Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

FpsOptimiz...ik.exe

windows7-x64

10

FpsOptimiz...ik.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/12/2024, 12:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FpsOptimizer_ByKartavik.exe

  • Size

    93KB

  • MD5

    0db33230bc1e881b68a31799335b53d9

  • SHA1

    f9f8eb1b71192000916de686b76c253acd8df57d

  • SHA256

    175698d488c8b8ec03b4647a3e183be501424b2cf353ae1edb1cdc16b7f8cb3f

  • SHA512

    e66d40aaca03d9302df5cb1cd5ed13b63fde98fd5b063d32c84e222e1eebd3b96cfb107010bf0ea2d04466b190d2f0a248ce018528948531d78c7fb58d176f16

  • SSDEEP

    768:YY3HepD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3wFse:neLOx6baIa9RIj00ljEwzGi1dDODpgS

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FpsOptimizer_ByKartavik.exe
    "C:\Users\Admin\AppData\Local\Temp\FpsOptimizer_ByKartavik.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2720

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.tcp.eu.ngrok.io
    server.exe
    Remote address:
    8.8.8.8:53
    Request
    4.tcp.eu.ngrok.io
    IN A
    Response
    4.tcp.eu.ngrok.io
    IN A
    3.121.139.82
  • flag-us
    DNS
    82.139.121.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.139.121.3.in-addr.arpa
    IN PTR
    Response
    82.139.121.3.in-addr.arpa
    IN PTR
    ec2-3-121-139-82 eu-central-1compute amazonawscom
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    31.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 3.121.139.82:18952
    4.tcp.eu.ngrok.io
    server.exe
    3.2kB
     47.3kB
     50
    50
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    4.tcp.eu.ngrok.io
    dns
    server.exe
    63 B
     79 B
     1
    1

    DNS Request

    4.tcp.eu.ngrok.io

    DNS Response

    3.121.139.82

  • 8.8.8.8:53
    82.139.121.3.in-addr.arpa
    dns
    71 B
     136 B
     1
    1

    DNS Request

    82.139.121.3.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    31.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    31.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    0db33230bc1e881b68a31799335b53d9

    SHA1

    f9f8eb1b71192000916de686b76c253acd8df57d

    SHA256

    175698d488c8b8ec03b4647a3e183be501424b2cf353ae1edb1cdc16b7f8cb3f

    SHA512

    e66d40aaca03d9302df5cb1cd5ed13b63fde98fd5b063d32c84e222e1eebd3b96cfb107010bf0ea2d04466b190d2f0a248ce018528948531d78c7fb58d176f16

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    c60feebd511c87b86dea130692995a0f

    SHA1

    d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

    SHA256

    632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

    SHA512

    bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

    Download Submit

  • memory/2024-14-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2024-15-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2024-50-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2024-52-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2024-51-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5004-0-0x0000000074CD2000-0x0000000074CD3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5004-1-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5004-2-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5004-13-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.