Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
25/12/2023, 17:05
General
-
Target
3554553.exe
-
Size
4.5MB
-
MD5
25a1e0a4d436eea408e79a07f45ff684
-
SHA1
da6fbf78868b855451769fb1255f7c2cdef66ace
-
SHA256
8f4c3348423dbc5dadff663216b4b015109535a06e5a81fb7cb3993a90ff26c5
-
SHA512
f7d17b6ce23042d30d9f9bad91684e627b1f8f9bb79ec2c67c3b79791f5444a2fabdcccee48ef3335df3a262060a7300d32aa81a36a1e48fc4299b6668e91df5
-
SSDEEP
98304:pKF6T4Y6cTie8X081BO2hVvXMtld70frtH1EOq+kYc6EPGo7v4+uT:QFrdSiekO2XvXMtld7WkYc6EC+uT
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3554553.exe"C:\Users\Admin\AppData\Local\Temp\3554553.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\2121.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\115.exe"C:\Users\Admin\AppData\Roaming\115.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "Firefox"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "Firefox" binpath= "C:\ProgramData\Firefox.exe" start= "auto"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "Firefox"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\2311.exe2311 -p123 -dC:\Users\Admin\AppData\Roaming1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\conhost.execonhost.exe1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe1⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc1⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits1⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv1⤵
- Launches sc.exe
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart1⤵
- Drops file in Windows directory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc1⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc1⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Firefox.exeC:\ProgramData\Firefox.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
279KB
MD5912197612ba46f17e7e3848a01c4a39f
SHA1f8dfed89890be5310959bfbdc2e1bbe047c6e919
SHA256dbb12c4f28e52c76b8e031b9f0c39a9071d571eb12833490f4795da2d339d425
SHA5123fb6ca9bd771adb79b482a5b0b829f309d49e1606bcd3aca0117c41d6fded82fa6f96cc436f90c83b8dd49739be0b3d127d7dbf4225a75e9c0b9e0ab1668952b
-
Filesize
115KB
MD5d0590be13d5688c02f1a4b4afe657a38
SHA1a432c80c14d9e28ceda1f8c012bb969ff5528212
SHA25658501b4e4179fb8a92f03c8bbdef6326a4ce65eeb29c0c49f0e9910aa4dce91e
SHA5128d21008b954fe7037a5ca405d9ee6718083bf05138fa594c72ef3b3763c868f42a465d3b0004f794602bf24ab1a2e41353b742dc9d39099a08c554ac0c78c159
-
Filesize
560KB
MD53d95bf22f2bbd88b521ac9da54fb8ed4
SHA1dde19153dd722d107d5d5ccf307b60ae719765a4
SHA2561b0c400d6e43a5cb27a9f45a53b689d0eb294004d7e29015e4bd26efd9900da5
SHA512e69081726abcbd8a7f815a284f46ee07df41c14b0d387ce794e676c8c90f7ae748bae737a42e4950b83a0ceb6678bad9526f7377a9b328234fdda1d37c8dde35
-
Filesize
385KB
MD5991e240f6be98e108c60b6b7c9dcfaa4
SHA121b6c9fb5859e5ff6ea74f8e487c12d52da459d3
SHA25646fc1cbc54289a95092ee1615cf26ace004b9c901b3f41a8d3692f501122098e
