Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12/09/2024, 12:01
General
-
Target
Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe
-
Size
4.1MB
-
MD5
9d0c5936d9ceeec933ffd2c1db6c9f01
-
SHA1
45d4b313aa04723b0ec1dd430345e526ce6b53e9
-
SHA256
bc7427f7b53f7a399f6215537fe97cacc1b76eefb6817faf0954a4d4352facc9
-
SHA512
ecd887b9fdeb42c4f6c09fd6affc34f8c68d891de91b8e75cefd18e82aac61ad68d132ce89abd07ac1f82771fab840fe78b85168a1f88bfad7a217d49caa7df4
-
SSDEEP
98304:00wy+TFo2/dmj89hjQ1DLNZuvUpayPFrQ5qTaSLYgQV:7kTFXdRhkNNZuv2dFPaOLQV
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 44 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe"C:\Users\Admin\AppData\Local\Temp\Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETAFE7.tmp\Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETAFE7.tmp\Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETAFE7.tmp\extracted\Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe"C:\Users\Admin\AppData\Local\Temp\cetrainers\CETAFE7.tmp\extracted\Total War Attila V1.00 Build 4514 Trainer +17 MrAntiFun.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETAFE7.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start http://mrantifun.net4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mrantifun.net/5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffad5f246f8,0x7ffad5f24708,0x7ffad5f247186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14168424568757270895,841170013153127640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5888 /prefetch:26⤵
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
192B
MD59fda860518161edda2fa011e1be452bd
SHA13ac3706f98c38742d0582dc3529672a9530c11c6
SHA256fcee4b9a8ad078f0c98c80a25b522fad3c3f564a9e82963cd223f2a004946a8b
SHA51251f79194523747c5736e436a39b9093c92bbbb9a498fcf72d7a2c8bd48cd8b4e8794461b98441042da38e1b85e8e59334c6d14a2c8f47d58c02baa0101b0b980
-
Filesize
668B
MD5d045a3c3c51b399a76f9647dbb6f13e1
SHA1ea576b55a06b57676fb166def3d95683f56f9f70
SHA256e0b06b8646a88fa8e046d986e10f37a591ebde9377058667ac76ec787b04b399
SHA512aa9a751f51caf1b15525e7306ca3dab281fe28a82ad969b5a8e8691633c45c01d14ac7a13584a506348c1d517a58c96b3c68fcfc7bc1074088903f9afd272cb5
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
6KB
MD598609176480cb35e1864facfec5784ad
SHA1b18bce34b26be0e1a0c51a159f268e074d21804e
SHA25649ce7c2812482afd35f0168bec0419d2bff148af027cff0f2e047fe5a9202b19
SHA512b1e68884375d37f5ac2f96f8b1b7850f2b2f5d3b21884a813de885332e30857225118e7c3578dd360ba889a61a09d739f87c7067561a40621071f53bebc960b6
-
Filesize
6KB
MD5b55c690ea129da85f960d59bf0d1e246
SHA1c335212612a2b16e538fef4e3f281526b9ca4f71
SHA256c0b30bfedf0a2f5d631015de267ef215437744318afd96a004808bb1c8343334
SHA512e51fd945c255fbb39dc97c05338e0513ceba62e3b8750d2b904c0583b0a9c3ae8b5c432d3278e9533b3dee3b33b69eb3a4cc6550485cbf6a3405e179f9986b21
-
Filesize
72B
MD5473ef40aa38cd860f7cd068e5f868be5
SHA1da89344ad53c783ff13a9a893b28901d03d3cb38
SHA25650182c65634b43b33afd7d6b83801014a09cf42bb1e4393d322cc7c86d379183
SHA5123792d6a9eb7f37c6872aa5986336bc5037f69aa3dea24bba3db07ed3b85d7d2fadcff86f5bbd4b9243eb6cc60255a057f4b5cdaea29918b6cd8615162cc303a1
-
Filesize
48B
MD5026e51fae63628d67af9967cf4d6b605
SHA14f9fc2dbf4a1ded9c00084a7ff134f5359e0bb7a
SHA25652f31db8fa8146d650d72314aafd90dec5b0fad1714ae4efb8f9757713702e96
SHA512d01b4e0f31414a5c213bee82f2a80dc916ec69a755d277292bef69fa05c35ccef6f3f93341d96d33c8f9af6ff778e397d308127eb7ae222cbce64805e26b3e00
