Analysis

  • max time kernel
    0s
  • max time network
    308s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:50

General

  • Target

    Tournament_Fixer/AdditionalRuntimes/wmc.exe

  • Size

    91KB

  • MD5

    b39ac1b12aa20bffbd85c28796c5c9ef

  • SHA1

    c2d378d226c6a4d80d13675f6a3dfb284c6563bd

  • SHA256

    90a71d75e1058e4b76c9469dada5d6dc9ec922e5adb288e95c5eced28a4b93f4

  • SHA512

    502a068ee9dcb2c3c85d45b4f3fbc63717d72f5fc2bc7566adb14543d64c33ce4fc78a7c74fc66b10ecadbc999a8de9baf9c4643f42a25f5ff00f3a754f6858c

  • SSDEEP

    1536:X7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfxwNW6I6OF:L7DhdC6kzWypvaQ0FxyNTBfxkI3

Score
1/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\wmc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3644
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3404
        • C:\Windows\system32\findstr.exe
          findstr [0-9]
          4⤵
          PID:4448
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        3⤵
        PID:4192
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        3⤵
        PID:2052
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        3⤵
        PID:2084
      • C:\Windows\system32\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1E4CBCC388F6 /f
        3⤵
        PID:4888
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        3⤵
        PID:4392
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
          4⤵
          PID:2044
        • C:\Windows\system32\findstr.exe
          findstr [0-9]
          4⤵
          PID:2584
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        3⤵
        PID:3912
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        3⤵
        PID:2524
      • C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        3⤵
        PID:4856
      • C:\Windows\system32\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
        3⤵
        PID:716
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        3⤵
        PID:1332
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
          4⤵
          PID:1324
      • C:\Windows\system32\netsh.exe
        netsh interface set interface name="Ethernet" disable
        3⤵
        PID:2516
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    PID:1668

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\45C3.tmp\45C4.tmp\45C5.bat

    Filesize

    2KB

    MD5

    8ca2de2e300d0f8b61645529ffc75551

    SHA1

    058f24d2ed2016d5c8a137a5853065dbdfded102

    SHA256

    11e99c0caedf2b03d3c9e10c4f533a5a5a02054c0b4640e54463722474f90464

    SHA512

    0fe3044f7c1c4a00e4365a3f3d97489fb3931626872fca77b0f9e17bdac42ba91dd09187ea1fc2e6f1b103f608b1d80faf45d63478a22a8788b3ea9d7f6d1885