Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b3c2ab438c...18.exe

windows7-x64

7

b3c2ab438c...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...er.exe

windows7-x64

3

$PLUGINSDI...er.exe

windows10-2004-x64

3

$PLUGINSDI...ar.exe

windows7-x64

3

$PLUGINSDI...ar.exe

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ne.exe

windows7-x64

7

$PLUGINSDI...ne.exe

windows10-2004-x64

7

AdminWorker.exe

windows7-x64

3

AdminWorker.exe

windows10-2004-x64

3

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

WebInstaller.exe

windows7-x64

6

WebInstaller.exe

windows10-2004-x64

6

WebUpdater.exe

windows7-x64

3

WebUpdater.exe

windows10-2004-x64

3

content/iwa-ovr.js

windows7-x64

3

content/iwa-ovr.js

windows10-2004-x64

3

content/iwinarcade.js

windows7-x64

3

content/iwinarcade.js

windows10-2004-x64

3

content/un...l.html

windows7-x64

3

content/un...l.html

windows10-2004-x64

3

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uninstall.exe

  • Size

    129KB

  • MD5

    49c9d6cadd02bfff54851d0b0cafd557

  • SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

  • SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

  • SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

  • SSDEEP

    3072:w+8uyHOQXJoHS4Z5t2Zip6dmDHgG2ojdotyVnwz:w8+/4fQsp6dAT2ojdoIBwz

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2688
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2192
      • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3048
      • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2096
      • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2656
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1848
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2244
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2272
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" KillProcess iWinGames.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1780
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {ECBB2FD9-3B2F-4A6B-9A15-9C7477705316} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
      C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iWinGames\AdminWorker.log
    Filesize

    4KB

    MD5

    bb7ed86fc243e98d945d2ff2e66a88e0

    SHA1

    de9697578bf7ab47c5b175cc4ba3c664e975de9f

    SHA256

    b4f2db172432dd1853db60dc8169d1c4fa601968e2fe66e744813ccaa7d0a21c

    SHA512

    e8222b69e1350c4736f969c7c6de233cc6f8e48e5c43723761eb1dba853188447e0e91203e27b9f242113ffe1470ad7e904a979c1cf3187789175d7f28129b67

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj6AA6.tmp\GameuxInstallHelper.dll
    Filesize

    94KB

    MD5

    4d3ac88054df63fc810427bdaa96c458

    SHA1

    e4d554e03ba91f6b53a2a80253b339f56e303c94

    SHA256

    b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

    SHA512

    d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj6AA6.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    129KB

    MD5

    49c9d6cadd02bfff54851d0b0cafd557

    SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

    SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

    SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

    Download Submit

  • memory/2272-12-0x00000000741B0000-0x00000000742AA000-memory.dmp

    Filesize

    1000KB

    Download