Analysis
- max time kernel: 3s
- max time network: 4s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/06/2024, 20:50
Behavioral tasks (task: sample, resource)
- behavioral1: FN-TOOLZ-main/FNCLEAN.bat, win10v2004-20240508-en
- behavioral2: Tournament_Fixer/AdditionalRuntimes/DevManView.exe, win10v2004-20240611-en
- behavioral3: Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll, win10v2004-20240508-en
- behavioral4: Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll, win10v2004-20240611-en
- behavioral5: Tournament_Fixer/AdditionalRuntimes/ccl.exe, win10v2004-20240611-en
- behavioral6: Tournament_Fixer/AdditionalRuntimes/cpuz.exe, win10v2004-20240508-en
- behavioral7: Tournament_Fixer/AdditionalRuntimes/ddc.exe, win10v2004-20240508-en
- behavioral8: Tournament_Fixer/AdditionalRuntimes/hssft.exe, win10v2004-20240611-en
- behavioral9: Tournament_Fixer/AdditionalRuntimes/hwbd64.exe, win10v2004-20240508-en
- behavioral10: Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe, win10v2004-20240611-en
- behavioral11: Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe, win10v2004-20240611-en
- behavioral12: Tournament_Fixer/AdditionalRuntimes/jfg.exe, win10v2004-20240508-en
- behavioral13: Tournament_Fixer/AdditionalRuntimes/jsg.exe, win10v2004-20240611-en
- behavioral14: Tournament_Fixer/AdditionalRuntimes/jsr.exe, win10v2004-20240611-en
- behavioral15: Tournament_Fixer/AdditionalRuntimes/kwg.exe, win10v2004-20240611-en
- behavioral16: Tournament_Fixer/AdditionalRuntimes/lsm.dll, win10v2004-20240508-en
- behavioral17: Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll, win10v2004-20240508-en
- behavioral18: Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll, win10v2004-20240611-en
- behavioral19: Tournament_Fixer/AdditionalRuntimes/luainstall.dll, win10v2004-20240508-en
- behavioral20: Tournament_Fixer/AdditionalRuntimes/luiapi.dll, win10v2004-20240226-en
- behavioral21: Tournament_Fixer/AdditionalRuntimes/lz32.dll, win10v2004-20240611-en
- behavioral22: Tournament_Fixer/AdditionalRuntimes/mcicda.dll, win10v2004-20240508-en
- behavioral23: Tournament_Fixer/AdditionalRuntimes/mciwave.dll, win10v2004-20240611-en
- behavioral24: Tournament_Fixer/AdditionalRuntimes/mfc70.dll, win10v2004-20240611-en
- behavioral25: Tournament_Fixer/AdditionalRuntimes/nvrl.exe, win10v2004-20240611-en
- behavioral26: Tournament_Fixer/AdditionalRuntimes/nvrl64.exe, win10v2004-20240508-en
- behavioral27: Tournament_Fixer/AdditionalRuntimes/tcs.exe, win10v2004-20240611-en
- behavioral28: Tournament_Fixer/AdditionalRuntimes/tcs64.exe, win10v2004-20240611-en
- behavioral29: Tournament_Fixer/AdditionalRuntimes/tm.exe, win10v2004-20240508-en
- behavioral30: Tournament_Fixer/AdditionalRuntimes/wmc.exe, win10v2004-20240508-en
- behavioral31: FN-TOOLZ-main/applecleaner.exe, win10v2004-20240611-en
- behavioral32: FN-TOOLZ-main/serial_checker.bat, win10v2004-20240508-en
General
- Target: Tournament_Fixer/AdditionalRuntimes/nvrl64.exe
- Size: 259KB
- MD5: 6e8599bb5bc6c68d3621304b8a6f2c9c
- SHA1: 08a67c455f41e3afa91afe4c448973655c19841e
- SHA256: 168f7fa5ea8971b0b8164ea3d56b8201da27d8b6e9cf80c8c8051a1a1615a92c
- SHA512: 74a6237ea6787ceeb9ff424633363c5059ad455af79467e096e5b9eeb66eb3b7c8c051db224cb28d5f243c9b9754834efca9dcd959915d3c9a17b21b72e299e8
- SSDEEP: 6144:UBlkZvaF4NTBBUSm8J01k0lNFbuH5X1Cok2hM6Xks:UoSWNTPUb8A9tbuHl1i2hM6Xd
Malware Config
Signatures
Event Triggered Execution: Netsh Helper DLL (1 TTP, 18 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
IoCs (description, ioc, process):
- Key queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key value enumerated, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key opened, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key value enumerated, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key opened, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key value enumerated, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key value enumerated, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key opened, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key opened, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key value enumerated, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key opened, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key value enumerated, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key opened, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
- Key queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, netsh.exe
Gathers network information (2 TTPs, 3 IoCs)
Uses commandline utility to view network configuration.
