Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

1eb4eaaac1...c0.exe

windows7_x64

9

1eb4eaaac1...c0.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    139s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12/06/2022, 20:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0.exe

  • Size

    4.7MB

  • MD5

    f5479f77d2bee7461763a19bdeffac80

  • SHA1

    4d98de66484a9f1461d22bd51ddec7d0883022a4

  • SHA256

    1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0

  • SHA512

    3b9fa6393d32f793980e223c4351a3ea256cf93ad6aec43bdb90fed13a518e5cde54da507efac4b81c1e912cc8eb8cf666e1768c602dd069c71bff4f132675ef

Score
9/10
minerupx

Malware Config

Signatures

  • Detected Stratum cryptominer command 1 IoCs

    Looks to be attempting to contact Stratum mining pool.

    miner
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0.exe
    "C:\Users\Admin\AppData\Local\Temp\1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\rwM7nS.exe
      "C:\Windows\SysWOW64\rwM7nS.exe" 916 |||C:\Users\Admin\AppData\Local\Temp\1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0.exe|||
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\U30KcO.exe
        "C:\Windows\SysWOW64\U30KcO.exe" -a bcd -o stratum+tcp://abc.xsdong.com:9501 -u 14SUEcH7KpPB8emfB24xR754Car2bLZ5XQ.BCD -p x -i 12
        3⤵
        • Detected Stratum cryptominer command
        • Executes dropped EXE
        PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\U30KcO.exe
    Filesize

    4.4MB

    MD5

    db6b6d7a773d0608bdb6056b71ad6e5e

    SHA1

    59e0c3d36b97e3502b8fc8a34e55bc1531991e01

    SHA256

    04817972c9f3222804fb1b82ddfce0eb90e957e722a1dbacb655aa954f564940

    SHA512

    53a62ebf06de34ec182a5be733e91698a1c2ac8c006513e39a8921db0c52e88388fc416ffcbad76113296da3afbef7bc0addbe94e639a96f83ec0149518b22ae

    Download Submit

  • C:\Windows\SysWOW64\rwM7nS.exe
    Filesize

    4.7MB

    MD5

    f5479f77d2bee7461763a19bdeffac80

    SHA1

    4d98de66484a9f1461d22bd51ddec7d0883022a4

    SHA256

    1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0

    SHA512

    3b9fa6393d32f793980e223c4351a3ea256cf93ad6aec43bdb90fed13a518e5cde54da507efac4b81c1e912cc8eb8cf666e1768c602dd069c71bff4f132675ef

    Download Submit

  • C:\Windows\SysWOW64\rwM7nS.exe
    Filesize

    4.7MB

    MD5

    f5479f77d2bee7461763a19bdeffac80

    SHA1

    4d98de66484a9f1461d22bd51ddec7d0883022a4

    SHA256

    1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0

    SHA512

    3b9fa6393d32f793980e223c4351a3ea256cf93ad6aec43bdb90fed13a518e5cde54da507efac4b81c1e912cc8eb8cf666e1768c602dd069c71bff4f132675ef

    Download Submit

  • \Windows\SysWOW64\rwM7nS.exe
    Filesize

    4.7MB

    MD5

    f5479f77d2bee7461763a19bdeffac80

    SHA1

    4d98de66484a9f1461d22bd51ddec7d0883022a4

    SHA256

    1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0

    SHA512

    3b9fa6393d32f793980e223c4351a3ea256cf93ad6aec43bdb90fed13a518e5cde54da507efac4b81c1e912cc8eb8cf666e1768c602dd069c71bff4f132675ef

    Download Submit

  • \Windows\SysWOW64\rwM7nS.exe
    Filesize

    4.7MB

    MD5

    f5479f77d2bee7461763a19bdeffac80

    SHA1

    4d98de66484a9f1461d22bd51ddec7d0883022a4

    SHA256

    1eb4eaaac11a804bdbf36009b6a4fcca8331f4adbefd495c3afd2c1536eb13c0

    SHA512

    3b9fa6393d32f793980e223c4351a3ea256cf93ad6aec43bdb90fed13a518e5cde54da507efac4b81c1e912cc8eb8cf666e1768c602dd069c71bff4f132675ef

    Download Submit

  • memory/916-54-0x000007FEFC041000-0x000007FEFC043000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2004-63-0x0000000000400000-0x00000000018FF000-memory.dmp

    Filesize

    21.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.