Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4e9292f02e...05.exe

windows7-x64

10

4e9292f02e...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    23/05/2024, 11:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e9292f02efc44abd5a2671439283405.exe

  • Size

    5.0MB

  • MD5

    4e9292f02efc44abd5a2671439283405

  • SHA1

    8fe8f59ad5cbb35115a3e997848b1f9c968dccfb

  • SHA256

    53b0c0f60949cc15b4514b8fb1642bef07c5c65a48e4adc247da22a254b66437

  • SHA512

    f0774ed0643c9c35de61c133e03640596b3dd64f8d26c4b9b959fe51678a4775be39fb2ddea8402342b3f341642a3e0a80f656dd567239535c270df5d25fbc43

  • SSDEEP

    98304:sF322L5o+zIKbC+YO61IxwSXxfuGtaoZohphcnZCdHHugWdDfDHOaRighoYU:sF322lor4C/O6etbTZohXZdnupDfD1R0

Score
10/10
xmrigevasionexecutionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e9292f02efc44abd5a2671439283405.exe
    "C:\Users\Admin\AppData\Local\Temp\4e9292f02efc44abd5a2671439283405.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1652
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1948
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQCW"
      2⤵
      • Launches sc.exe
      PID:2176
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQCW" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2600
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2692
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQCW"
      2⤵
      • Launches sc.exe
      PID:2704
  • C:\ProgramData\Google\Chrome\updater.exe
    C:\ProgramData\Google\Chrome\updater.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2492
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      2KB

      MD5

      3e9af076957c5b2f9c9ce5ec994bea05

      SHA1

      a8c7326f6bceffaeed1c2bb8d7165e56497965fe

      SHA256

      e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

      SHA512

      933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

      Download Submit

    • \ProgramData\Google\Chrome\updater.exe
      Filesize

      5.0MB

      MD5

      4e9292f02efc44abd5a2671439283405

      SHA1

      8fe8f59ad5cbb35115a3e997848b1f9c968dccfb

      SHA256

      53b0c0f60949cc15b4514b8fb1642bef07c5c65a48e4adc247da22a254b66437

      SHA512

      f0774ed0643c9c35de61c133e03640596b3dd64f8d26c4b9b959fe51678a4775be39fb2ddea8402342b3f341642a3e0a80f656dd567239535c270df5d25fbc43

      Download Submit

    • memory/2472-25-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-22-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-23-0x00000000001F0000-0x0000000000210000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2472-21-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-27-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-24-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-26-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-28-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-16-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-17-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-19-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-20-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-18-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2472-29-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2492-11-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2492-10-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2492-9-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2492-8-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2492-7-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2492-13-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download