Analysis
- max time kernel: 156s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2023, 03:07
Static task: static1
Behavioral task: behavioral1
Sample: c8d591bc16616887d87b715a8c1f2462.exe
Resource: win7-20231023-en
General
- Target: c8d591bc16616887d87b715a8c1f2462.exe
- Size: 11.3MB
- MD5: c8d591bc16616887d87b715a8c1f2462
- SHA1: 8f553bcf72d94acc6602400388c102fcad96f74e
- SHA256: 51c17131fdcf0dc213cb066024c72ef79ca0c33177c60f226b8c4ca447ff3214
- SHA512: f16a057737d2833ef12399f3850c0c4ea8230a3f945171a62e0b330bd22c5f34bbc520900d939aa77a8ed34982e7b4827eb26d4e78aeb162855782e06280f117
- SSDEEP: 196608:WJWQd/GQDd3JjPOVXRzPHGvhraFLCvU6CILodzD2hqIVFOM+JXBry+azIT:iWQdr5uX5PHG5EQnLk6hLedB5mI
Malware Config
Signatures
-
XMRig Miner payload 22 IoCs
Modifies Windows Firewall 1 TTPs 2 IoCs
pid   Process
3692  netsh.exe
4072  netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation
Process: c8d591bc16616887d87b715a8c1f2462.exe
Executes dropped EXE 2 IoCs
pid   Process
4500  TiWorker.exe
3440  shia hacker -rat.exe
Drops file in System32 directory 6 IoCs
description                   ioc                                       Process
File opened for modification  C:\Windows\SysWOW64\MicrosoftWindows.xml  c8d591bc16616887d87b715a8c1f2462.exe
File created                  C:\Windows\SysWOW64\TiWorker.exe          c8d591bc16616887d87b715a8c1f2462.exe
File opened for modification  C:\Windows\SysWOW64\TiWorker.exe          c8d591bc16616887d87b715a8c1f2462.exe
File created                  C:\Windows\SysWOW64\config.json           c8d591bc16616887d87b715a8c1f2462.exe
File opened for modification  C:\Windows\SysWOW64\config.json           c8d591bc16616887d87b715a8c1f2462.exe
File created                  C:\Windows\SysWOW64\MicrosoftWindows.xml  c8d591bc16616887d87b715a8c1f2462.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3620  schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
2800  c8d591bc16616887d87b715a8c1f2462.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  4500  TiWorker.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
3440  shia hacker -rat.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid   Process
3440  shia hacker -rat.exe
Suspicious use of WriteProcessMemory 34 IoCs
description                        pid   Process                               procid_target
PID 2800 wrote to memory of 2332   2800  c8d591bc16616887d87b715a8c1f2462.exe  87
PID 2800 wrote to memory of 2332   2800  c8d591bc16616887d87b715a8c1f2462.exe  87
PID 2332 wrote to memory of 4524   2332  cmd.exe                               89
PID 2332 wrote to memory of 4524   2332  cmd.exe                               89
PID 2332 wrote to memory of 3320   2332  cmd.exe                               91
PID 2332 wrote to memory of 3320   2332  cmd.exe                               91
PID 2800 wrote to memory of 648    2800  c8d591bc16616887d87b715a8c1f2462.exe  92
PID 2800 wrote to memory of 648    2800  c8d591bc16616887d87b715a8c1f2462.exe  92
PID 648 wrote to memory of 3664    648   cmd.exe                               94
PID 648 wrote to memory of 3664    648   cmd.exe                               94
PID 2800 wrote to memory of 3872   2800  c8d591bc16616887d87b715a8c1f2462.exe  96
PID 2800 wrote to memory of 3872   2800  c8d591bc16616887d87b715a8c1f2462.exe  96
PID 3872 wrote to memory of 3692   3872  cmd.exe                               98
PID 3872 wrote to memory of 3692   3872  cmd.exe                               98
PID 2800 wrote to memory of 3436   2800  c8d591bc16616887d87b715a8c1f2462.exe  101
PID 2800 wrote to memory of 3436   2800  c8d591bc16616887d87b715a8c1f2462.exe  101
PID 3436 wrote to memory of 4072   3436  cmd.exe                               103
PID 3436 wrote to memory of 4072   3436  cmd.exe                               103
PID 2800 wrote to memory of 4776   2800  c8d591bc16616887d87b715a8c1f2462.exe  104
PID 2800 wrote to memory of 4776   2800  c8d591bc16616887d87b715a8c1f2462.exe  104
PID 4776 wrote to memory of 3620   4776  cmd.exe                               106
PID 4776 wrote to memory of 3620   4776  cmd.exe                               106
PID 2800 wrote to memory of 2180   2800  c8d591bc16616887d87b715a8c1f2462.exe  107
PID 2800 wrote to memory of 2180   2800  c8d591bc16616887d87b715a8c1f2462.exe  107
PID 2180 wrote to memory of 2492   2180  cmd.exe                               109
