Analysis

  • max time kernel
    198s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/06/2024, 20:50

General

  • Target

    Tournament_Fixer/AdditionalRuntimes/ccl.exe

  • Size

    140KB

  • MD5

    df8da4150228ebafef9f815e15f34e6c

  • SHA1

    4e31107c4676b51fe82a96e2de088ccb1e3306a3

  • SHA256

    e4a752a2dcef56ec6832e41f6ef8849d3fdeddb73638405925bf02b0a3c5c258

  • SHA512

    3e472bb6a4630ec481ea748ebe27d8f97b6500bd6f6b8e0fc87c45a05315176c2e2ade57c2dbc86b8c587e2977c28924172c127e2265a8b69a0405993347ca22

  • SSDEEP

    3072:c/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFS6IWk0okpUXVtfy:/tzsb5Uh28+V1WW69B9VjMdxPedN9ugK

Score
1/10

Malware Config

Signatures

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\51AA.tmp\51AB.tmp\51AC.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ccl.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EscapeFromTarkov.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:396
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EscapeFromTarkov_BE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5052
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BsgLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4532

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\51AA.tmp\51AB.tmp\51AC.bat

    Filesize

    18KB

    MD5

    eb8db91c18a62f691408bb0b176d21f6

    SHA1

    975b3e870d68d404d6f4caefb83e0e94edff15f8

    SHA256

    0f0dddce6005eca40546a881aff76cddbc6b609845c1a9266f03fbdb9245cd74

    SHA512

    e3fc3edbc26a826fa136f5da9be1230ce2c4d6f24f7b0d4345abfdacde1f890b7592bc8dcc03758b400abed6d565528f4edecd712a205d2ad5849120275b9caf