Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2022, 17:05
Behavioral task: behavioral1
- Sample: 0x0007000000022e19-164.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 0x0007000000022e19-164.exe
- Resource: win10v2004-20221111-en
General
- Target: 0x0007000000022e19-164.exe
- Size: 4.0MB
- MD5: adc8831a1ca720028db3120e7325f537
- SHA1: f2fd460cccfe764fbf623d0de8b9064d12c4235d
- SHA256: 3f8f82cc246266043b39729f99004dacc14ead06432e4c52198f967b0c84b7e9
- SHA512: 9e74b3ce63168e7e15ae57362f03641acfcbb86c2ef502a2e0834fff2dde8f7b6d16cdc860d1033d6279c3c3bc179168aedf0a8ca6e77233d953ee47c271216f
- SSDEEP: 49152:xANDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:x2zP88fBsnZTgOtqB3m1RC3
Malware Config
- Extracted: loaderbot
- URL: http://mrmax4td.beget.tech/cmd.php
Signatures

LoaderBot executable (1 IoC)
- resource: behavioral2/memory/2276-132-0x0000000000A80000-0x0000000000E7E000-memory.dmp, yara_rule: loaderbot

XMRig Miner payload (4 IoCs)
- resource: behavioral2/memory/4032-138-0x0000000140000000-0x0000000140B75000-memory.dmp, yara_rule: xmrig
- resource: behavioral2/memory/4032-139-0x0000000140000000-0x0000000140B75000-memory.dmp, yara_rule: xmrig
- resource: behavioral2/memory/3632-143-0x0000000140000000-0x0000000140B75000-memory.dmp, yara_rule: xmrig
- resource: behavioral2/memory/3632-145-0x0000000140000000-0x0000000140B75000-memory.dmp, yara_rule: xmrig

Executes dropped EXE (2 IoCs)
- pid 4032, Process: Driver.exe
- pid 3632, Process: Driver.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, Process: 0x0007000000022e19-164.exe

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url, Process: 0x0007000000022e19-164.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\0x0007000000022e19-164.exe", Process: 0x0007000000022e19-164.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
- pid 4592, Process: WerFault.exe, pid_target 4032, procid_target 83

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2276, Process: 0x0007000000022e19-164.exe (the same entry is repeated for all 64 IoCs)

Suspicious behavior: LoadsDriver (1 IoC)
- pid 640, Process: not Found

Suspicious behavior: RenamesItself (1 IoC)
- pid 2276, Process: 0x0007000000022e19-164.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, pid 2276, Process: 0x0007000000022e19-164.exe
- Token: SeLockMemoryPrivilege, pid 4032, Process: Driver.exe (2 entries)
- Token: SeLockMemoryPrivilege, pid 3632, Process: Driver.exe (2 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2276 wrote to memory of 4032, Process: 0x0007000000022e19-164.exe, procid_target 83 (2 entries)
- PID 2276 wrote to memory of 3632, Process: 0x0007000000022e19-164.exe, procid_target 88 (2 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\0x0007000000022e19-164.exe (PID: 2276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x0007000000022e19-164.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (PID: 4032)
    Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4Aqfi5yndcxjFRs1r3dfPjDZnPRfwGijhhYKjaz5NLbJRNwgHHYht1MV2coRC2npEY96NfaVRT4yNaA86TkTfBYzUKR1jyc -p x -k -v=0 --donate-level=0 -t 1
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\system32\WerFault.exe (PID: 4592)
      Command line: C:\Windows\system32\WerFault.exe -u -p 4032 -s 760
      - Program crash

  - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (PID: 3632)
    Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4Aqfi5yndcxjFRs1r3dfPjDZnPRfwGijhhYKjaz5NLbJRNwgHHYht1MV2coRC2npEY96NfaVRT4yNaA86TkTfBYzUKR1jyc -p x -k -v=0 --donate-level=0 -t 1
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\WerFault.exe (PID: 4720)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 4032 -ip 4032
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.9MB
- MD5: 02569a7a91a71133d4a1023bf32aa6f4
- SHA1: 0f16bcb3f3f085d3d3be912195558e9f9680d574
- SHA256: 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
- SHA512: 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322