PID 2180 wrote to memory of 2492   2180  cmd.exe                               109
PID 2180 wrote to memory of 1400   2180  cmd.exe                               110
PID 2180 wrote to memory of 1400   2180  cmd.exe                               110
PID 2800 wrote to memory of 4424   2800  c8d591bc16616887d87b715a8c1f2462.exe  113
PID 2800 wrote to memory of 4424   2800  c8d591bc16616887d87b715a8c1f2462.exe  113
PID 4424 wrote to memory of 4612   4424  cmd.exe                               115
PID 4424 wrote to memory of 4612   4424  cmd.exe                               115
PID 2800 wrote to memory of 3440   2800  c8d591bc16616887d87b715a8c1f2462.exe  118
PID 2800 wrote to memory of 3440   2800  c8d591bc16616887d87b715a8c1f2462.exe  118
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c8d591bc16616887d87b715a8c1f2462.exe
  "C:\Users\Admin\AppData\Local\Temp\c8d591bc16616887d87b715a8c1f2462.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2800
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
    - Suspicious use of WriteProcessMemory
    PID: 2332
    - C:\Windows\system32\schtasks.exe
      schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
      PID: 4524
    - C:\Windows\system32\schtasks.exe
      schtasks /End /TN "WindowsUpdate"
      PID: 3320
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
    - Suspicious use of WriteProcessMemory
    PID: 648
    - C:\Windows\system32\schtasks.exe
      schtasks /Delete /TN "WindowsUpdate" /F
      PID: 3664
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
    - Suspicious use of WriteProcessMemory
    PID: 3872
    - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
      - Modifies Windows Firewall
      PID: 3692
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
    - Suspicious use of WriteProcessMemory
    PID: 3436
    - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
      - Modifies Windows Firewall
      PID: 4072
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
    - Suspicious use of WriteProcessMemory
    PID: 4776
    - C:\Windows\system32\schtasks.exe
      schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
      - Creates scheduled task(s)
      PID: 3620
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
    - Suspicious use of WriteProcessMemory
    PID: 2180
    - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
      PID: 2492
    - C:\Windows\system32\schtasks.exe
      schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
      PID: 1400
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
    - Suspicious use of WriteProcessMemory
    PID: 4424
    - C:\Windows\system32\certutil.exe
      certutil –addstore –f root MicrosoftWindows.crt
      PID: 4612
  - C:\Users\Admin\AppData\Local\Temp\shia hacker -rat.exe
    "C:\Users\Admin\AppData\Local\Temp\shia hacker -rat.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3440
- C:\Windows\SysWOW64\TiWorker.exe
  C:\Windows\SysWOW64\TiWorker.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4500
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1bb617d3aab1dbe2ec2e4a90bf824846
  SHA1: bbe179f1bdc4466661da3638420e6ca862bd50ca
  SHA256: 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
  SHA512: ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52
- Filesize: 3.2MB
  MD5: ecede3c32ce83ff76ae584c938512c5a
  SHA1: 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
  SHA256: 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
  SHA512: 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d
- Filesize: 10.3MB
  MD5: 336aef70c7eb97d1e850cb8e6ba82c46
  SHA1: d3ebd9716609058d57f95e9306f76aefd758e31a
  SHA256: 2d749a132f6e73b2d26bc3ebe66fc3c1fe947baed2d2867a858d7b3b97a30d30
  SHA512: 1787375fb3800d4e610c7ac03e2ebb3f40ae25981a4cae3cd63269dd7c40827cc3af08cf108c2b5b130eaf9d1aae2249d2102a223a21a499230f241d8e815b5d
- Filesize: 4KB
  MD5: b1cbfcc7b7a5716a30b77f5dc5bb6135
  SHA1: 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
  SHA256: 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
  SHA512: d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7
- Filesize: 1011B
  MD5: 3da156f2d3307118a8e2c569be30bc87
  SHA1: 335678ca235af3736677bd8039e25a6c1ee5efca
  SHA256: f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
  SHA512: 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0