Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2023, 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    5.6MB

  • MD5

    40253a5c2afc1bddfe2a9cb958b51a04

  • SHA1

    9fb0a04691588e6c6dd300b76bb21f635baadaad

  • SHA256

    345e2079dbfff1b00d5f13dc881b21383ab1d15e36739ac951df51dc0fa4f835

  • SHA512

    f2a5e867578de904e1fd5e1f52230ea4b812bbc5deff0ef9a036150809aa9d271b679f67d54ee240d98cc974884e5854cc66cd8e1013c24dcf0d701509d38b2b

  • SSDEEP

    98304:xTeyCFQywfwd3PquhdAl5a8Sgyr3XtM9jrU9ruoZ8D92JaXUz8+GCRbBxWQw:xqy+x5P5dK5HSgQX+9jrU1uoCB2JwSRI

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2848
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2680
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2644
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:1684
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:2820
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2836
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2872
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2760
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2556
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#icrgqru#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:1696
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:1752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2404
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\System32\sc.exe
            sc stop UsoSvc
            3⤵
            • Launches sc.exe
            PID:2032
          • C:\Windows\System32\sc.exe
            sc stop WaaSMedicSvc
            3⤵
            • Launches sc.exe
            PID:1096
          • C:\Windows\System32\sc.exe
            sc stop wuauserv
            3⤵
            • Launches sc.exe
            PID:2136
          • C:\Windows\System32\sc.exe
            sc stop bits
            3⤵
            • Launches sc.exe
            PID:1956
          • C:\Windows\System32\sc.exe
            sc stop dosvc
            3⤵
            • Launches sc.exe
            PID:1676
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:444
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1472
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2788
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#icrgqru#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:1908
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:1724
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {B1963E01-2112-4589-AB4D-51590E5D4C5D} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2852

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          5.6MB

          MD5

          40253a5c2afc1bddfe2a9cb958b51a04

          SHA1

          9fb0a04691588e6c6dd300b76bb21f635baadaad

          SHA256

          345e2079dbfff1b00d5f13dc881b21383ab1d15e36739ac951df51dc0fa4f835

          SHA512

          f2a5e867578de904e1fd5e1f52230ea4b812bbc5deff0ef9a036150809aa9d271b679f67d54ee240d98cc974884e5854cc66cd8e1013c24dcf0d701509d38b2b

          Download Submit

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          5.6MB

          MD5

          40253a5c2afc1bddfe2a9cb958b51a04

          SHA1

          9fb0a04691588e6c6dd300b76bb21f635baadaad

          SHA256

          345e2079dbfff1b00d5f13dc881b21383ab1d15e36739ac951df51dc0fa4f835

          SHA512

          f2a5e867578de904e1fd5e1f52230ea4b812bbc5deff0ef9a036150809aa9d271b679f67d54ee240d98cc974884e5854cc66cd8e1013c24dcf0d701509d38b2b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          87de92db150a43a2aa9ad7ae7bdedd50

          SHA1

          4cfb5e0145a1ce16a4692fc40bf94025ef33b919

          SHA256

          6d2c4e8fdbd6660e7dd9a62e205a5bf0883f7fa080912071016897e0942131f9

          SHA512

          cb8d7f0a0259d030a15710705d279854c2948ffff80a98c69ed6e57fbc84a39db17a4087becbe13db9e6ecfbc980771977820a7bee9f8d8c0974cc47f38a9927

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G0M7XD9C7E2ETLK5B0IV.temp
          Filesize

          7KB

          MD5

          87de92db150a43a2aa9ad7ae7bdedd50

          SHA1

          4cfb5e0145a1ce16a4692fc40bf94025ef33b919

          SHA256

          6d2c4e8fdbd6660e7dd9a62e205a5bf0883f7fa080912071016897e0942131f9

          SHA512

          cb8d7f0a0259d030a15710705d279854c2948ffff80a98c69ed6e57fbc84a39db17a4087becbe13db9e6ecfbc980771977820a7bee9f8d8c0974cc47f38a9927

          Download Submit

        • \Program Files\Google\Chrome\updater.exe
          Filesize

          5.6MB

          MD5

          40253a5c2afc1bddfe2a9cb958b51a04

          SHA1

          9fb0a04691588e6c6dd300b76bb21f635baadaad

          SHA256

          345e2079dbfff1b00d5f13dc881b21383ab1d15e36739ac951df51dc0fa4f835

          SHA512

          f2a5e867578de904e1fd5e1f52230ea4b812bbc5deff0ef9a036150809aa9d271b679f67d54ee240d98cc974884e5854cc66cd8e1013c24dcf0d701509d38b2b

          Download Submit

        • memory/1040-41-0x0000000001190000-0x0000000001210000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1040-42-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1040-45-0x0000000001190000-0x0000000001210000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1040-44-0x0000000001190000-0x0000000001210000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1040-43-0x0000000001190000-0x0000000001210000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1040-46-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1040-40-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1540-63-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-69-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-56-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-75-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-54-0x0000000000370000-0x0000000000390000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1540-53-0x00000000001B0000-0x00000000001D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1540-73-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-59-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-71-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-57-0x0000000000370000-0x0000000000390000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1540-61-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-65-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1540-67-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1724-60-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/1724-55-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2176-0-0x000000013F730000-0x000000013FCCC000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2176-28-0x000000013F730000-0x000000013FCCC000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2176-25-0x000000013F730000-0x000000013FCCC000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2404-35-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2404-39-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2404-38-0x0000000001290000-0x0000000001310000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2404-36-0x0000000001290000-0x0000000001310000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2404-37-0x0000000001290000-0x0000000001310000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2404-34-0x0000000001290000-0x0000000001310000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2404-33-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2652-20-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2652-26-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2652-18-0x000000001B020000-0x000000001B302000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2652-24-0x0000000001F30000-0x0000000001FB0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2652-23-0x0000000001F30000-0x0000000001FB0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2652-22-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2652-19-0x0000000002350000-0x0000000002358000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2652-21-0x0000000001F30000-0x0000000001FB0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2848-10-0x00000000026D0000-0x0000000002750000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2848-12-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2848-11-0x00000000026D0000-0x0000000002750000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2848-9-0x00000000026D0000-0x0000000002750000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2848-8-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2848-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2848-6-0x0000000002460000-0x0000000002468000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2848-5-0x000000001B1A0000-0x000000001B482000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2852-52-0x000000013FDE0000-0x000000014037C000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2852-32-0x000000013FDE0000-0x000000014037C000-memory.dmp

          Filesize

          5.6MB

          Download