Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/01/2024, 15:00

General

  • Target
    vaultFile11542278852936095360.exe
  • Size
    209KB
  • MD5
    2c728b8d169a71f995b2b06f70e1949c
  • SHA1
    566799671a67ade9ac1319ee9c9526798afd8aeb
  • SHA256
    fa679f8844ab283168f56247764b5e44cddd0aad6aea878fb213b80b54d51ce4
  • SHA512
    cc07d587e64982232570cb7b7fdc858a449cdb1fc268a0954d69d2a90b4fcf3e73d0c44706d9533d7d4e8d2ad977f06819459711b22604615039b181370af707
  • SSDEEP
    3072:p86dHxGNd5E9o7lOCET1NNAhTtaWmZzFfokt+F9EepWL2tI2b3UH8XAwKYEJ:plJ4Nwo7lOpT2hkWGzxU7pBwHSXEJ

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 2 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vaultFile11542278852936095360.exe
    "C:\Users\Admin\AppData\Local\Temp\vaultFile11542278852936095360.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /im xmrig.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4404
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC WEEKLY /D MON,TUE,WED,THU,FRI,SAT,SUN /TN "SYSTEM HEALTH1" /TR "C:\ProgramData\x64n\xmrig.exe" /ST 09:59
        3⤵
        • Creates scheduled task(s)
        PID:1140
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC WEEKLY /D MON,TUE,WED,THU,FRI,SAT,SUN /TN "SYSTEM HEALTH2" /TR "C:\ProgramData\x64n\xmrig.exe" /ST 12:59
        3⤵
        • Creates scheduled task(s)
        PID:4148
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC WEEKLY /D MON,TUE,WED,THU,FRI,SAT,SUN /TN "SYSTEM HEALTH3" /TR "C:\ProgramData\x64n\xmrig.exe" /ST 18:59
        3⤵
        • Creates scheduled task(s)
        PID:568
      • C:\ProgramData\x64n\xmrig.exe
        "C:\ProgramData\x64n\xmrig.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2256

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\winlog.vbs
    Filesize: 5KB
    MD5: 406ef562a1ed4e5ae5a3da786511e016
    SHA1: 8e440da9b8c0fa43e764854dfd84ac9e622fa82e
    SHA256: 25aac05954d8717268c556f0708c69b6df5279c46f44b05c03308333f8e57cf1
    SHA512: 2cf0ac454119d9ac24e9893796779ee476fe85b30b43d654dce1d7b8241d76431e6d22efd21a31fe6404762bc39cec7ad93549ac93cea225ef82a1d0da5a788e
  • C:\ProgramData\x64n\config.json
    Filesize: 499B
    MD5: c251d06f10c3f0817e72bc550fca6aff
    SHA1: cf8def7f3c672c37b9444866393249052d342871
    SHA256: 65de0b18a398e13d6c147de67ddd1ab558bb2a3d8778220e33f685e16b47c965
    SHA512: 88cfa3e350f6afb8c48381aa7b24ceb069a2a81016e11ef7cee588b766c101bf56ebd08b023b350ee448b16458a6d8b3fe69549146aeda8ac2f4194e7244b5e2
  • C:\ProgramData\x64n\xmrig.exe
    Filesize: 576KB
    MD5: 8f7e699ceed3fd1ae22b55edcf246596
    SHA1: 1a1b2a2a18651f0ae79b34a8707f8f6ece5cbe2b
    SHA256: 6fe91d487876165347db6c5bd084101d32704755325b3648099c7b4d02b315a2
    SHA512: 859e4ede427b20d76ee472575df7e076639f73aa9686aa71969b66b8eb4efc837c03a8d93351059a849b33c081372028a42be55a37360cb155bdce78e3301eec
  • C:\ProgramData\xmrig-2.3.1-gcc-win64.zip
    Filesize: 256KB
    MD5: 6ba688f68b6066a81ac9f0f26409bf80
    SHA1: 709cf2d33bb0fc3302bc3c53bacaf5a391da927d
    SHA256: 5e9f714e5273c69b70a7cf80bd299330ff725bb986823cf8797ab132f7d06bc3
    SHA512: 87d448463aba4589afb89137f0fc8715a261d74303c31f3f1be0d9aa53261e8cc2d3a09c4de8dbfe8cec70e2650b3d256df5864adc7f36ad38f0975bb527fb5f
  • memory/2256-64-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize: 612KB
  • memory/2256-65-0x0000000000400000-0x0000000000499000-memory.dmp
    Filesize: 612KB