-
Filesize
89B
MD56627ff8d0487ac0a5d80c93de3158713
SHA1b720c2fc0bdb6f00f2fe7511d3974b3f710db9d8
SHA256b7e657c3e5289620e1b1d77740932876dc349a7051e158c7844a6c522c0a289d
SHA5122d0e1c79aa17eb37251e0b86342d95e5064da18d7742324beb04fd29e27e5a9099609a77e657998ebb877ee200d2d7dc3a0ffac762616b3f10ce841eb6b8f04c
-
Filesize
83B
MD581fb009eb35167e232faf017339f320a
SHA1be2bfae0628d0b3bff95a7ad377d0e37937ff869
SHA2567a1043e1726514f13064b799302c7c4344feb444a2004c80d1b649990fd4175d
SHA51236a1c2239d81999e4c3cc43bca528b23ecd0b870ac5fa104cde9be4efc52525bb0e1455f74ceeeaade53ab4785cd1be9759136a8f551b807961ea126fab37e41
-
Filesize
72B
MD54920a8ca8549ca3db6b8a9c2165607f7
SHA1c8e212d18cb004972d1d01494834e8ab6b22ddc5
SHA2563aeb5d92763303d954f252deca8dff19958282c5b6e084329760449b7e7f6457
SHA5128ececaf1c210d7a28c07a8189ba1f7feff790cc4282be571b77bf17940866ad4a815c796fee6abcb43445a6eca77f0ec617602481d7a32f2ea269833d01aefc4
-
Filesize
48B
MD5087d0a0a441865fd4e081ccf06f72f1b
SHA170baaf30a0eef81405864a0448f322d4e7035b6c
SHA2566e841834db0e55093b30861d3fe5c281860362407b05e0c8d7b506bf748da62f
SHA51299744fed470b980c311f74a36dad0eb060da43a06eb71372a795ed698a8ea26f084263dd9ea26bab47f555ca0766c57063a553fd49a4796236b5ddc187297446
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD57b984c4339ed34ccfc3a10afb49f3401
SHA1bcdaf7131b0c5ab9c0e9d34a762c228431cc6c25
SHA25631d6e8a5722691b5f95638a167ff7e09bdcaabc8237d7c4c954ef5dfdad96d72
SHA512b01ae4a128b2cbb8f7cccba03f9d8461dffc510002aef96f786f5a09d6e34ac561709d521cfa78e9bd3e037714741d5b720236b52fa80d00c486fea3f2ec5958
-
Filesize
3.7MB
MD560a8a76dcf2a4230673551dc5d4a5009
SHA12b1fdc2db4c1a22be2612611d612d62418466356
SHA2565dc4a95dd0eb3c59e5f1d2eed14b5639a4bc5e86b4328146e993800496909469
SHA512e60c49af76d6e94f263df55923fc23345b2dc795a215439e9094963704c17c171deedce20200f411b0fdce0bcd94adc97a178e796444cfdf0e163a0cc1967496
-
Filesize
196KB
MD5808de473370ef6b5d98ab752f245a3ca
SHA1800bd4ad10c17471829693fac3cee4502b14f029
SHA25665cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39
SHA512fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c
-
Filesize
161KB
MD57f17312b57648f1c4957d8d80acca7d1
SHA19d940fd8f7bee1c23bcaaf709661e90649541132
SHA256442dc3b8b56efee2a952ce8cd31eb75ad21b0626115858541db4712d7a1da7d0
SHA512d5f10048b91b05715056600460b3a294ac29abd7da2c41d32a147d111e71f949ec21093302c0f312a78abde91947cbe1b982229dba7c8b2adb11cdda7d3e31bb
-
Filesize
7.4MB
MD57be0f90c526a7dcbe40c2b6d5db884cc
SHA1afaf6106f912f9ca8703fe8be2114c1d47121fdb
SHA256c53cd508cdf0c218876e6ff23ffa496d51bd7a231e5a64f86ca3af46b0402fbb
SHA512698011935a3e5a83dd69689c48b0414e85625d4b1e502517854d435e3af81e84aca1112232a0943c123e7a81d0d141781ce30612f64ec90ffc7d93c75d6f93e9
-
Filesize
5KB
MD5d8f9b4a10a48ebd8936255f6215c8a43
SHA17d8ff0012fa9d9dcf189c6df963f1c627f2ccb76
SHA256d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2
SHA51267db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a
-
Filesize
329KB
MD52730ff589ae86ef10d94952769f9404f
SHA18010834297a6aa488e6bf90eceaaf9e60bb60c6e
SHA256faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b
SHA5125fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0
-
Filesize
1.2MB
MD59139604740814e53298a5e8428ba29d7
SHA1c7bf8947e9276a311c4807ea4a57b504f95703c9
SHA256150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f
SHA5120b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d
-
Filesize
4KB