Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

4

Static

static

3

mins.exe

windows10-1703-x64

4

Resubmissions

31/08/2023, 11:17

230831-nd2qlaed2w 4

31/08/2023, 10:59

230831-m3s93sef78 7

Analysis

  • max time kernel
    38s
  • max time network
    130s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/08/2023, 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mins.exe

  • Size

    962KB

  • MD5

    d0fdcafe227693a18f52fecb4db174a6

  • SHA1

    b2087f372e9cc7466d37406ab35bd5f3f83c68d3

  • SHA256

    42a5b1d974f030bc2868a3a2f2cf4dad5443d3e85a18919088429abc1bb9b0ca

  • SHA512

    def0da3fbfcc6674f80a098ad840c8557a6d7f2650f2b1f782f6d330f1b7d84c6410a8048a7c55471890865548339b712c97f219e2ad8d4a5768ee133d772572

  • SSDEEP

    12288:dGGyqIuubhT0IE+n4Oo5RwIAv7J2J1mxR0Zu4TE39vI9geB:duqIuuJdVumIAv7EJIxRjJVI9geB

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mins.exe
    "C:\Users\Admin\AppData\Local\Temp\mins.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3244
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1368
      • C:\ProgramData\Includers\DNDWMYRI.exe
        "C:\ProgramData\Includers\DNDWMYRI.exe"
        3⤵
          PID:4752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            4⤵
              PID:3076
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
              4⤵
                PID:4664
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4884
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:1892
          • C:\Users\Admin\Desktop\mins.exe
            "C:\Users\Admin\Desktop\mins.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4412
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2940
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5044
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
              2⤵
                PID:4844
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
                  3⤵
                  • Creates scheduled task(s)
                  PID:4420

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Includers\DNDWMYRI.exe
              Filesize

              592.0MB

              MD5

              15db03f4cc6bb7aaf0c4e95c573018ed

              SHA1

              ec5bc3bbd16d7d6fd0c9b9d311b9da31682257fb

              SHA256

              c954a69d0c30816a1e0dd968402f99379ea8d88cae2a7b83356379145ef08185

              SHA512

              03c8083232b905a297792dbec8e51806f1ef28c121e565e50f150d6d197c2f60c81925c93276ebef915e4c4162ff4faa4acf762c28cca17bd20ad278ca863f5e

              Download Submit

            • C:\ProgramData\Includers\DNDWMYRI.exe
              Filesize

              594.9MB

              MD5

              808a945de91e1e4bf85da533506b9ed8

              SHA1

              c6bfc29ca159613573369c6f2b2e2073a15eea6d

              SHA256

              cacf8a651049c120aa0ab1def65dc27388987126aeca70077bac312d3290227c

              SHA512

              43dbc7e7b03d4f837f7bc36030fb13c2065a6e5e732da2f1828cb358c728d518b3e309e6d8999784484df4ee98e4ce8bc9a9077211ca821f842fd0d7464a8bc8

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mins.exe.log
              Filesize

              660B

              MD5

              6f8201778bb230fb0ac7c8b78a134a12

              SHA1

              06570db78997747dd80e558a483d29af167f43c5

              SHA256

              984fcdb20fcd38e921511def1e720e36c7a20887010f4f5035b0a6b24c75148f

              SHA512

              86ebbb74d94c382073f4481bb3a4c0747b801753adba15ee36c97dc8b09827e7a29b46209b559c1ab4fa836fbbe6a90b0339e97ed9d5d4856179604e380f2254

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              ad5cd538ca58cb28ede39c108acb5785

              SHA1

              1ae910026f3dbe90ed025e9e96ead2b5399be877

              SHA256

              c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

              SHA512

              c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              a4534eac0fd6c0bd9cf272cb21a6a4f7

              SHA1

              d729648900793970646b9bbfccb909be2fb78da3

              SHA256

              46c007cdf3b3f1d0ef2907bcacc081e510f9534a57f6a7f2309de30c5a6879a4

              SHA512

              ce232bb13a0dd287e4e1ea747e107c0bb79dc748d8960eb680ca946277fc55d798b1ec76cd9558a2ddeb53700b577777b15f852186416e333d374a1939968873

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              a4534eac0fd6c0bd9cf272cb21a6a4f7

              SHA1

              d729648900793970646b9bbfccb909be2fb78da3

              SHA256

              46c007cdf3b3f1d0ef2907bcacc081e510f9534a57f6a7f2309de30c5a6879a4

              SHA512

              ce232bb13a0dd287e4e1ea747e107c0bb79dc748d8960eb680ca946277fc55d798b1ec76cd9558a2ddeb53700b577777b15f852186416e333d374a1939968873

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              6f0c9a9fb96f670f38b1c6d3d61c926e

              SHA1

              bd27deda8fdea9829ef839a0c46d1037c87d94b0

              SHA256

              cf288142496e662bfda3ccc0c1b980ddd793906064d6a007b1c37f0e802d74c6

              SHA512

              5fb89135305b11e38582342e829ace61a53ba32c77b5d04aff8861a6d85044ac70c176cc471c36a3315b1f6e8e36e2c677abcc2570ba7f40e6e5701daf3a8bca

