Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Cheat NurSultan.exe

windows7-x64

10

Cheat NurSultan.exe

windows10-1703-x64

10

Cheat NurSultan.exe

windows10-2004-x64

Cheat NurSultan.exe

windows11-21h2-x64

Cheat NurSultan.exe

macos-10.15-amd64

4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Cheat NurSultan.exe

  • Size

    1.3MB

  • Sample

    240701-y222daxdjb

  • MD5

    22b762a6b5b3da61cbf9e1222b8c7bd3

  • SHA1

    e96af3ed20282eec090ba042650c6ed0aee200ef

  • SHA256

    6158c5b45fb9b11f49d6ea84917c3dce8590b8410accb865e346c68f9c619a99

  • SHA512

    68071a50f25693272389995390c0c3d828355402ae52ceabd3cae5f1d2262c0a6f7ece737dbcc44a3fb4093aa7784a71f3bc08d3a409518762b0ca8eb2527aca

  • SSDEEP

    24576:mwxPanDWDAxfy+t4g6cBLi2iYQOlb8T8IU+x:LxPpWTjPJplgTfUw

Score
10/10
bootkitevasionexecutionmacospersistencetrojan

Malware Config

Targets

    • Target

      Cheat NurSultan.exe

    • Size

      1.3MB

    • MD5

      22b762a6b5b3da61cbf9e1222b8c7bd3

    • SHA1

      e96af3ed20282eec090ba042650c6ed0aee200ef

    • SHA256

      6158c5b45fb9b11f49d6ea84917c3dce8590b8410accb865e346c68f9c619a99

    • SHA512

      68071a50f25693272389995390c0c3d828355402ae52ceabd3cae5f1d2262c0a6f7ece737dbcc44a3fb4093aa7784a71f3bc08d3a409518762b0ca8eb2527aca

    • SSDEEP

      24576:mwxPanDWDAxfy+t4g6cBLi2iYQOlb8T8IU+x:LxPpWTjPJplgTfUw

    Score
    10/10
    bootkitevasionexecutionpersistencetrojan

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Launchctl

1
T1569.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Resource Forking

1
T1564.009

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

5
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.