IoCs (pid, process):
- 1600, ipconfig.exe
- 4060, ipconfig.exe
- 1412, ipconfig.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
IoCs (description, pid, process):
- Token: SeIncreaseQuotaPrivilege, 3860, WMIC.exe
- Token: SeSecurityPrivilege, 3860, WMIC.exe
- Token: SeTakeOwnershipPrivilege, 3860, WMIC.exe
- Token: SeLoadDriverPrivilege, 3860, WMIC.exe
- Token: SeSystemProfilePrivilege, 3860, WMIC.exe
- Token: SeSystemtimePrivilege, 3860, WMIC.exe
- Token: SeProfSingleProcessPrivilege, 3860, WMIC.exe
- Token: SeIncBasePriorityPrivilege, 3860, WMIC.exe
- Token: SeCreatePagefilePrivilege, 3860, WMIC.exe
- Token: SeBackupPrivilege, 3860, WMIC.exe
- Token: SeRestorePrivilege, 3860, WMIC.exe
- Token: SeShutdownPrivilege, 3860, WMIC.exe
- Token: SeDebugPrivilege, 3860, WMIC.exe
- Token: SeSystemEnvironmentPrivilege, 3860, WMIC.exe
- Token: SeRemoteShutdownPrivilege, 3860, WMIC.exe
- Token: SeUndockPrivilege, 3860, WMIC.exe
- Token: SeManageVolumePrivilege, 3860, WMIC.exe
- Token: 33, 3860, WMIC.exe
- Token: 34, 3860, WMIC.exe
- Token: 35, 3860, WMIC.exe
- Token: 36, 3860, WMIC.exe
- Token: SeIncreaseQuotaPrivilege, 3860, WMIC.exe
- Token: SeSecurityPrivilege, 3860, WMIC.exe
- Token: SeTakeOwnershipPrivilege, 3860, WMIC.exe
- Token: SeLoadDriverPrivilege, 3860, WMIC.exe
- Token: SeSystemProfilePrivilege, 3860, WMIC.exe
- Token: SeSystemtimePrivilege, 3860, WMIC.exe
- Token: SeProfSingleProcessPrivilege, 3860, WMIC.exe
- Token: SeIncBasePriorityPrivilege, 3860, WMIC.exe
- Token: SeCreatePagefilePrivilege, 3860, WMIC.exe
- Token: SeBackupPrivilege, 3860, WMIC.exe
- Token: SeRestorePrivilege, 3860, WMIC.exe
- Token: SeShutdownPrivilege, 3860, WMIC.exe
- Token: SeDebugPrivilege, 3860, WMIC.exe
- Token: SeSystemEnvironmentPrivilege, 3860, WMIC.exe
- Token: SeRemoteShutdownPrivilege, 3860, WMIC.exe
- Token: SeUndockPrivilege, 3860, WMIC.exe
- Token: SeManageVolumePrivilege, 3860, WMIC.exe
- Token: 33, 3860, WMIC.exe
- Token: 34, 3860, WMIC.exe
- Token: 35, 3860, WMIC.exe
- Token: 36, 3860, WMIC.exe
Suspicious use of WriteProcessMemory (26 IoCs)
IoCs (description, pid, process, procid_target):
- PID 4564 wrote to memory of 3576, 4564, nvrl64.exe, 82
- PID 4564 wrote to memory of 3576, 4564, nvrl64.exe, 82
- PID 3576 wrote to memory of 4788, 3576, cmd.exe, 83
- PID 3576 wrote to memory of 4788, 3576, cmd.exe, 83
- PID 3576 wrote to memory of 2924, 3576, cmd.exe, 84
- PID 3576 wrote to memory of 2924, 3576, cmd.exe, 84
- PID 3576 wrote to memory of 4048, 3576, cmd.exe, 85
- PID 3576 wrote to memory of 4048, 3576, cmd.exe, 85
- PID 3576 wrote to memory of 2020, 3576, cmd.exe, 86
- PID 3576 wrote to memory of 2020, 3576, cmd.exe, 86
- PID 3576 wrote to memory of 720, 3576, cmd.exe, 87
