Analysis
- max time kernel: 140s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/10/2024, 13:53
Static task: static1
Behavioral task: behavioral1
  Sample: gamebanned_2024_v1.zip
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: gamebanned_2024_v1/Hurtworld/HurtworldClient_Data/Managed/Assembly-CSharp.dll
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: gamebanned_2024_v1/Hurtworld/bking.dll
  Resource: win10v2004-20241007-en
General
- Target: gamebanned_2024_v1.zip
- Size: 1.0MB
- MD5: f2f76c61e29007097869ada2ad9812dd
- SHA1: 8921cead68fa88bbd30b58f28f79f081120bf1fd
- SHA256: 7ba8dd69197379fc2fba05be5f2f20ef9ca7749d6c1bdcd2ba9d5de6e7598a20
- SHA512: 8e1abc2204c6dc521129fec4f5f6c069e24b170223fb4f52b59dfa86604763e22daa297ad3be243b16c005a59722d82023b8d7aae763ee55eb7fb89d7036fac3
- SSDEEP: 12288:TN9ZojhZExKZ0bnS9nAwuTPlubMoY+8U6XklFSlZfbRKQwOHGqbCYZdMYS3ETJxM:LZ8jWbSvAoT8elF+dLGqbCYYYSSxtgt
Malware Config
Signatures
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | 7zFM.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.text | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\鰀䆟縀䆁\ = "text_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\open | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\鰀䆟縀䆁 | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\edit | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\edit\command | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.text\ = "text_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\text_auto_file\shell\open\command | OpenWith.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  2676 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1376 | 7zFM.exe
  1376 | 7zFM.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2028 | 7zFM.exe
  1376 | 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2028 | 7zFM.exe
  Token: 35 | 2028 | 7zFM.exe
  Token: SeSecurityPrivilege | 2028 | 7zFM.exe
  Token: SeRestorePrivilege | 1376 | 7zFM.exe
  Token: 35 | 1376 | 7zFM.exe
  Token: SeSecurityPrivilege | 1376 | 7zFM.exe
  Token: SeSecurityPrivilege | 1376 | 7zFM.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  pid | Process
  2028 | 7zFM.exe
  2028 | 7zFM.exe
  1376 | 7zFM.exe
  1376 | 7zFM.exe
  1376 | 7zFM.exe
  1376 | 7zFM.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  4400 | OpenWith.exe (5 events)
  3384 | OpenWith.exe (9 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1376 wrote to memory of 2676 | 1376 | 7zFM.exe | 111
  PID 1376 wrote to memory of 2676 | 1376 | 7zFM.exe | 111
  PID 3384 wrote to memory of 4092 | 3384 | OpenWith.exe | 113
  PID 3384 wrote to memory of 4092 | 3384 | OpenWith.exe | 113
Processes
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\gamebanned_2024_v1.zip"
  PID: 2028
  Signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3980
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4400
  Signatures:
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\gamebanned_2024_v1\Hurtworld\bking"
  PID: 1376
  Signatures:
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO065FFB78\version.txt
    PID: 2676
    Signatures:
    - Opens file in notepad (likely ransom note)
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3384
  Signatures:
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO06506C88\.text
    PID: 4092
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 159KB
  MD5: 7da6fccac94d51c3c6cd1dc9f9374cc1
  SHA1: 464c509231b5614ddbb46e70dc0f3d9980623e48
  SHA256: 4545eb7cba34da1ad8d0216a82719f9165d2a01051a5de4cce8ab04651163201
  SHA512: b58f124b0363317dfbc2fef28953a7cbc1c434158816a901ee6984538d2a19a099b81a2da89ff490e9a4c1c1f81f7ae1715026eb048d5726d105fb8ec6c8e776
- Filesize: 1KB
  MD5: 2b0b45af2b7b5567bf690dfa3b24fd19
  SHA1: 9a77af072c625b602786603070aba012f1feb2b9
  SHA256: 30cfcbebd15c2cb75cb7085fd00a770d048943fa9b8fad89338eda7cc3a95f08
  SHA512: 03409f27de3f0fc9d5152d59789292225d9dfcc899fdd26259899870d9f1a0f3ae43394d98b7037d6144292451802355c11a1589af05291c4034e343a64073b2
- Filesize: 161KB
  MD5: d4b00a911426084f614dfaeef71827f4
  SHA1: 69dc34efa9651221422bb367881e01073cf1a869
  SHA256: 449534a580989e797da5fced3a6a7f4c6981a2199b024b80e2136e8a8e2e97e1
  SHA512: b69e76d0c9d2e740301f1a3c23529534f74ff062430e1191854a0bfdd5cf8eb7550f06887d5e62a6214fe47342149e168a1a2e095788f25e30ab122ae4ef0362