Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/06/2024, 20:50

General

  • Target

    Tournament_Fixer/AdditionalRuntimes/ddc.exe

  • Size

    200KB

  • MD5

    2d6af440d55fe5c2a1de3d0cfdf5a5c6

  • SHA1

    f1f5a6e98892e66f696feab226ba90cd065ee247

  • SHA256

    1efe7e80d8bda78d69a00ff26b21c02c71db8469193de7822e5529225bd0ec56

  • SHA512

    21706bfc96b2c70860f02cb19ec357d7564ab27af206969a9ddaa667ef549a81141584a4fe6c3d7e093b7abe40fa8677817565dc0fc6f70850ee5ed6cbdb8c2c

  • SSDEEP

    6144:otzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SGaIRoq7fhHKv:otzE5elwLz9TrlaIo2fhHKv

Score
1/10

Malware Config

Signatures

  • Kills process with taskkill 3 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe
    "C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A57.tmp\4A58.tmp\4A59.bat C:\Users\Admin\AppData\Local\Temp\Tournament_Fixer\AdditionalRuntimes\ddc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EscapeFromTarkov.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im EscapeFromTarkov_BE.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4196
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im BsgLauncher.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        3⤵
        PID:1692
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        3⤵
        PID:4048
      • C:\Windows\system32\reg.exe
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
        3⤵
        PID:2656
      • C:\Windows\system32\reg.exe
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
        3⤵
        PID:4832
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:2316
      • C:\Windows\system32\reg.exe
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
        3⤵
        PID:2960
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23565 /f
        3⤵
        • Modifies registry key
        PID:3480
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 22895 /f
        3⤵
        • Modifies registry key
        PID:3536
      • C:\Windows\system32\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        3⤵
        PID:3352
      • C:\Windows\system32\ARP.EXE
        arp -d
        3⤵
        PID:3512
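The process tree above records one cmd.exe (PID 1352) spawning four kinds of child: forced taskkill of the game, its BattlEye component (EscapeFromTarkov_BE.exe) and the launcher; reg add on both ComputerName and ActiveComputerName with random numeric names; reg delete of the Epic Games Identifiers and Hardware Survey keys (under both HKCU and the user's HKU SID path); and arp -d. Each child on its own is an everyday admin action, which is why the report scores it 1/10; the combination under one parent is what is distinctive. The following is an added example, not tria.ge output or part of this report: a small Python correlator over Sysmon Event ID 1-style process records (dicts with pid, ppid, command_line) that flags a parent whose children cover at least three of those four indicator families. The record format, the rule names, the threshold of three and the benign notepad.exe record are assumptions for illustration; the other sample records are constructed from the command lines shown in the tree above.

```python
"""Correlate child command lines per parent PID for the pattern in the report above.

Added example (not tria.ge code). Process-creation records are modelled as dicts
in the shape of Sysmon Event ID 1 / the report's process entries.
"""
import re
from collections import defaultdict

# Each rule: (indicator family, regex over a child's command line).
RULES = [
    # taskkill with /f anywhere and an /im <image> target (lookahead keeps it order-agnostic)
    ("kill_process", re.compile(r"\btaskkill\b(?=.*\s/f\b).*?\s/im\s+(\S+)", re.I)),
    # reg add rewriting the machine name (either the pending or the active key)
    ("rewrite_computername", re.compile(
        r"\breg\s+add\s+HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\"
        r"(?:Active)?ComputerName\b.*\s/v\s+ComputerName\b", re.I)),
    # reg delete anywhere under Software\Epic Games, via HKCU or the user's HKU SID path
    ("delete_epic_identifiers", re.compile(
        r'\breg\s+delete\s+"?(?:HKEY_CURRENT_USER|HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Epic Games\b', re.I)),
    # arp -d flushes the ARP cache
    ("flush_arp_cache", re.compile(r"\barp(?:\.exe)?\s+-d\b", re.I)),
]
FAMILIES = {name for name, _ in RULES}

# Images killed in this report: the game, its BattlEye process and the launcher.
GAME_ANTICHEAT_IMAGES = {"escapefromtarkov.exe", "escapefromtarkov_be.exe", "bsglauncher.exe"}


def classify(command_line):
    """Return the set of indicator names a single command line triggers."""
    hits = set()
    for name, rx in RULES:
        m = rx.search(command_line)
        if not m:
            continue
        hits.add(name)
        # Refine a generic taskkill into a game/anti-cheat kill when the target matches.
        if name == "kill_process" and m.group(1).lower() in GAME_ANTICHEAT_IMAGES:
            hits.add("kill_game_or_anticheat")
    return hits


def correlate(events, threshold=3):
    """Group children by parent PID; flag a parent covering >= threshold indicator families.

    Returns {ppid: {"indicators": [...sorted...], "flagged": bool}}.
    """
    per_parent = defaultdict(set)
    for ev in events:
        per_parent[ev["ppid"]] |= classify(ev["command_line"])
    return {
        ppid: {"indicators": sorted(hits), "flagged": len(hits & FAMILIES) >= threshold}
        for ppid, hits in per_parent.items()
    }


# Constructed sample: the first eight records reproduce command lines and PIDs from the
# report's process tree; the last one is an assumed benign admin action for contrast.
SAMPLE_EVENTS = [
    {"pid": 4452, "ppid": 1352, "command_line": "taskkill /f /im EscapeFromTarkov.exe"},
    {"pid": 4196, "ppid": 1352, "command_line": "taskkill /f /im EscapeFromTarkov_BE.exe"},
    {"pid": 2164, "ppid": 1352, "command_line": "taskkill /f /im BsgLauncher.exe"},
    {"pid": 1692, "ppid": 1352, "command_line":
        'reg delete "HKEY_CURRENT_USER\\Software\\Epic Games\\Unreal Engine\\Hardware Survey" /f'},
    {"pid": 2656, "ppid": 1352, "command_line":
        'reg delete "HKU\\S-1-5-21-860440266-1445122309-108474356-1001\\Software\\Epic Games\\Unreal Engine\\Identifiers" /va /f'},
    {"pid": 3480, "ppid": 1352, "command_line":
        "REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName /v ComputerName /t REG_SZ /d 23565 /f"},
    {"pid": 3536, "ppid": 1352, "command_line":
        "REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName /v ComputerName /t REG_SZ /d 22895 /f"},
    {"pid": 3512, "ppid": 1352, "command_line": "arp -d"},
    {"pid": 9001, "ppid": 7000, "command_line": "taskkill /f /im notepad.exe"},  # constructed benign neighbour
]


if __name__ == "__main__":
    for ppid, result in correlate(SAMPLE_EVENTS).items():
        print(ppid, "FLAGGED" if result["flagged"] else "ok", result["indicators"])
```

Correlating on the parent PID rather than alerting on each child is the design point: a lone `taskkill /f` or `reg add` under ComputerName will fire constantly in a fleet, but three of the four families under the same cmd.exe within one short run matches what this batch file does and little else. In a real pipeline the grouping key would also include a time window, since PIDs are reused.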

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4A57.tmp\4A58.tmp\4A59.bat

    Filesize

    78KB

    MD5

    cf83e40a1338ad5be3af61a5f882664d

    SHA1

    479a7b4bb38725f7949647161017d42fbd630ed2

    SHA256

    5f283ef150cd3675af8bb98ae1f270b153ef7c622d9cf86b5c84288edf6743d1

    SHA512

    dbf2ead0709bb6542a45f6dbc304ccdd8bd0929a48754880a0dafa18d32b427e1d416ecf695bcebda5583bb37632781bd15fb0fd1c0bfbc584dcd05916604e4e