Analysis
- max time kernel: 29s
- max time network: 20s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01/07/2024, 20:17
Static task
- static1
Behavioral tasks
- behavioral1: Sample Cheat NurSultan.exe, Resource win7-20240508-en
- behavioral2: Sample Cheat NurSultan.exe, Resource win10-20240404-en
- behavioral3: Sample Cheat NurSultan.exe, Resource win10v2004-20240508-en
- behavioral4: Sample Cheat NurSultan.exe, Resource win11-20240508-en
General
- Target: Cheat NurSultan.exe
- Size: 1.3MB
- MD5: 22b762a6b5b3da61cbf9e1222b8c7bd3
- SHA1: e96af3ed20282eec090ba042650c6ed0aee200ef
- SHA256: 6158c5b45fb9b11f49d6ea84917c3dce8590b8410accb865e346c68f9c619a99
- SHA512: 68071a50f25693272389995390c0c3d828355402ae52ceabd3cae5f1d2262c0a6f7ece737dbcc44a3fb4093aa7784a71f3bc08d3a409518762b0ca8eb2527aca
- SSDEEP: 24576:mwxPanDWDAxfy+t4g6cBLi2iYQOlb8T8IU+x:LxPpWTjPJplgTfUw
Malware Config
Signatures

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Cheat NurSultan.exe

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | Cheat NurSultan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe = "0" | Cheat NurSultan.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2264 | powershell.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 12 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Cheat NurSultan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe" | Cheat NurSultan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Cheat NurSultan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe" | Cheat NurSultan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "\"cmd.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe\"" | Cheat NurSultan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | Cheat NurSultan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe" | Cheat NurSultan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe" | Cheat NurSultan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe | Cheat NurSultan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe" | Cheat NurSultan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe | Cheat NurSultan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | Cheat NurSultan.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | Cheat NurSultan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | Cheat NurSultan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe = "0" | Cheat NurSultan.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Qwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat NurSultan.exe" | Cheat NurSultan.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Cheat NurSultan.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | Cheat NurSultan.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3936 | Cheat NurSultan.exe (repeated for 63 of the 64 IoCs)
2264 | powershell.exe (1 IoC)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 3936 | Cheat NurSultan.exe
Token: SeRestorePrivilege | 3936 | Cheat NurSultan.exe
Token: SeDebugPrivilege | 3936 | Cheat NurSultan.exe
Token: SeDebugPrivilege | 2264 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2264 | powershell.exe
Token: SeSecurityPrivilege | 2264 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2264 | powershell.exe
Token: SeLoadDriverPrivilege | 2264 | powershell.exe
Token: SeSystemProfilePrivilege | 2264 | powershell.exe
Token: SeSystemtimePrivilege | 2264 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2264 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2264 | powershell.exe
Token: SeCreatePagefilePrivilege | 2264 | powershell.exe
Token: SeBackupPrivilege | 2264 | powershell.exe
Token: SeRestorePrivilege | 2264 | powershell.exe
Token: SeShutdownPrivilege | 2264 | powershell.exe
Token: SeDebugPrivilege | 2264 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2264 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2264 | powershell.exe
Token: SeUndockPrivilege | 2264 | powershell.exe
Token: SeManageVolumePrivilege | 2264 | powershell.exe
Token: 33 | 2264 | powershell.exe
Token: 34 | 2264 | powershell.exe
Token: 35 | 2264 | powershell.exe
Token: 36 | 2264 | powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3936 wrote to memory of 3748 | 3936 | Cheat NurSultan.exe | 72
PID 3936 wrote to memory of 3748 | 3936 | Cheat NurSultan.exe | 72
PID 3936 wrote to memory of 2264 | 3936 | Cheat NurSultan.exe | 74
PID 3936 wrote to memory of 2264 | 3936 | Cheat NurSultan.exe | 74
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Cheat NurSultan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Cheat NurSultan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | Cheat NurSultan.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe"
   PID: 3936
   Signatures:
   - UAC bypass
   - Windows security bypass
   - Event Triggered Execution: Image File Execution Options Injection
   - Windows security modification
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Writes to the Master Boot Record (MBR)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - System policy modification

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe" /rl HIGHEST /f
      PID: 3748

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe'"
      PID: 2264
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1. C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe" explorer.exe
   PID: 340
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Downloads
- Filesize: 1B
- MD5: c4ca4238a0b923820dcc509a6f75849b
- SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
- SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
- SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a