Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/04/2024, 00:51

General

  • Target

    ejecutable.exe

  • Size

    9.8MB

  • MD5

    fd8d4e6fc696f111119fd0bdb615005e

  • SHA1

    2cee425a78c2c30db1db92ecab39a91afe1e0321

  • SHA256

    9ce775734b47d214e97b659997419b6f08ed83988d3f6e853b8ee2f0306a0a4c

  • SHA512

    91eed4cae6a2c14dbb70bf6e026d7789b534557e3141a7f6698f406fc0dde8be5235799fdc7618c630ae6c1cf84d8042ed0579ccb6fb969789df7a88eb245fe9

  • SSDEEP

    98304:t5i+bn565ESeSgza8U1S9UpjXOfEQ502MSQeVlIonoOvv7NpF8K:t5/bnA5neSgzXU8+E50moOvv7Nr8K

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Contacts a large (40563) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • XMRig Miner payload 1 IoCs
  • Creates new service(s) 1 TTPs
  • Stops running service(s) 3 TTPs
  • Loads dropped DLL 3 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ejecutable.exe
    "C:\Users\Admin\AppData\Local\Temp\ejecutable.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc stop npf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\system32\sc.exe
        sc stop npf
        3⤵
        • Launches sc.exe
        PID:2932
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc delete npf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\system32\sc.exe
        sc delete npf
        3⤵
        • Launches sc.exe
        PID:5112
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc create npf type= kernel start= auto binpath= C:\Users\Admin\AppData\Local\Temp\npf.sys"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\system32\sc.exe
        sc create npf type= kernel start= auto binpath= C:\Users\Admin\AppData\Local\Temp\npf.sys
        3⤵
        • Launches sc.exe
        PID:2952
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc start npf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\system32\sc.exe
        sc start npf
        3⤵
        • Launches sc.exe
        PID:2760
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "netstat -ano | findstr TCP"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\system32\NETSTAT.EXE
        netstat -ano
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:3336
      • C:\Windows\system32\findstr.exe
        findstr TCP
        3⤵
        PID:4644
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4780
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4580
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:944
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:3728
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:432
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:2980
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:1736
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:856
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4348
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:2240
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4504
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:5116
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:1248
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4084
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:3892
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4508
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:4584
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:3372
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:2928
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:1044
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk
      2⤵
      • Modifies registry class
      PID:344
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1920
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2264
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1248
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3596
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4016
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3856
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2260
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1168
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2892
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1044
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2156
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1516
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4828
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5092
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5024
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3764
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2348
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4044
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2476
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3144
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Packet.dll

      Filesize

      105KB

      MD5

      899a5bf1669610cdb78d322ac8d9358b

      SHA1

      80a2e420b99ffe294a523c6c6d87ed09dfc8d82b

      SHA256

      ab3cce674f5216895fd26a073771f82b05d4c8b214a89f0f288a59774a06b14b

      SHA512

      41f2459793ac04e433d8471780e770417afac499dc3c5413877d4a4499656c9669c069d24e638d0aaf43af178a763acb656ffd34d710eb5e3c94682db1559056

    • C:\Users\Admin\AppData\Local\Temp\m6nk9h\WinRing0x64.sys

      Filesize

      14KB

      MD5

      0c0195c48b6b8582fa6f6373032118da

      SHA1

      d25340ae8e92a6d29f599fef426a2bc1b5217299

      SHA256

      11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

      SHA512

      ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

    • C:\Users\Admin\AppData\Local\Temp\m6nk9h\config.json

      Filesize

      1KB

      MD5

      8afbb1177ab70f9d24dacd22a6793ee4

      SHA1

      b7ba0a4bd964868922143bedb93470202c0bfef4

      SHA256

      54f0d371f9918c81e3ce7a557d6da1ac4639995c5a6e409822f0e496d3a1d290

      SHA512

      2d05fb6e7e39b499b27aed4a7adf77fce1dcedc335d969be157dec91a78ed7b839ba50887d5a6de1b6f3635ae7d35dc6cd1ec064590ef76fe3ae8443fdaa5624

    • C:\Users\Admin\AppData\Local\Temp\m6nk9h\kthreaddk

      Filesize

      2.0MB

      MD5

      a7013a2c7fd3a6168a7c0d9eed825c32

      SHA1

      a3b6cf6090a425466606125aa881fdf56c1c2a67

      SHA256

      a2f3ecd329d2713855257bf922b8a092cbb1193327ba197351804275286df7dd

      SHA512

      e2e6e447806adb5d27c77f8dc32772fc49ba5532e255e1a38e92a404efccbc8f3d820d4d674a51968e5c3c1079cb834253232bf13e6ff9d437c7d0e2551ba49d

    • C:\Users\Admin\AppData\Local\Temp\wpcap.dll

      Filesize

      361KB

      MD5

      a672f1cf00fa5ac3f4f59577f77d8c86

      SHA1

      b68e64401d91c75cafa810086a35cd0838c61a4b

      SHA256

      35aab6caaaf1720a4d888ae0de9e2a8e19604f3ea0e4dd882c3eeae4f39af117

      SHA512

      a566e7571437be765279c915dd6e13f72203eff0dc3838a154fc137ed828e05644d650fd8432d1fb4c1e1d84ee00ef9bde90225c68c3ca8a5da349065e7ebfd6

    • memory/2864-9-0x0000000001C80000-0x0000000001C9F000-memory.dmp

      Filesize

      124KB