Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20/08/2024, 20:37

General

  • Target

    neverlose by pinkking.exe

  • Size

    84KB

  • MD5

    1e1f1d68311dd22314ae2577ed795849

  • SHA1

    529049136b8cdd06ffd827b7d2415bd9d81bc7c3

  • SHA256

    270ee31a32338f8d05257bcf77103662cb555129703312c76e607feef94f94c9

  • SHA512

    2fc7df714f2b9b6847b19cd96ac7bde29d09321ce35018247a6e4274e4274df62e387828d8962e191e82f86fddaff41d4997a08d01fc26bb2dbfae0aa753eaab

  • SSDEEP

    1536:92Y0VNblnigen1FQGpaika1PASjg/olRlx+:923rbZi/8GprF3jg/o3ls

Malware Config

Signatures

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\neverlose by pinkking.exe
    "C:\Users\Admin\AppData\Local\Temp\neverlose by pinkking.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\mode.com
        mode con:cols=0120 lines=0030
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5064
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c title neverlose crack by pinkking
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      • System Location Discovery: System Language Discovery
      PID:724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4428
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    1⤵
    PID:1652
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3484
  • C:\Users\Admin\Desktop\neverlose by pinkking.exe
    "C:\Users\Admin\Desktop\neverlose by pinkking.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\mode.com
        mode con:cols=0120 lines=0030
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c title neverlose crack by pinkking
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4472
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:456
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2984
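The process tree above is the footprint of a batch script compiled into an executable: the wrapper replays the script one line at a time, each through its own `cmd.exe /c` child, and uses `attrib +h` to hide its staging directory under the user's Temp folder. The following script is an added example, not part of the Triage report or of any Triage tooling. It takes process-creation events modelled on the first tree in this report (the PIDs, images and command lines are copied from it; the root's parent PID and the event field names `pid`, `ppid`, `image`, `cmdline` are assumptions) and recovers the replayed batch lines, flags the wrapper pattern, and lists the directories hidden via `attrib +h` inside a user's AppData.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The field set (pid, ppid, image, cmdline)
    is an assumed generic schema, not Triage's export format."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT_EXE = TEMP + r"\neverlose by pinkking.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CMD_C = r"C:\Windows\system32\cmd.exe /c"

# Constructed sample: the report's first process tree (root PID 4576), in the
# order the report lists it. The root's parent PID (1000) is made up.
EVENTS = [
    ProcEvent(4576, 1000, ROOT_EXE, f'"{ROOT_EXE}"'),
    ProcEvent(2740, 4576, CMD, CMD_C + " mode con:cols=0120 lines=0030"),
    ProcEvent(5064, 2740, r"C:\Windows\SysWOW64\mode.com", "mode con:cols=0120 lines=0030"),
    ProcEvent(3708, 4576, CMD, CMD_C + " title neverlose crack by pinkking"),
    ProcEvent(4928, 4576, CMD, CMD_C + f' if not exist "{TEMP}\\myfiles" mkdir "{TEMP}\\myfiles"'),
    ProcEvent(1268, 4576, CMD, CMD_C + f' if not exist "{TEMP}\\wtmpd" mkdir "{TEMP}\\wtmpd"'),
    ProcEvent(1952, 4576, CMD, CMD_C + f" attrib +h {TEMP}\\wtmpd"),
    ProcEvent(2220, 1952, r"C:\Windows\SysWOW64\attrib.exe", f"attrib +h {TEMP}\\wtmpd"),
    ProcEvent(4152, 4576, CMD, CMD_C + f" echo:0>{TEMP}\\i6.t"),
    ProcEvent(5092, 4576, CMD, CMD_C + f" {TEMP}\\i6.bat"),
    ProcEvent(2036, 4576, CMD, CMD_C),
    ProcEvent(724, 4576, CMD, CMD_C + " pause"),
    ProcEvent(4428, 4576, CMD, CMD_C),
]

# `[drive:\path\]cmd.exe /c <rest>`; <rest> may be empty (a blank script line).
CMD_C_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd\.exe"?\s+/c\s*(.*)$', re.IGNORECASE)
ATTRIB_H_RE = re.compile(r'\+h\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
USER_APPDATA_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def find_roots(events):
    """PIDs whose parent is not itself in the event set, i.e. tree roots."""
    pids = {ev.pid for ev in events}
    return [ev.pid for ev in events if ev.ppid not in pids]


def recover_script(events, root_pid):
    """Reconstruct the batch lines a bat2exe-style wrapper replayed: every
    `cmd.exe /c <line>` spawned directly by root_pid yields <line>, in event
    order; a bare `cmd.exe /c` yields '' (a blank or comment-only line)."""
    script = []
    for ev in events:
        if ev.ppid != root_pid:
            continue
        m = CMD_C_RE.match(ev.cmdline)
        if m:
            script.append(m.group(1).strip())
    return script


def hidden_staging_dirs(events):
    """(pid, path) for every attrib.exe run that sets +h on a path under a
    user's AppData: the Hide Artifacts behaviour the report flags."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\attrib.exe"):
            continue
        m = ATTRIB_H_RE.search(ev.cmdline)
        if m and USER_APPDATA_RE.match(m.group(1)):
            hits.append((ev.pid, m.group(1)))
    return hits


def looks_like_bat2exe_wrapper(script):
    """Heuristic: a `mode con` console-size line plus a `title` line, each run
    through its own cmd /c child, is the footprint of a batch file compiled
    into an exe that replays the script line by line."""
    has_mode = any(line.lower().startswith("mode con") for line in script)
    has_title = any(line.lower().startswith("title ") for line in script)
    return has_mode and has_title


def triage(events):
    """Per-root summary: recovered script, wrapper verdict, hidden directories."""
    summary = {}
    for root in find_roots(events):
        script = recover_script(events, root)
        summary[root] = {
            "script": script,
            "wrapper": looks_like_bat2exe_wrapper(script),
            "hidden_dirs": [path for _, path in hidden_staging_dirs(events)],
        }
    return summary


if __name__ == "__main__":
    for root, info in triage(EVENTS).items():
        print(f"root {root}: wrapper={info['wrapper']} hidden={info['hidden_dirs']}")
        for line in info["script"]:
            print("   ", line or "<blank line>")
```

Feed it a real process-creation stream (Sysmon Event ID 1 or Security 4688, mapped onto `ProcEvent`) and the recovered script is the `i6.bat` stage the sandbox captured under Downloads, reconstructed without touching the file; the `attrib +h` check on AppData paths is the narrow, low-noise part of the detection, while the `mode con`/`title` heuristic is a wrapper fingerprint rather than evidence of malicious intent on its own.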

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\i6.bat
    Filesize
    173B
    MD5
    0f8f70e88009593eefaa155a8e31b1d6
    SHA1
    eabcc3f2135e0919e9456da0a4b1084f3382d4b6
    SHA256
    941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b
    SHA512
    94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750

  • C:\Users\Admin\AppData\Local\Temp\i6.f
    Filesize
    32B
    MD5
    d406619e40f52369e12ae4671b16a11a
    SHA1
    9c5748148612b1eefaacf368fbf5dbcaa8dea6d0
    SHA256
    2e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be
    SHA512
    4d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264

  • C:\Users\Admin\AppData\Local\Temp\i6.t
    Filesize
    3B
    MD5
    a5ea0ad9260b1550a14cc58d2c39b03d
    SHA1
    f0aedf295071ed34ab8c6a7692223d22b6a19841
    SHA256
    f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
    SHA512
    7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

  • C:\Users\Admin\AppData\Local\Temp\i6.t
    Filesize
    3B
    MD5
    21438ef4b9ad4fc266b6129a2f60de29
    SHA1
    5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
    SHA256
    13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
    SHA512
    37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237