Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22/08/2024, 17:23
Static task
- static1
Behavioral tasks
- behavioral1: sample Self-Activator_Gamekeys_biz/START_INTERFACE.exe, resource win7-20240708-en
- behavioral2: sample Self-Activator_Gamekeys_biz/START_INTERFACE.exe, resource win10v2004-20240802-en
- behavioral3: sample Self-Activator_Gamekeys_biz/vpn_pl.exe, resource win7-20240705-en
- behavioral4: sample Self-Activator_Gamekeys_biz/vpn_pl.exe, resource win10v2004-20240802-en
- behavioral5: sample Self-Activator_Gamekeys_biz/vpn_ru.exe, resource win7-20240704-en
- behavioral6: sample Self-Activator_Gamekeys_biz/vpn_ru.exe, resource win10v2004-20240802-en
General
- Target: Self-Activator_Gamekeys_biz/vpn_ru.exe
- Size: 31KB
- MD5: b37de4658a0b67ad1afae517f162e9a3
- SHA1: 91c9632c0605d1a929dc29d306154a7823c46eea
- SHA256: 94e9ab74c36245bbc9e6c606b0e02a0dfc3ef58fd0bffa9a786bb3791d820da1
- SHA512: d878422b12bfaf2e7b8b300a7dd90771b0782346b4d4caad49292e330d00f275e530591dafd55e43e5ca77e6d43e7c118767610bc6ecf75345922c90c448921e
- SSDEEP: 768:Kodef6PAs68pfZP04YsubvbtbKxHVCZRSLiDSFDh/aSk1v14:KodeiPfJxYfK86GmDh/a7
Signatures
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 1976, process PING.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 1976, process PING.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process      procid_target
  PID 2464 wrote to memory of 1788   2464  vpn_ru.exe   31
  PID 2464 wrote to memory of 1788   2464  vpn_ru.exe   31
  PID 2464 wrote to memory of 1788   2464  vpn_ru.exe   31
  PID 1788 wrote to memory of 808    1788  cmd.exe      32
  PID 1788 wrote to memory of 808    1788  cmd.exe      32
  PID 1788 wrote to memory of 808    1788  cmd.exe      32
  PID 1788 wrote to memory of 1976   1788  cmd.exe      33
  PID 1788 wrote to memory of 1976   1788  cmd.exe      33
  PID 1788 wrote to memory of 1976   1788  cmd.exe      33
Processes
- C:\Users\Admin\AppData\Local\Temp\Self-Activator_Gamekeys_biz\vpn_ru.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Self-Activator_Gamekeys_biz\vpn_ru.exe"
  PID: 2464
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\AD6F.tmp\vpn_ru.bat""
    PID: 1788
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rasdial.exe
      Command line: rasdial vpn-ru.overplay.co nothingname gamekeysbiz /phonebook:..\Self-Activator_Gamekeys_biz\rasphone.pbk
      PID: 808
    - C:\Windows\system32\PING.EXE
      Command line: ping -n 600 localhost
      PID: 1976
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 388B
  MD5: f341216a5d2c0f6a8eb623d9dc04a406
  SHA1: 8915e651b0069f8c0d51edc578086373ea2c9a74
  SHA256: 5f0635290a52c1573b9b00cdba3ae46e7967d2dcd2d853fb543b5499a5dce015
  SHA512: 05bc17364957dc9553198e88bb2f08f72e5a7685dd16b42a20fad9a96a8cd63a773701fa5e287efe5da3ca29e9b04089ea49065264e723754ad0bb6b87f18c21