Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

SDL2.dll

windows7-x64

1

SDL2.dll

windows10-2004-x64

1

Vita3K.exe

windows7-x64

3

Vita3K.exe

windows10-2004-x64

8

discord_game_sdk.dll

windows7-x64

1

discord_game_sdk.dll

windows10-2004-x64

1

shaders-bu...su.vbs

windows7-x64

1

shaders-bu...su.vbs

windows10-2004-x64

1

update-vita3k.bat

windows7-x64

8

update-vita3k.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    01/09/2024, 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    update-vita3k.bat

  • Size

    2KB

  • MD5

    3835ec952c7985bf0768658aacb6123d

  • SHA1

    c86f211d67eb44dbed940746289f7a50a6396c8a

  • SHA256

    8329ef6dcb8d266a0cbb722bdccdf582a59ef4fa034cf1617a8b44c6c66247a6

  • SHA512

    9b11c5c0cea3644346680aecb581fcd5520c52713d66863cb249e8a2971c9c0997c45461e63b8490342b2faf332b7d2c397f0821e201bab45edd6f01801f738c

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\update-vita3k.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      2⤵
      • Delays execution with timeout.exe
      PID:2440
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell "((Invoke-RestMethod https://api.github.com/repos/Vita3K/Vita3K/releases/latest -timeout 2).body.Split("\"`n"\") | Select-String -Pattern 'Vita3K Build:') -replace 'Vita3K Build: '"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "((Invoke-RestMethod https://api.github.com/repos/Vita3K/Vita3K/releases/latest -timeout 2).body.Split("\"`n"\") | Select-String -Pattern 'Vita3K Build:') -replace 'Vita3K Build: '"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell "((Get-Item Vita3K.exe).VersionInfo.FileVersion) -replace '0.2.0.'"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "((Get-Item Vita3K.exe).VersionInfo.FileVersion) -replace '0.2.0.'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Invoke-WebRequest https://github.com/Vita3K/Vita3K/releases/download/continuous/windows-latest.zip -OutFile vita3k-latest.zip"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM Vita3K.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    1b0f9391faa12a5654723abed0800c35

    SHA1

    ecf3a11fee318f2030026974bf2e370c63fd43fc

    SHA256

    fd7b0ed785fe0052b0684eb4c817f17745151ad59f1072cfa070c52700242e97

    SHA512

    bf8f0a77e0612130b0acfdf6b62b302ac96327d9a6db2d6c389f4f595e640f847cf9ee0d9fe6cd85a2d1772a7bf2ee851312cce07fd41481cdee3bab175fccfe

    Download Submit

  • memory/2172-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-6-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2172-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2172-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2172-7-0x0000000001D80000-0x0000000001D88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2172-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2172-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2172-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2172-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-18-0x000000001B520000-0x000000001B802000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2840-19-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download