Analysis
- max time kernel: 91s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20/08/2024, 20:37
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: neverlose by pinkking.exe
  Resource: win11-20240802-en
- Behavioral task: behavioral2
  Sample: steam_api.dll
  Resource: win11-20240802-en
General
- Target: neverlose by pinkking.exe
- Size: 84KB
- MD5: 1e1f1d68311dd22314ae2577ed795849
- SHA1: 529049136b8cdd06ffd827b7d2415bd9d81bc7c3
- SHA256: 270ee31a32338f8d05257bcf77103662cb555129703312c76e607feef94f94c9
- SHA512: 2fc7df714f2b9b6847b19cd96ac7bde29d09321ce35018247a6e4274e4274df62e387828d8962e191e82f86fddaff41d4997a08d01fc26bb2dbfae0aa753eaab
- SSDEEP: 1536:92Y0VNblnigen1FQGpaika1PASjg/olRlx+:923rbZi/8GprF3jg/o3ls
Malware Config
Signatures

- Hide Artifacts: Hidden Files and Directories (1 TTPs, 2 IoCs)
  pid | Process
  1952 | cmd.exe
  1388 | cmd.exe

- System Location Discovery: System Language Discovery (1 TTPs, 25 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  All 25 IoCs open the same registry key; identical rows are collapsed with a count.
  description | ioc | Process | count
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 19
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | neverlose by pinkking.exe | 2
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe | 2
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mode.com | 2

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2336 | neverlose by pinkking.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists most writes three times; identical rows are collapsed with a count.
  description | pid | Process | procid_target | count
  PID 4576 wrote to memory of 2740 | 4576 | neverlose by pinkking.exe | 79 | 3
  PID 2740 wrote to memory of 5064 | 2740 | cmd.exe | 80 | 3
  PID 4576 wrote to memory of 3708 | 4576 | neverlose by pinkking.exe | 81 | 3
  PID 4576 wrote to memory of 4928 | 4576 | neverlose by pinkking.exe | 82 | 3
  PID 4576 wrote to memory of 1268 | 4576 | neverlose by pinkking.exe | 83 | 3
  PID 4576 wrote to memory of 1952 | 4576 | neverlose by pinkking.exe | 84 | 3
  PID 1952 wrote to memory of 2220 | 1952 | cmd.exe | 85 | 3
  PID 4576 wrote to memory of 4152 | 4576 | neverlose by pinkking.exe | 86 | 3
  PID 4576 wrote to memory of 5092 | 4576 | neverlose by pinkking.exe | 87 | 3
  PID 4576 wrote to memory of 2036 | 4576 | neverlose by pinkking.exe | 88 | 3
  PID 4576 wrote to memory of 724 | 4576 | neverlose by pinkking.exe | 89 | 3
  PID 4576 wrote to memory of 4428 | 4576 | neverlose by pinkking.exe | 90 | 3
  PID 2336 wrote to memory of 2924 | 2336 | neverlose by pinkking.exe | 100 | 3
  PID 2924 wrote to memory of 2796 | 2924 | cmd.exe | 101 | 3
  PID 2336 wrote to memory of 4472 | 2336 | neverlose by pinkking.exe | 102 | 3
  PID 2336 wrote to memory of 2368 | 2336 | neverlose by pinkking.exe | 103 | 3
  PID 2336 wrote to memory of 388 | 2336 | neverlose by pinkking.exe | 104 | 3
  PID 2336 wrote to memory of 1388 | 2336 | neverlose by pinkking.exe | 105 | 3
  PID 1388 wrote to memory of 456 | 1388 | cmd.exe | 106 | 3
  PID 2336 wrote to memory of 3520 | 2336 | neverlose by pinkking.exe | 107 | 3
  PID 2336 wrote to memory of 3920 | 2336 | neverlose by pinkking.exe | 108 | 3
  PID 2336 wrote to memory of 3372 | 2336 | neverlose by pinkking.exe | 109 | 1

- Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  2220 | attrib.exe
  456 | attrib.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\neverlose by pinkking.exe (PID 4576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\neverlose by pinkking.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2740)
    Command line: C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mode.com (PID 5064)
      Command line: mode con:cols=0120 lines=0030
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3708)
    Command line: C:\Windows\system32\cmd.exe /c title neverlose crack by pinkking
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4928)
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1268)
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1952)
    Command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    Signatures: Hide Artifacts: Hidden Files and Directories; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2220)
      Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
      Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 4152)
    Command line: C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 5092)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2036)
    Command line: C:\Windows\system32\cmd.exe /c
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 724)
    Command line: C:\Windows\system32\cmd.exe /c pause
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4428)
    Command line: C:\Windows\system32\cmd.exe /c
    Signatures: System Location Discovery: System Language Discovery

- C:\Windows\system32\svchost.exe (PID 1652)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

- C:\Windows\System32\rundll32.exe (PID 3484)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Desktop\neverlose by pinkking.exe (PID 2336)
  Command line: "C:\Users\Admin\Desktop\neverlose by pinkking.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2924)
    Command line: C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mode.com (PID 2796)
      Command line: mode con:cols=0120 lines=0030
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4472)
    Command line: C:\Windows\system32\cmd.exe /c title neverlose crack by pinkking
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2368)
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 388)
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1388)
    Command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    Signatures: Hide Artifacts: Hidden Files and Directories; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 456)
      Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
      Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 3520)
    Command line: C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3920)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3372)
    Command line: C:\Windows\system32\cmd.exe /c
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2984)
    Command line: C:\Windows\system32\cmd.exe /c pause
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 173B
  MD5: 0f8f70e88009593eefaa155a8e31b1d6
  SHA1: eabcc3f2135e0919e9456da0a4b1084f3382d4b6
  SHA256: 941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b
  SHA512: 94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

- Filesize: 32B
  MD5: d406619e40f52369e12ae4671b16a11a
  SHA1: 9c5748148612b1eefaacf368fbf5dbcaa8dea6d0
  SHA256: 2e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be
  SHA512: 4d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264

- Filesize: 3B
  MD5: a5ea0ad9260b1550a14cc58d2c39b03d
  SHA1: f0aedf295071ed34ab8c6a7692223d22b6a19841
  SHA256: f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
  SHA512: 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

- Filesize: 3B
  MD5: 21438ef4b9ad4fc266b6129a2f60de29
  SHA1: 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
  SHA256: 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
  SHA512: 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237