Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 17:50

General

  • Target

    Sky Cheat Paid (v1.5).exe

  • Size

    1006KB

  • MD5

    201bf6483b763e6dd2c41dfdf3974df6

  • SHA1

    7ffef12acb1638daf0fdd94e373aa4e5efb03087

  • SHA256

    582032dd5303f2293ae37f1d1e9a49245ffbdbd0c750409e53b238adb4f1d16a

  • SHA512

    4db7160e6230c0117e8e0cf60f1c88cd02c6ead4753a326bb1b9de271e363ebc885c9d34b7a51b7ca19259549f8439b34ae7f9d58077c6c53d99b3cc6db837bc

  • SSDEEP

    24576:ZaSAZRDuaaqZhD0qQrSEDEag4mqnNuGKFxzCvO:ZWfkqcNuLELnQ/

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe
    "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im HTTPDebuggerUI.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 05
      2⤵
        PID:888
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:232
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im HTTPDebuggerSvc.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4184
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          3⤵
          • Launches sc.exe
          PID:3728
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4328
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:744
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4064
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1908
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2008
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4608
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3208
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          3⤵
          • Launches sc.exe
          PID:4840
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4416
        • C:\Windows\system32\taskkill.exe
          taskkill /IM HTTPDebuggerSvc.exe /F
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1808
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
        2⤵
          PID:3048
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4168
          • C:\Windows\system32\certutil.exe
            certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Sky Cheat Paid (v1.5).exe" MD5
            3⤵
              PID:2828
            • C:\Windows\system32\find.exe
              find /i /v "md5"
              3⤵
                PID:3456
              • C:\Windows\system32\find.exe
                find /i /v "certutil"
                3⤵
                  PID:2192
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                2⤵
                  PID:4404
                  • C:\Windows\system32\taskkill.exe
                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1452
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                  2⤵
                    PID:4920
                    • C:\Windows\system32\taskkill.exe
                      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2780
                  • C:\Windows\SYSTEM32\cmd.exe
                    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                    2⤵
                      PID:1968
                      • C:\Windows\system32\taskkill.exe
                        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                        3⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:904
                    • C:\Windows\SYSTEM32\cmd.exe
                      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                      2⤵
                        PID:4444
                        • C:\Windows\system32\sc.exe
                          sc stop HTTPDebuggerPro
                          3⤵
                          • Launches sc.exe
                          PID:2880
                      • C:\Windows\SYSTEM32\cmd.exe
                        cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                        2⤵
                          PID:1240
                          • C:\Windows\system32\taskkill.exe
                            taskkill /IM HTTPDebuggerSvc.exe /F
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5084
                        • C:\Windows\SYSTEM32\cmd.exe
                          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                          2⤵
                            PID:2740
                          • C:\Windows\SYSTEM32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                            2⤵
                              PID:1692
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4196
                            • C:\Windows\SYSTEM32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                              2⤵
                                PID:3204
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4288
                              • C:\Windows\SYSTEM32\cmd.exe
                                cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                2⤵
                                  PID:5024
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2368
                                • C:\Windows\SYSTEM32\cmd.exe
                                  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                  2⤵
                                    PID:2792
                                    • C:\Windows\system32\sc.exe
                                      sc stop HTTPDebuggerPro
                                      3⤵
                                      • Launches sc.exe
                                      PID:3180
                                  • C:\Windows\SYSTEM32\cmd.exe
                                    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                    2⤵
                                      PID:3632
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /IM HTTPDebuggerSvc.exe /F
                                        3⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3976
                                    • C:\Windows\SYSTEM32\cmd.exe
                                      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                      2⤵
                                        PID:756
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cls
                                        2⤵
                                          PID:3864
                                        • C:\Windows\SYSTEM32\cmd.exe
                                          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                          2⤵
                                            PID:4384
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                              3⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4176
                                          • C:\Windows\SYSTEM32\cmd.exe
                                            cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                            2⤵
                                              PID:4680
                                              • C:\Windows\system32\taskkill.exe
                                                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                3⤵
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4256
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                              2⤵
                                                PID:3612
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                  3⤵
                                                  • Kills process with taskkill
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1792
                                              • C:\Windows\SYSTEM32\cmd.exe
                                                cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                2⤵
                                                  PID:2500
                                                  • C:\Windows\system32\sc.exe
                                                    sc stop HTTPDebuggerPro
                                                    3⤵
                                                    • Launches sc.exe
                                                    PID:1628
                                                • C:\Windows\SYSTEM32\cmd.exe
                                                  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                  2⤵
                                                    PID:1908
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /IM HTTPDebuggerSvc.exe /F
                                                      3⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3036
                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                    cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                    2⤵
                                                      PID:4992
                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                      2⤵
                                                        PID:3244
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                          3⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3160
                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                        cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                        2⤵
                                                          PID:4980
                                                          • C:\Windows\system32\taskkill.exe
                                                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                            3⤵
                                                            • Kills process with taskkill
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:984
                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                          2⤵
                                                            PID:4300
                                                            • C:\Windows\system32\taskkill.exe
                                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                              3⤵
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2304
                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                            cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                            2⤵
                                                              PID:3468
                                                              • C:\Windows\system32\sc.exe
                                                                sc stop HTTPDebuggerPro
                                                                3⤵
                                                                • Launches sc.exe
                                                                PID:4976
                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                              cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                              2⤵
                                                                PID:940
                                                                • C:\Windows\system32\taskkill.exe
                                                                  taskkill /IM HTTPDebuggerSvc.exe /F
                                                                  3⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1400
                                                              • C:\Windows\SYSTEM32\cmd.exe
                                                                cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                2⤵
                                                                  PID:864
                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                  2⤵
                                                                    PID:3188
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                      3⤵
                                                                      • Kills process with taskkill
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4588
                                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                                    cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                    2⤵
                                                                      PID:2708
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                        3⤵
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1072
                                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                                      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                      2⤵
                                                                        PID:5028
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                          3⤵
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:5096
                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                        cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                        2⤵
                                                                          PID:2160
                                                                          • C:\Windows\system32\sc.exe
                                                                            sc stop HTTPDebuggerPro
                                                                            3⤵
                                                                            • Launches sc.exe
                                                                            PID:3808
                                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                                          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                          2⤵
                                                                            PID:2900
                                                                            • C:\Windows\system32\taskkill.exe
                                                                              taskkill /IM HTTPDebuggerSvc.exe /F
                                                                              3⤵
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4404
                                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                                            cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                            2⤵
                                                                              PID:2780

                                                                          Network

                                                                          MITRE ATT&CK Enterprise v15

                                                                          Replay Monitor

                                                                          Loading Replay Monitor...

                                                                          Downloads