Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10FN-TOOLZ-m...AN.bat
windows10-2004-x64
10Tournament...ew.exe
windows10-2004-x64
6Tournament...al.dll
windows10-2004-x64
1Tournament...UI.dll
windows10-2004-x64
1Tournament...cl.exe
windows10-2004-x64
1Tournament...uz.exe
windows10-2004-x64
9Tournament...dc.exe
windows10-2004-x64
1Tournament...ft.exe
windows10-2004-x64
1Tournament...64.exe
windows10-2004-x64
1Tournament...32.exe
windows10-2004-x64
1Tournament...64.exe
windows10-2004-x64
4Tournament...fg.exe
windows10-2004-x64
3Tournament...sg.exe
windows10-2004-x64
3Tournament...sr.exe
windows10-2004-x64
10Tournament...wg.exe
windows10-2004-x64
1Tournament...sm.dll
windows10-2004-x64
1Tournament...xy.dll
windows10-2004-x64
7Tournament...ry.dll
windows10-2004-x64
1Tournament...ll.dll
windows10-2004-x64
1Tournament...pi.dll
windows10-2004-x64
1Tournament...32.dll
windows10-2004-x64
1Tournament...da.dll
windows10-2004-x64
1Tournament...ve.dll
windows10-2004-x64
1Tournament...70.dll
windows10-2004-x64
1Tournament...rl.exe
windows10-2004-x64
3Tournament...64.exe
windows10-2004-x64
3Tournament...cs.exe
windows10-2004-x64
8Tournament...64.exe
windows10-2004-x64
10Tournament...tm.exe
windows10-2004-x64
3Tournament...mc.exe
windows10-2004-x64
1FN-TOOLZ-m...er.exe
windows10-2004-x64
9FN-TOOLZ-m...er.bat
windows10-2004-x64
1Analysis
-
max time kernel
0s -
max time network
308s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26/06/2024, 20:50
Behavioral task
behavioral1
Sample
FN-TOOLZ-main/FNCLEAN.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
Tournament_Fixer/AdditionalRuntimes/DevManView.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Tournament_Fixer/AdditionalRuntimes/ccl.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral6
Sample
Tournament_Fixer/AdditionalRuntimes/cpuz.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Tournament_Fixer/AdditionalRuntimes/ddc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
Tournament_Fixer/AdditionalRuntimes/hssft.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
Tournament_Fixer/AdditionalRuntimes/hwbd64.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral12
Sample
Tournament_Fixer/AdditionalRuntimes/jfg.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Tournament_Fixer/AdditionalRuntimes/jsg.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral14
Sample
Tournament_Fixer/AdditionalRuntimes/jsr.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
Tournament_Fixer/AdditionalRuntimes/kwg.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral16
Sample
Tournament_Fixer/AdditionalRuntimes/lsm.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
Tournament_Fixer/AdditionalRuntimes/luainstall.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
Tournament_Fixer/AdditionalRuntimes/luiapi.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Tournament_Fixer/AdditionalRuntimes/lz32.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral22
Sample
Tournament_Fixer/AdditionalRuntimes/mcicda.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
Tournament_Fixer/AdditionalRuntimes/mciwave.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral24
Sample
Tournament_Fixer/AdditionalRuntimes/mfc70.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
Tournament_Fixer/AdditionalRuntimes/nvrl.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral26
Sample
Tournament_Fixer/AdditionalRuntimes/nvrl64.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Tournament_Fixer/AdditionalRuntimes/tcs.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral28
Sample
Tournament_Fixer/AdditionalRuntimes/tcs64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
Tournament_Fixer/AdditionalRuntimes/tm.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
Tournament_Fixer/AdditionalRuntimes/wmc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
FN-TOOLZ-main/applecleaner.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral32
Sample
FN-TOOLZ-main/serial_checker.bat
Resource
win10v2004-20240508-en
General
-
Target
Tournament_Fixer/AdditionalRuntimes/wmc.exe
-
Size
91KB
-
MD5
b39ac1b12aa20bffbd85c28796c5c9ef
-
SHA1
c2d378d226c6a4d80d13675f6a3dfb284c6563bd
-
SHA256
90a71d75e1058e4b76c9469dada5d6dc9ec922e5adb288e95c5eced28a4b93f4
-
SHA512