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              3def9e4c34a26233cc68f70a9bbd1fe9

              SHA1

              b91bac820df6a782dcbb1bca01c419ef2b592062

              SHA256

              eb409dd1b1f5f100ac37175600939cdfab874fbd12b9715b77395d349e172811

              SHA512

              f137917befddd6f798972169931228eb7cbb98625e39603ceb0695e487347a5b88ab0a7c38eb54b3ed6b33572c622ff690cda869ab998478cf9477d294b97ad3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              3def9e4c34a26233cc68f70a9bbd1fe9

              SHA1

              b91bac820df6a782dcbb1bca01c419ef2b592062

              SHA256

              eb409dd1b1f5f100ac37175600939cdfab874fbd12b9715b77395d349e172811

              SHA512

              f137917befddd6f798972169931228eb7cbb98625e39603ceb0695e487347a5b88ab0a7c38eb54b3ed6b33572c622ff690cda869ab998478cf9477d294b97ad3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcniosh3.uzu.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmpB.tmp.bat
              Filesize

              143B

              MD5

              33b9d07bb28a50e0cfd65fa61bc68e08

              SHA1

              e9559462266c87cfb92148553fd66659ab077a4f

              SHA256

              9c2195b1ea45aee248f64cd39381a3662ea18559f16883c74a96135be15d8f0f

              SHA512

              b856e1536e0d7c19dcffaf0a1021e88892591b730122211ff1cf26aceeb454fb8956795336ca1cefd47037b199e8e4d9bf9829d086b4f88324ad851c0a7119dc

              Download Submit

            • memory/1776-98-0x000001657B1B0000-0x000001657B1C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1776-109-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1776-48-0x000001657B1B0000-0x000001657B1C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1776-17-0x000001657B1B0000-0x000001657B1C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1776-99-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1776-11-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1776-16-0x000001657B1B0000-0x000001657B1C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1776-21-0x000001657B3C0000-0x000001657B436000-memory.dmp

              Filesize

              472KB

              Download

            • memory/2940-223-0x000001DA67FB0000-0x000001DA67FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2940-139-0x000001DA67FB0000-0x000001DA67FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2940-138-0x000001DA67FB0000-0x000001DA67FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2940-229-0x000001DA67FB0000-0x000001DA67FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2940-337-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2940-209-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2940-233-0x000001DA67FB0000-0x000001DA67FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2940-131-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2940-286-0x000001DA67FB0000-0x000001DA67FC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3076-341-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3076-203-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3076-280-0x000002142B090000-0x000002142B0A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3076-227-0x000002142B090000-0x000002142B0A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3076-326-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3076-333-0x000002142B090000-0x000002142B0A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3076-221-0x000002142B090000-0x000002142B0A0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3244-100-0x000001E47B8B0000-0x000001E47B8C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3244-97-0x000001E47B8B0000-0x000001E47B8C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3244-13-0x000001E47B8B0000-0x000001E47B8C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3244-14-0x000001E47B8B0000-0x000001E47B8C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3244-96-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3244-6-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3244-18-0x000001E47B9F0000-0x000001E47BA12000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3244-108-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3244-49-0x000001E47B8B0000-0x000001E47B8C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3636-79-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3636-123-0x00007FFDD6A60000-0x00007FFDD6B0E000-memory.dmp

              Filesize

              696KB

              Download

            • memory/3636-122-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3636-115-0x00007FFDD6A60000-0x00007FFDD6B0E000-memory.dmp

              Filesize

              696KB

              Download

            • memory/3636-91-0x000000001C3D0000-0x000000001C3E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3636-2-0x000000001C3D0000-0x000000001C3E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3636-0-0x0000000000670000-0x0000000000764000-memory.dmp

              Filesize

              976KB

              Download

            • memory/3636-1-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4412-183-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4412-126-0x0000000000B30000-0x0000000000B40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4412-125-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4412-197-0x0000000000B30000-0x0000000000B40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4664-219-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4664-283-0x0000013067630000-0x0000013067640000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4664-231-0x0000013067630000-0x0000013067640000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4664-342-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4664-225-0x0000013067630000-0x0000013067640000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4664-327-0x0000013067630000-0x0000013067640000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4752-163-0x0000000001400000-0x0000000001410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4752-190-0x00007FFDD6A60000-0x00007FFDD6B0E000-memory.dmp

              Filesize

              696KB

              Download

            • memory/4752-187-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4752-173-0x00007FFDD6A60000-0x00007FFDD6B0E000-memory.dmp

              Filesize

              696KB

              Download

            • memory/4752-149-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/5044-254-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/5044-247-0x0000013F98000000-0x0000013F98010000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5044-175-0x0000013F98000000-0x0000013F98010000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5044-241-0x0000013F98000000-0x0000013F98010000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5044-142-0x0000013F98000000-0x0000013F98010000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5044-141-0x0000013F98000000-0x0000013F98010000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5044-136-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/5044-214-0x00007FFDBB160000-0x00007FFDBBB4C000-memory.dmp

              Filesize

              9.9MB

              Download