Analysis

  • max time kernel
    2s
  • max time network
    27s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:50

General

  • Target

    Tournament_Fixer/AdditionalRuntimes/nvrl.exe

  • Size

    89KB

  • MD5

    d2665be261f42f3b0850269e0a16f4d9

  • SHA1

    6dbd41fe7b18cb9824edf11afac771c3c5483c6e

  • SHA256

    2e8efd60494d3516f05b29682343281962f757c5ff0edbc9df1f517ee3e14bfd

  • SHA512

    b282eb148d6ef5e41a091cba1497ea327a9b550aa4e5820851b5bd255672e1d2627efe1152c436e1aa94213d1bbf3dfe8b962126aa0c84f9a7b357f5c29a12a3

  • SSDEEP

    1536:L7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwQOU:H7DhdC6kzWypvaQ0FxyNTBfAp

Malware Config

Signatures

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Gathers network information 2 TTPs 3 IoCs

    Uses a command-line utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\netsh.exe
        NETSH INT IP RESET
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3108
      • C:\Windows\system32\netsh.exe
        NETSH INTERFACE IPV4 RESET
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:5100
      • C:\Windows\system32\netsh.exe
        NETSH INTERFACE IPV6 RESET
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4016
      • C:\Windows\system32\netsh.exe
        NETSH INTERFACE TCP RESET
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3796
      • C:\Windows\system32\netsh.exe
        NETSH INT RESET ALL
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:5088
      • C:\Windows\system32\ipconfig.exe
        IPCONFIG /RELEASE
        3⤵
        • Gathers network information
        PID:2476
      • C:\Windows\system32\ipconfig.exe
        IPCONFIG /RELEASE
        3⤵
        • Gathers network information
        PID:3036
      • C:\Windows\system32\ipconfig.exe
        IPCONFIG /FLUSHDNS
        3⤵
        • Gathers network information
        PID:5048
      • C:\Windows\system32\nbtstat.exe
        NBTSTAT -R
        3⤵
        PID:556
      • C:\Windows\system32\nbtstat.exe
        NBTSTAT -RR
        3⤵
        PID:2704
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3136

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3E61.tmp\3E62.tmp\3E63.bat

  • Filesize

    530B

  • MD5

    95e33c4700e0c94a4225251858b8bf49

  • SHA1

    116d458fa09f1f7338a6303175e26e94e068c560

  • SHA256

    ddab15d142c77b1c060fed8d8561dadb7e2d70615a096b83e9299f5d4c5d2706

  • SHA512

    42c65d35ee3b7c05188814aeb8717a2e6d18b14085bb824debe1819e5119f82f1de08a1c8c13d159f2719e2ace314e209b9992abb5e908588ca03af01a91b370