Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

taskhost.exe

windows7-x64

10

taskhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskhost.exe

  • Size

    19.8MB

  • MD5

    74595855031cc4eb18b48346f876cd2e

  • SHA1

    24bf72be8f93f2da8defe6c47004ecde786458ef

  • SHA256

    2ea5e2feaf74e9ea6d7760ae2a20742a8861157607584e566e32b1ba329d378a

  • SHA512

    33227d3e36a95fd4b9fcee533997bab9080a735c52417a10114a01d81c15eebcccca1cb99c6cfaf70691fc5149a41f8cffd4ee5fd54e0a593aaeb1ca6438b240

  • SSDEEP

    393216:xao4ZbKh+7uRQSn44pfrovhexQ0s0kl1X5+twDyClkzmv7PXVTpa:xaoAW+qpf6hKQJ+tcH6zmv7Xa

Score
10/10
xmrigevasionminerthemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Themida packer 46 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • AutoIT Executable 41 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\system32\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:2580
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c gpupdate /force
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\system32\gpupdate.exe
        gpupdate /force
        3⤵
          PID:2492
      • C:\ProgramData\Setup\Packs.exe
        C:\ProgramData\Setup\Packs.exe -ppidar
        2⤵
        • Executes dropped EXE
        PID:2516
      • C:\ProgramData\WindowsTask\audiodg.exe
        C:\ProgramData\WindowsTask\audiodg.exe
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:468
      • C:\ProgramData\WindowsTask\MicrosoftHost.exe
        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u CPU --donate-level=1 -k --cpu-priority=0 -t4
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Setup\Packs.exe
      Filesize

      7.8MB

      MD5

      2c478377002d8f8c188252f338e10d17

      SHA1

      71c3b3154ae57c9e692c32653ab8859c23680b30

      SHA256

      bda32a05036ce8fabd53f41509c114c5bf2c9d8343fb7725b6b21903ca44a89c

      SHA512

      fd183050382e834dadec658d0f9673607049a605c5c7dafe997d74b3921dafca0b677b8cfba9733cfd1d9c80581133281778f6be46f7080c5d743ea2c6f99dde

      Download Submit

    • C:\ProgramData\WindowsTask\MicrosoftHost.exe
      Filesize

      5.2MB

      MD5

      1ee4321c311d7e58208c61630fa3f278

      SHA1

      67ef36cf785ec0d4602eb35a98c23420beba2e2a

      SHA256

      463ce847b6f7b32d1f4f49dfaaa2ce4a1061b6dfca1fb6a1bf39f7f40117266d

      SHA512

      f0bbf219926d7316bce936e4c362f2b5195420b7ee14538dd61d8a362921351cdde80705fcff8249773284a10067149f5a60291fa965aaaaca65fc535a5a8ffd

      Download Submit

    • C:\ProgramData\WindowsTask\WinRing0x64.sys
      Filesize

      14KB

      MD5

      0c0195c48b6b8582fa6f6373032118da

      SHA1

      d25340ae8e92a6d29f599fef426a2bc1b5217299

      SHA256

      11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

      SHA512

      ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

      Download Submit

    • C:\ProgramData\WindowsTask\audiodg.exe
      Filesize

      5.7MB

      MD5

      5bda5e3354916c14aeef5e9c1589ea99

      SHA1

      a9bf3059461f569a290fbbfe0e59d9629f5749ec

      SHA256

      7fa2c88d0732f4f432320d0b8cdc8a024b5efcae99da74dcd06dc91089ffd101

      SHA512

      5a9b55bf1124002e67468f133f47008426f19f1acb7de76eb001fc94ff4e9170142fa8b394bc8cee8d805a8484724135ef0251f029bd1304954b0aa2a2f8a987

      Download Submit

    • memory/468-83-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-134-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-108-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-103-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-98-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-92-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-87-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-119-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-124-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-80-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-129-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-112-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-69-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-51-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-52-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-54-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-55-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-57-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-58-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-56-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/468-53-0x000000013F9E0000-0x00000001408AB000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/1932-31-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-7-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-61-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-50-0x00000000073D0000-0x000000000829B000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/1932-68-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-77-0x00000000073D0000-0x000000000829B000-memory.dmp

      Filesize

      14.8MB

      Download

    • memory/1932-79-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-34-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-0-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-86-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-15-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-9-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-91-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-1-0x0000000077AF0000-0x0000000077AF2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1932-97-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-8-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-102-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-6-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-107-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-5-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-114-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-4-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-118-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-3-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-123-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-2-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/1932-128-0x000000013FCA0000-0x000000014194F000-memory.dmp

      Filesize

      28.7MB

      Download

    • memory/2364-62-0x00000000003F0000-0x0000000000410000-memory.dmp

      Filesize

      128KB

      Download