Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

c93b7adbca...16.exe

windows7-x64

10

c93b7adbca...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2024, 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c93b7adbca782227238b433836fce87fc21927d590dda5401fd0b8fd2b9a8816.exe

  • Size

    5.1MB

  • MD5

    80d925050159e9a4db249e9b5242629a

  • SHA1

    710322120a60664f35a98a902f8a8d4977039b95

  • SHA256

    c93b7adbca782227238b433836fce87fc21927d590dda5401fd0b8fd2b9a8816

  • SHA512

    337167fc67bf2d9d001e8e03b2cfdc3e278c6176daf9d3474bf9bf58e315f25227e2c4ad42c9bad6224e258b672df6c6122cf8a883ee37dd3f1801b12f641419

  • SSDEEP

    98304:xRjPz9KDzUU8O5/B/LJ25E9SVh86sS3TRknQ3ss2MApp9meypA3cPDu7:xFKoU8O5/b2XViSjX310SeyGc7u7

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • UPX dump on OEP (original entry point) 13 IoCs
  • XMRig Miner payload 9 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c93b7adbca782227238b433836fce87fc21927d590dda5401fd0b8fd2b9a8816.exe
    "C:\Users\Admin\AppData\Local\Temp\c93b7adbca782227238b433836fce87fc21927d590dda5401fd0b8fd2b9a8816.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2096
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:2500
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:2768
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:2544
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:2420
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:2408
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:2432
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2448
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2460
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "JIOGRCSG"
      2⤵
      • Launches sc.exe
      PID:2972
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "JIOGRCSG" binpath= "C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:1624
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2472
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "JIOGRCSG"
      2⤵
      • Launches sc.exe
      PID:2560
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c93b7adbca782227238b433836fce87fc21927d590dda5401fd0b8fd2b9a8816.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2724
    • C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
      C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
          • Drops file in Windows directory
          PID:2564
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        2⤵
        • Launches sc.exe
        PID:1596
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        2⤵
        • Launches sc.exe
        PID:868
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        2⤵
        • Launches sc.exe
        PID:2308
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        2⤵
        • Launches sc.exe
        PID:2036
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        2⤵
        • Launches sc.exe
        PID:2864
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
      • C:\Windows\system32\conhost.exe
        C:\Windows\system32\conhost.exe
        2⤵
          PID:2056
        • C:\Windows\system32\nslookup.exe
          nslookup.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2072

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
        Filesize

        829KB

        MD5

        17bf5cec8497597a882d27a8c68ce1d6

        SHA1

        4396f7f7fcdbdb6c51289dc3824c8c46f324e376

        SHA256

        15cbd6cc7eada84c6b7488611a638bad4d46ad1d66955df2d7e8b6b2618b5f86

        SHA512

        c1aef448cb92cb0a918fc0198018910c77880d78f8e66efd81f3e82934357b67ccd3d70b55624d05e43b7f678cb6c6cc5e6aea3f139cbdc22b17237f37eb6825

        Download Submit

      • C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
        Filesize

        320KB

        MD5

        b1ad48d0d3193164bfdec84193d45a26

        SHA1

        9806df4a6afc8d3092de6314edec9b114717ccf5

        SHA256

        207645738a5c83959134be471e858eb05938f22da97e9c661d1d113e3cd4e800

        SHA512

        3a3916671105888d3b9bc76a5e014a5214306ff2e1c1d070702e895040127fc229bcc3838b8fa5bd79efad405342f2495afbbdbf5daf34383b6382138d4985fe

        Download Submit

      • \ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
        Filesize

        757KB

        MD5

        bebfc6d366c1309e73ffd36a4ae8c0a9

        SHA1

        b2ef35e29c802502fe6178044f3b4d87dc6473e2

        SHA256

        99cd31279935bb2380afecfb2df60fc861bb04250daa18f0e10d54d9294fcaea

        SHA512

        b8e8a5b54495f1c985d9e693e27624407ad27ef930606a6233e480c51194cb0403b0b3fa0bb6a0dd7c2f760afea3032576fb3758fc9c9e53c91444b09489e6cc

        Download Submit

      • \ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
        Filesize

        673KB

        MD5

        e0d866604a525de2aa62461fa9126c30

        SHA1

        8661c92c1058cb69f86cf97c0d257fab8c449faa

        SHA256

        87190747f7ea316c59b16aa3aec343ca65dbd043ff595aa32159ebd7cbb2c744

        SHA512

        3c59e7670f8e88c4a63454b7820efdf9352c68a72b73ce26cec85e64db7d09c17bad5423ce90eca11769701e65e84e619ec12f3b778204a0a2ea5ae49e93b706

        Download Submit

      • memory/2056-25-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2056-26-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2056-27-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2056-28-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2056-29-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2056-31-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2072-44-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-45-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-52-0x0000000000860000-0x0000000000880000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2072-51-0x00000000002E0000-0x0000000000300000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2072-50-0x0000000000860000-0x0000000000880000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2072-47-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-49-0x00000000002E0000-0x0000000000300000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2072-48-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-46-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-35-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-43-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-34-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-36-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-38-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-39-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-40-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-41-0x00000000000B0000-0x00000000000D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2072-37-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2072-42-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

        Download

      • memory/2160-24-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2160-21-0x0000000000A40000-0x0000000000AC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2160-17-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2160-19-0x0000000000850000-0x0000000000858000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2160-18-0x0000000000A40000-0x0000000000AC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2160-16-0x0000000019ED0000-0x000000001A1B2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2160-20-0x000007FEF4FF0000-0x000007FEF598D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2160-23-0x0000000000A40000-0x0000000000AC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2160-22-0x0000000000A40000-0x0000000000AC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2952-6-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2952-5-0x0000000000520000-0x0000000000528000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2952-7-0x0000000002830000-0x00000000028B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2952-9-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2952-11-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2952-4-0x000000001B610000-0x000000001B8F2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2952-8-0x0000000002834000-0x0000000002837000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2952-10-0x000000000283B000-0x00000000028A2000-memory.dmp

        Filesize

        412KB

        Download