- PID 3576 wrote to memory of 720, 3576, cmd.exe, 87
- PID 3576 wrote to memory of 4200, 3576, cmd.exe, 88
- PID 3576 wrote to memory of 4200, 3576, cmd.exe, 88
- PID 3576 wrote to memory of 1600, 3576, cmd.exe, 89
- PID 3576 wrote to memory of 1600, 3576, cmd.exe, 89
- PID 3576 wrote to memory of 4060, 3576, cmd.exe, 90
- PID 3576 wrote to memory of 4060, 3576, cmd.exe, 90
- PID 3576 wrote to memory of 1412, 3576, cmd.exe, 91
- PID 3576 wrote to memory of 1412, 3576, cmd.exe, 91
- PID 3576 wrote to memory of 4220, 3576, cmd.exe, 92
- PID 3576 wrote to memory of 4220, 3576, cmd.exe, 92
- PID 3576 wrote to memory of 4868, 3576, cmd.exe, 93
- PID 3576 wrote to memory of 4868, 3576, cmd.exe, 93
- PID 3576 wrote to memory of 3860, 3576, cmd.exe, 94
- PID 3576 wrote to memory of 3860, 3576, cmd.exe, 94
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"
  PID: 4564
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7678.tmp\7679.tmp\767A.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\nvrl64.exe"
    PID: 3576
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: NETSH WINSOCK RESET
      PID: 4788
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe
      Command line: NETSH INT IP RESET
      PID: 2924
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe
      Command line: NETSH INTERFACE IPV4 RESET
      PID: 4048
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe
      Command line: NETSH INTERFACE IPV6 RESET
      PID: 2020
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe
      Command line: NETSH INTERFACE TCP RESET
      PID: 720
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe
      Command line: NETSH INT RESET ALL
      PID: 4200
      Signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\ipconfig.exe
      Command line: IPCONFIG /RELEASE
      PID: 1600
      Signatures: Gathers network information
    - C:\Windows\system32\ipconfig.exe
      Command line: IPCONFIG /RELEASE
      PID: 4060
      Signatures: Gathers network information
    - C:\Windows\system32\ipconfig.exe
      Command line: IPCONFIG /FLUSHDNS
      PID: 1412
      Signatures: Gathers network information
    - C:\Windows\system32\nbtstat.exe
      Command line: NBTSTAT -R
      PID: 4220
    - C:\Windows\system32\nbtstat.exe
      Command line: NBTSTAT -RR
      PID: 4868
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
      PID: 3860
      Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 169KB
- MD5: 7933f4bcf196e8ef425998cc9f1a8a91
- SHA1: d9a4d1d104425c5e3ccb17581351e5b61d96d69d
- SHA256: 15bf3321b57e08f6cc80c72e7a1ad54eea4ff27d2faccdd8dd10cc5e4adb26fc
- SHA512: 52f0e5d0ba1224b9ffa6bbb9d1ef365288304581d536b3187f69396049a6ff1190c4feb2ee303b5bec46e688843956532911a7dd3bb75a9cb785d4fb358010b5