SHA512cbe383171e537ddc0b5e060260866178f59229e02e038c198df48b35544f4c0cfd4c8329c2dd41a48f1f9cad7f84d38f847358520224bf3c60b0e7958f0adada
-
Filesize
17KB
MD50f407c8a9f87a5586077dc7e52ae9b3e
SHA17d309aa919f12f3cfcd4ef8b0a2cebefcef252d4
SHA256b51a1f6a1f10e63d7f49611e53a9e2736b718c638aa608322d4806390a4031cf
SHA512c62e102aee7f73eaa1b791ca27576f3180d122afb2ef4db67d449dacd1de78611f16bcb1ae66afa2128a10ff7d8b4e81eb8be401e3225bbad2f5af5d8283f39d
-
Filesize
22B
MD5124010ee831f1263a1bfff78fe7c5e1d
SHA1ab25a327d550aa8ac3b616d1cd9e91cf4a9179d0
SHA2569ffca63f74d789d6857d3b48855eb8cedbf37265739556983f519c75b4a2d903
SHA512ea99fdc3ca643e4d3dcd7c7ef17ad1fcb47463c8e123e0954b33ce8279d3b43e728635372c6fefc3b63b268df0268a2105503dd258d33002047beb6a9f4323eb
-
Filesize
30KB
MD549264fc9f0a313f8ab30242db7982dfc
SHA1751cdc15bd744d877cee41bfcd8445336a42efaa
SHA2564ae704e58cdcc8af203c463ff6acd2d4d492d016db9e951c4fbcf92b267d474f
SHA512c9de753f73f6be5628e57718262436e24a5d2b9ca9e2b07ba76ce1f1d97054a0c5bda501b1e8d14b00a8f383a751b7ccc8f1f8fcb1b1c36ccbccae6459bafdd2
-
Filesize
108KB
MD526404b10b96d1e94b5ed0fbbcfc42e47
SHA1ba81fc25578210d972e29c7c1db31af15ed70a86
SHA25646728de54c6ea31bfe74edb18c3b7e96bf734da8e83a0adf89396eef43ce4f8a
SHA512473a306453a5513aff20c9b3e8d3d5947bd5eecd130b719ff848647495fa2f3a00140cde2beed9a30e817c06a9387d375e1077ffe722ea71e0dcd230e66f258c
-
Filesize
199KB
MD5998ac0212b619e532d5d866877ed74e7
SHA1ee9bd63d886af34da379237bb98a77cfdd30abc3
SHA256b71d6bdf53d095d204e7e53d9f74f005b5226e420e2da5d7abadc05753814076
SHA512f0f37d78da86af5f1c183ef09ff76c083bcdcabe76ff6420b1a8ca158d4d1862e3d0ff0059e0e6ebc14394281518f05a1532f1beb3a41e21c5df3e412fae1070
-
Filesize
255KB
MD597ace791c5ae10a61454c25b0acb8d7d
SHA170f71950bec668f31313d7b56a1faa71be99618c
SHA2568e2544d48424c95cfb8cf375251b37f44e6fcd9f405e5e7d395578fdcb0bdf2b
SHA51208340daee594a59b4e0186e9494b6d15958dbe64553093c0094ec821b290e5f120cab678e96648cee76972c329f1d5c73a7d3d31026638a2c6e8baf129afcda1
-
Filesize
511KB
MD5b1e1f59681c15cb6e81adda76fd31437
SHA1904cc741cb7da6a716e6720aa3aae004c66c6a1e
SHA256c3c5670a90ff94cce5268b56266aa364d1d0e317d19231c3e9f30ce8ca282ebf
SHA512bb5149258c41d369c58a83b1a9b6d8b4fceb26385295bfa0204939522cad004afb1c613fea10575cc8e3c0285ca9bcf92c79d4a938e6ab7063a2477d56c37a6c
-
Filesize
503KB
MD5afa5f1752b721c97dd367dd88e0a037e
SHA140e2794c0a6ff0433f9ac30cbe9d02ea0fb1cc1c
SHA256cf1b9f3c56c5dfd0f41c5dc492aced8e0eaa20c865556c6698bbb94b7d79d8f7
SHA5126f2b29494a4ff17a4f48dee38a36a0841b4dbb171d636d1233f34c8165b41880be59dfed45f4738b8bb95d1071616463bad94cde4caefe8c2ef3047601a4d88d
-
Filesize
345KB
MD524c54350b178274c31089f90fbe206e2
SHA1c5d293e1d0d589dca4b0f46ecd10dd383b0a36b3
SHA256f38d187b1f8b67536aedc770a13d51181a35765d669fe19f527639044666b4d5
SHA51284f218feb86f0d404a6cf5513da5f9f069fad00133d9ddddf1b6cb96caad0d28d907811aac7a83db14a2b5375b2ffc24e4d6cc81d25534ec490aa86c634c2ccc
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB