Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
48s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
01/07/2024, 20:17
Errors
General
-
Target
Cheat NurSultan.exe
-
Size
1.3MB
-
MD5
22b762a6b5b3da61cbf9e1222b8c7bd3
-
SHA1
e96af3ed20282eec090ba042650c6ed0aee200ef
-
SHA256
6158c5b45fb9b11f49d6ea84917c3dce8590b8410accb865e346c68f9c619a99
-
SHA512
68071a50f25693272389995390c0c3d828355402ae52ceabd3cae5f1d2262c0a6f7ece737dbcc44a3fb4093aa7784a71f3bc08d3a409518762b0ca8eb2527aca
-
SSDEEP
24576:mwxPanDWDAxfy+t4g6cBLi2iYQOlb8T8IU+x:LxPpWTjPJplgTfUw
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe"C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe"1⤵
- UAC bypass
- Windows security bypass
- Event Triggered Execution: Image File Execution Options Injection
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe" /rl HIGHEST /f2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheat NurSultan.exe'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB