of 3136   1080   cmd.exe    98
  PID 1080 wrote to memory of 3136   1080   cmd.exe    98
Processes (process tree; depth 1 is the submitted sample, each deeper level is a child of the one above)

  [1] C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe   PID 3756
      command line: "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"
      signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe   PID 1080
        command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"
        signatures: Suspicious use of WriteProcessMemory

      [3] C:\Windows\system32\netsh.exe   PID 3108
          command line: NETSH INT IP RESET
          signatures: Event Triggered Execution: Netsh Helper DLL

      [3] C:\Windows\system32\netsh.exe   PID 5100
          command line: NETSH INTERFACE IPV4 RESET
          signatures: Event Triggered Execution: Netsh Helper DLL

      [3] C:\Windows\system32\netsh.exe   PID 4016
          command line: NETSH INTERFACE IPV6 RESET
          signatures: Event Triggered Execution: Netsh Helper DLL

      [3] C:\Windows\system32\netsh.exe   PID 3796
          command line: NETSH INTERFACE TCP RESET
          signatures: Event Triggered Execution: Netsh Helper DLL

      [3] C:\Windows\system32\netsh.exe   PID 5088
          command line: NETSH INT RESET ALL
          signatures: Event Triggered Execution: Netsh Helper DLL

      [3] C:\Windows\system32\ipconfig.exe   PID 2476
          command line: IPCONFIG /RELEASE
          signatures: Gathers network information

      [3] C:\Windows\system32\ipconfig.exe   PID 3036
          command line: IPCONFIG /RELEASE
          signatures: Gathers network information

      [3] C:\Windows\system32\ipconfig.exe   PID 5048
          command line: IPCONFIG /FLUSHDNS
          signatures: Gathers network information

      [3] C:\Windows\system32\nbtstat.exe   PID 556
          command line: NBTSTAT -R

      [3] C:\Windows\system32\nbtstat.exe   PID 2704
          command line: NBTSTAT -RR

      [3] C:\Windows\System32\Wbem\WMIC.exe   PID 3136
          command line: WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
          signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  530B
  MD5:       95e33c4700e0c94a4225251858b8bf49
  SHA1:      116d458fa09f1f7338a6303175e26e94e068c560
  SHA256:    ddab15d142c77b1c060fed8d8561dadb7e2d70615a096b83e9299f5d4c5d2706
  SHA512:    42c65d35ee3b7c05188814aeb8717a2e6d18b14085bb824debe1819e5119f82f1de08a1c8c13d159f2719e2ace314e209b9992abb5e908588ca03af01a91b370