502a068ee9dcb2c3c85d45b4f3fbc63717d72f5fc2bc7566adb14543d64c33ce4fc78a7c74fc66b10ecadbc999a8de9baf9c4643f42a25f5ff00f3a754f6858c
-
SSDEEP
1536:X7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfxwNW6I6OF:L7DhdC6kzWypvaQ0FxyNTBfxkI3
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3404 WMIC.exe Token: SeSecurityPrivilege 3404 WMIC.exe Token: SeTakeOwnershipPrivilege 3404 WMIC.exe Token: SeLoadDriverPrivilege 3404 WMIC.exe Token: SeSystemProfilePrivilege 3404 WMIC.exe Token: SeSystemtimePrivilege 3404 WMIC.exe Token: SeProfSingleProcessPrivilege 3404 WMIC.exe Token: SeIncBasePriorityPrivilege 3404 WMIC.exe Token: SeCreatePagefilePrivilege 3404 WMIC.exe Token: SeBackupPrivilege 3404 WMIC.exe Token: SeRestorePrivilege 3404 WMIC.exe Token: SeShutdownPrivilege 3404 WMIC.exe Token: SeDebugPrivilege 3404 WMIC.exe Token: SeSystemEnvironmentPrivilege 3404 WMIC.exe Token: SeRemoteShutdownPrivilege 3404 WMIC.exe Token: SeUndockPrivilege 3404 WMIC.exe Token: SeManageVolumePrivilege 3404 WMIC.exe Token: 33 3404 WMIC.exe Token: 34 3404 WMIC.exe Token: 35 3404 WMIC.exe Token: 36 3404 WMIC.exe Token: SeIncreaseQuotaPrivilege 3404 WMIC.exe Token: SeSecurityPrivilege 3404 WMIC.exe Token: SeTakeOwnershipPrivilege 3404 WMIC.exe Token: SeLoadDriverPrivilege 3404 WMIC.exe Token: SeSystemProfilePrivilege 3404 WMIC.exe Token: SeSystemtimePrivilege 3404 WMIC.exe Token: SeProfSingleProcessPrivilege 3404 WMIC.exe Token: SeIncBasePriorityPrivilege 3404 WMIC.exe Token: SeCreatePagefilePrivilege 3404 WMIC.exe Token: SeBackupPrivilege 3404 WMIC.exe Token: SeRestorePrivilege 3404 WMIC.exe Token: SeShutdownPrivilege 3404 WMIC.exe Token: SeDebugPrivilege 3404 WMIC.exe Token: SeSystemEnvironmentPrivilege 3404 WMIC.exe Token: SeRemoteShutdownPrivilege 3404 WMIC.exe Token: SeUndockPrivilege 3404 WMIC.exe Token: SeManageVolumePrivilege 3404 WMIC.exe Token: 33 3404 WMIC.exe Token: 34 3404 WMIC.exe Token: 35 3404 WMIC.exe Token: 36 3404 WMIC.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1936 wrote to memory of 5000 1936 wmc.exe 82 PID 1936 wrote to memory of 5000 1936 wmc.exe 82 PID 5000 wrote to memory of 3644 5000 cmd.exe 83 PID 5000 wrote to memory of 3644 5000 cmd.exe 83 PID 3644 wrote to memory of 3404 3644 cmd.exe 84 PID 3644 wrote to memory of 3404 3644 cmd.exe 84 PID 3644 wrote to memory of 4448 3644 cmd.exe 85 PID 3644 wrote to memory of 4448 3644 cmd.exe 85 PID 1936 wrote to memory of 5000 1936 wmc.exe 82 PID 1936 wrote to memory of 5000 1936 wmc.exe 82 PID 5000 wrote to memory of 3644 5000 cmd.exe 83 PID 5000 wrote to memory of 3644 5000 cmd.exe 83 PID 3644 wrote to memory of 3404 3644 cmd.exe 84 PID 3644 wrote to memory of 3404 3644 cmd.exe 84 PID 3644 wrote to memory of 4448 3644 cmd.exe 85 PID 3644 wrote to memory of 4448 3644 cmd.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]3⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404
-
-
C:\Windows\system32\findstr.exefindstr [0-9]4⤵PID:4448
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\013⤵PID:4192
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013⤵PID:2052
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00013⤵PID:2084
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1E4CBCC388F6 /f3⤵PID:4888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]3⤵PID:4392
-
C:\Windows\System32\Wbem\WMIC.exewmic nic where physicaladapter=true get deviceid4⤵PID:2044
-
-
C:\Windows\system32\findstr.exefindstr [0-9]4⤵PID:2584
-
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\013⤵PID:3912
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013⤵PID:2524
-
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00013⤵PID:4856
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f3⤵PID:716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"3⤵PID:1332
-
C:\Windows\System32\Wbem\WMIC.exewmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv4⤵PID:1324
-
-
-
C:\Windows\system32\netsh.exenetsh interface set interface name="Ethernet" disable3⤵PID:2516
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵PID:1668
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58ca2de2e300d0f8b61645529ffc75551
SHA1058f24d2ed2016d5c8a137a5853065dbdfded102
SHA25611e99c0caedf2b03d3c9e10c4f533a5a5a02054c0b4640e54463722474f90464
SHA5120fe3044f7c1c4a00e4365a3f3d97489fb3931626872fca77b0f9e17bdac42ba91dd09187ea1fc2e6f1b103f608b1d80faf45d63478a22a8788b3ea9d7f6d1885