Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 32s
max time network: 26s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 21:39
Behavioral tasks
behavioral1: Sample release8-2-24/release/main/cheat.exe, Resource win7-20240708-en
behavioral2: Sample release8-2-24/release/main/cheat.exe, Resource win10v2004-20240802-en
behavioral3: Sample release8-2-24/release/main/loader.exe, Resource win7-20240708-en
behavioral4: Sample release8-2-24/release/main/loader.exe, Resource win10v2004-20240802-en
behavioral5: Sample release8-2-24/release/map/Map.exe, Resource win7-20240704-en
behavioral6: Sample release8-2-24/release/map/Map.exe, Resource win10v2004-20240802-en
General
Target: release8-2-24/release/main/loader.exe
Size: 4.1MB
MD5: 9ecdc9ed1bea6c226f92d740d43400b9
SHA1: b5b5066cd4284733d8c3f3d7de3ca6653091ae10
SHA256: 60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c
SHA512: 30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43
SSDEEP: 98304:vnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUPj:PTn2qcUzp6UYeJRCxPj
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (loader.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (loader.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (loader.exe)
YARA rule match: themida (10 IoCs, all in behavioral4, loader.exe PID 4112 memory dumps)
  behavioral4/memory/4112-0-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-3-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-2-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-4-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-6-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-5-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-7-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-8-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-45-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
  behavioral4/memory/4112-141-0x00007FF6580A0000-0x00007FF658B3F000-memory.dmp
Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (loader.exe)
Drops file in System32 directory (11 IoCs, all by svchost.exe)
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
  File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat
  File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4112 loader.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings (mspaint.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 744 chrome.exe (2 entries), PID 3200 mspaint.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 4112 loader.exe, PID 4700 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  PID 744 chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs, all PID 744 chrome.exe)
  Token: SeShutdownPrivilege (3 entries)
  Token: SeCreatePagefilePrivilege (3 entries)
Suspicious use of FindShellTrayWindow (27 IoCs)
  PID 744 chrome.exe (27 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  PID 744 chrome.exe (24 entries)
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 4112 loader.exe, PID 3200 mspaint.exe, PID 4700 OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Unique writer to target pairs (each pair appears repeatedly among the 64 entries; procid_target in parentheses):
  PID 4112 loader.exe wrote to memory of 4968 (84)
  PID 4968 cmd.exe wrote to memory of 3780 (86)
  PID 4968 cmd.exe wrote to memory of 4268 (87)
  PID 4968 cmd.exe wrote to memory of 3612 (88)
  PID 744 chrome.exe wrote to memory of 1108 (92)
  PID 744 chrome.exe wrote to memory of 3720 (93)
  PID 744 chrome.exe wrote to memory of 1488 (94)
  PID 744 chrome.exe wrote to memory of 4552 (95)
Processes
C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe (PID 4112)
  command line: "C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 4968)
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\certutil.exe (PID 3780)
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe" MD5
    C:\Windows\system32\find.exe (PID 4268)
      command line: find /i /v "md5"
    C:\Windows\system32\find.exe (PID 3612)
      command line: find /i /v "certutil"
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 744)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1108)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffed085cc40,0x7ffed085cc4c,0x7ffed085cc58
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3720)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2080,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2076 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1488)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2208 /prefetch:3
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4552)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1840,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2312 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5028)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2384)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3412 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3468)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3708 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 2920)
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\system32\mspaint.exe (PID 3200)
  command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompleteImport.png" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
C:\Windows\System32\svchost.exe (PID 1344)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory
C:\Windows\system32\OpenWith.exe (PID 4700)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads