Analysis
- max time kernel: 91s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/02/2023, 13:10

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
General
- Target: file.exe
- Size: 1.9MB
- MD5: d1949ae00330d3c0f7cc282d2f6952cc
- SHA1: f94a50cdd1aff1fe2f7f4135647df2a680ac3e79
- SHA256: 0f1f360e32236b3af68ae241d8604a202c3de6d93603163d2af21364263fceb7
- SHA512: 0f1499ee262e56c4771490fee60c4d76ba8625b6b5004ca73be437c6f17e5a358237c03fc78da07c6a7043ef52252f73cdadd4635c5eef38dbe5cc3fd36b2730
- SSDEEP: 24576:Nx2pKMUGjuNYmUeV5CMl307hOhkMIIj0VOyp2VmmBgbc2vLmmsanDJY++JyBBT9:Nx4U2mV6MV28m9vF2/2c29YjyBBx
Malware Config
Signatures
-
XMRig Miner payload (6 IoCs)
All six hits are memory dumps taken from PID 2832 (vbc.exe); the image is mapped at 0x140000000, the default x64 PE image base, which fits an unrelocated payload written into the hollowed compiler process.
resource / yara_rule:
- behavioral2/memory/2832-159-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
- behavioral2/memory/2832-160-0x0000000140343234-mapping.dmp  xmrig
- behavioral2/memory/2832-161-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
- behavioral2/memory/2832-162-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
- behavioral2/memory/2832-164-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
- behavioral2/memory/2832-166-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
.NET Reactor protector (1 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor. The hit is in the loader (PID 1960, file.exe), not in the miner.
resource / yara_rule:
- behavioral2/memory/1960-142-0x0000000000080000-0x000000000025E000-memory.dmp  net_reactor
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  (process: file.exe)
Uses the VBS compiler for execution (1 TTPs)
The binary involved is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (not a VBScript interpreter); the sample uses it as a host process for the miner (see Processes).

Suspicious use of SetThreadContext (1 IoCs)
- PID 1960 (file.exe) set thread context of PID 2832 (vbc.exe, procid_target 91)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; nothing else in this report points that way, and the payload actually observed is the XMRig miner.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3988 schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 1960 file.exe (3 events)
- PID 4836 powershell.exe (2 events)
Suspicious behavior: LoadsDriver (1 IoCs)
- PID 664 (process not found)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- SeDebugPrivilege: PID 1960 file.exe
- SeDebugPrivilege: PID 4836 powershell.exe
- SeLockMemoryPrivilege: PID 2832 vbc.exe
- SeLockMemoryPrivilege: PID 2832 vbc.exe
SeLockMemoryPrivilege is the privilege XMRig requests on Windows to back its RandomX memory with large pages; a compiler binary asking for it is consistent with the hollowed vbc.exe miner below.
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 2832 vbc.exe
Suspicious use of WriteProcessMemory (20 IoCs)
- PID 1960 (file.exe) wrote to memory of PID 4836 (procid_target 79): 2 events
- PID 1960 (file.exe) wrote to memory of PID 1640 (procid_target 87): 2 events
- PID 1640 (cmd.exe) wrote to memory of PID 3988 (procid_target 89): 2 events
- PID 1960 (file.exe) wrote to memory of PID 2832 (procid_target 91): 14 events
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 1960, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4836, level 2, child of 1960)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    Adds a Microsoft Defender path exclusion for C:\ProgramData, the directory the scheduled task below points into.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe  (PID 1640, level 2, child of 1960)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" /tr "C:\ProgramData\Review\XORES.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  (PID 3988, level 3, child of 1640)
      command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" /tr "C:\ProgramData\Review\XORES.exe"
      Registers a task named "XORES" that runs C:\ProgramData\Review\XORES.exe every 5 minutes at the highest run level available to the creating user (/RL HIGHEST); /f silently overwrites any existing task of that name.
      - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  (PID 2832, level 2, child of 1960)
    command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
    The VB.NET compiler is started only as a host: file.exe writes into it 14 times and sets its thread context (see Signatures), and the memory later dumped from this PID matches the xmrig YARA rule. The arguments are XMRig's: pool xmr-eu1.nanopool.org:14433 over TLS, a Monero payout address, coin monero.
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
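The chain above (a Defender exclusion, a privileged scheduled task under C:\ProgramData, and XMRig arguments handed to vbc.exe) is what a responder would hunt for on other hosts. The following is an added example, not code from the tria.ge report or from any tool it names: a small Python detector that replays process-creation events reconstructed from the process tree and flags those three behaviours. The event fields (pid, ppid, image, cmdline), the rule names and the event list itself are assumptions constructed from this report; the pool and wallet patterns encode only the generic argument shape XMRig uses, not anything specific to this sample.

```python
"""Added example (not part of the tria.ge report): replay process-creation
events reconstructed from the report's process tree through three rules:

  1. a Microsoft Defender exclusion added with Add-MpPreference,
  2. a scheduled task created with /RL HIGHEST or with an action under a
     user-writable directory such as C:\\ProgramData,
  3. a .NET compiler binary (vbc.exe / csc.exe) started with XMRig-style
     arguments (-o pool:port, -u wallet), i.e. a hollowed host process.

The event fields and rule names are assumptions; they follow no log format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Windows command lines: split on whitespace, honour "..." and '...' quoting,
# and treat backslashes as path separators (shlex would eat them as escapes).
_TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")


def tokenize(cmdline: str) -> list[str]:
    return [a or b or c for a, b, c in _TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Mining pool "host:port" and Monero payout addresses (95-char standard or
# subaddress, 106-char integrated address; base58 without 0, O, I, l).
_POOL_RE = re.compile(r"^[\w.-]+:\d{2,5}$")
_XMR_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94,105}$")
_DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}


def check_defender_exclusion(ev: ProcEvent):
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return None
    # -ExclusionPath / -ExclusionProcess / -ExclusionExtension all blind Defender
    excl = [toks[i + 1] for i, t in enumerate(low)
            if t.startswith("-exclusion") and i + 1 < len(toks)]
    if not excl:
        return None
    return Finding("defender_exclusion_added", ev.pid, "exclusions=" + ", ".join(excl))


def check_schtasks_persistence(ev: ProcEvent):
    # Match schtasks.exe itself, not the cmd.exe wrapper, so a task is reported once.
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    # Map each /switch to the token after it (valueless switches such as /f pick
    # up the next switch, which is harmless for the lookups below).
    opts = {low[i]: toks[i + 1] for i, t in enumerate(low)
            if t.startswith("/") and i + 1 < len(toks)}
    action = opts.get("/tr", "")
    highest = opts.get("/rl", "").upper() == "HIGHEST"
    writable = action.lower().startswith(("c:\\programdata", "c:\\users\\"))
    if not (highest or writable):
        return None
    return Finding("scheduled_task_persistence", ev.pid,
                   f"task={opts.get('/tn')} action={action} rl={opts.get('/rl')} "
                   f"schedule={opts.get('/sc')}/{opts.get('/mo')}")


def check_miner_in_dotnet_compiler(ev: ProcEvent):
    if basename(ev.image) not in _DOTNET_COMPILERS:
        return None
    args = tokenize(ev.cmdline)[1:]  # drop argv[0]
    pool = wallet = None
    for i, t in enumerate(args[:-1]):
        if t in ("-o", "--url") and _POOL_RE.match(args[i + 1]):
            pool = args[i + 1]
        elif t in ("-u", "--user") and _XMR_ADDR_RE.match(args[i + 1]):
            wallet = args[i + 1]
    if not (pool and wallet):
        return None  # real compiles use /out:, @file.rsp, *.vb / *.cs arguments
    flags = [t for t in args if t.startswith("--")]
    return Finding("xmrig_in_dotnet_compiler", ev.pid,
                   f"parent={ev.ppid} pool={pool} wallet={wallet[:12]}... flags={flags}")


RULES = (check_defender_exclusion, check_schtasks_persistence, check_miner_in_dotnet_compiler)


def run(events: list[ProcEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed from the report's process tree: PIDs and command lines as shown there.
EVENTS = [
    ProcEvent(1960, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"'),
    ProcEvent(4836, 1960, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\ProgramData\''),
    ProcEvent(1640, 1960, "C:\\Windows\\System32\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 '
              '/RL HIGHEST /tn "XORES" /tr "C:\\ProgramData\\Review\\XORES.exe"'),
    ProcEvent(3988, 1640, "C:\\Windows\\system32\\schtasks.exe",
              'schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XORES" '
              '/tr "C:\\ProgramData\\Review\\XORES.exe"'),
    ProcEvent(2832, 1960, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe",
              "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe "
              "-o xmr-eu1.nanopool.org:14433 "
              "-u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 "
              "--tls --coin monero"),
]

if __name__ == "__main__":
    for f in run(EVENTS):
        print(f"{f.rule:<28} pid={f.pid} {f.detail}")
```

Running the block prints one finding per malicious process (4836, 3988, 2832) and nothing for the loader itself or for a benign vbc.exe compile; the schtasks rule fires on either the run level or the user-writable action path, so a task without /RL HIGHEST but pointing into C:\Users is still caught.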