Analysis
max time kernel: 143s
max time network: 148s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 01:20
Static task: static1
Behavioral task: behavioral1
  Sample: 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
  Resource: win10v2004-20240611-en
General
Target: 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
Size: 3.1MB
MD5: 2f03ead3988fc2b5e16470ed0a96557d
SHA1: 4d0dcb7ebb340af8887fdec5f665eb091db9caf6
SHA256: 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779
SHA512: 799830b418d6bf37a4d7bcd9649ee6d2f0551101029fecb5e44e8115fd7e29daabd8e662e316565bd6e1e36aaf9c26a82c49c7bd65e7eb28a73e9c3930c90ca6
SSDEEP: 49152:ByTeFwtj0HLirwzPPk/iZuKsZxof6SD3nlOyT3Pwsu8/Cf6PyBXEjk1:ByVEer3/iQZxofZXlOaN/Cf66NEa
Malware Config
Signatures
XMRig Miner payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0006000000016fa9-51.dat | family_xmrig
behavioral1/files/0x0006000000016fa9-51.dat | xmrig
Detects executables packed with VMProtect. 4 IoCs
resource | yara_rule
behavioral1/files/0x00080000000167e8-40.dat | INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/3068-41-0x0000000000400000-0x000000000055E000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/3068-43-0x0000000000400000-0x000000000055E000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/3068-56-0x0000000000400000-0x000000000055E000-memory.dmp | INDICATOR_EXE_Packed_VMProtect
Creates new service(s) 2 TTPs
Deletes itself 1 IoCs
pid | Process
2116 | cmd.exe
Executes dropped EXE 5 IoCs
pid | Process
1276 | w.exe
344 | csrss.exe
2868 | csrss.exe
3068 | svchost.exe
2380 | chrome.exe
Loads dropped DLL 3 IoCs
pid | Process
2044 | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
1852 | cmd.exe
3068 | svchost.exe
resource | yara_rule
behavioral1/files/0x00080000000167e8-40.dat | vmprotect
behavioral1/memory/3068-41-0x0000000000400000-0x000000000055E000-memory.dmp | vmprotect
behavioral1/memory/3068-43-0x0000000000400000-0x000000000055E000-memory.dmp | vmprotect
behavioral1/memory/3068-56-0x0000000000400000-0x000000000055E000-memory.dmp | vmprotect
Drops file in Windows directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\chrome\chrome.exe | w.exe
File created | C:\Windows\Fonts\systam33\1.ini | cmd.exe
File created | C:\Windows\Fonts\systam33\svchost.ini | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created | C:\Windows\Fonts\systam33\w.exe | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created | C:\Windows\Fonts\chrome\config.json | w.exe
File opened for modification | C:\Windows\Fonts\systam33\w.bat | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created | C:\Windows\Fonts\chrome\xmrig-asm.lib | w.exe
File opened for modification | C:\Windows\Fonts\chrome\xmrig-asm.lib | w.exe
File created | C:\Windows\Fonts\systam33\svchost.exe | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification | C:\Windows\Fonts\chrome\config.json | w.exe
File opened for modification | C:\Windows\Fonts\chrome\WinRing0x64.sys | w.exe
File created | C:\Windows\Fonts\systam33\w.bat | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created | C:\Windows\Fonts\systam33\csrss.exe | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification | C:\Windows\Fonts\systam33\csrss.exe | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created | C:\Windows\Fonts\chrome\chrome.exe | w.exe
File created | C:\Windows\Fonts\chrome\WinRing0x64.sys | w.exe
File opened for modification | C:\Windows\Fonts\systam33\svchost.log | svchost.exe
File opened for modification | C:\Windows\Fonts\chrome\config.json | chrome.exe
File opened for modification | C:\Windows\Fonts\systam33\svchost.ini | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification | C:\Windows\Fonts\systam33\svchost.exe | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification | C:\Windows\Fonts\systam33\w.exe | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2668 | sc.exe
3052 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 7 IoCs
pid | Process
2700 | PING.EXE
2928 | PING.EXE
2756 | PING.EXE
3028 | PING.EXE
2856 | PING.EXE
2900 | PING.EXE
1892 | PING.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2044 | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
Token: SeIncBasePriorityPrivilege | 1276 | w.exe
Token: SeLockMemoryPrivilege | 2380 | chrome.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2380 | chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
The report lists 16 distinct parent/child pairs, each recorded four times (64 entries in total); the distinct rows are:
description | pid | Process | procid_target
PID 2044 wrote to memory of 1276 | 2044 | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | 28
PID 2044 wrote to memory of 1852 | 2044 | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | 29
PID 2044 wrote to memory of 2116 | 2044 | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe | 31
PID 1852 wrote to memory of 2716 | 1852 | cmd.exe | 32
PID 1852 wrote to memory of 2700 | 1852 | cmd.exe | 34
PID 2116 wrote to memory of 2928 | 2116 | cmd.exe | 35
PID 1276 wrote to memory of 1696 | 1276 | w.exe | 36
PID 1696 wrote to memory of 2756 | 1696 | cmd.exe | 38
PID 1852 wrote to memory of 2668 | 1852 | cmd.exe | 39
PID 1852 wrote to memory of 3028 | 1852 | cmd.exe | 40
PID 1852 wrote to memory of 344 | 1852 | cmd.exe | 41
PID 1852 wrote to memory of 2856 | 1852 | cmd.exe | 42
PID 1852 wrote to memory of 2868 | 1852 | cmd.exe | 43
PID 1852 wrote to memory of 2900 | 1852 | cmd.exe | 44
PID 1852 wrote to memory of 3052 | 1852 | cmd.exe | 45
PID 3068 wrote to memory of 2380 | 3068 | svchost.exe | 47
Processes
(indentation shows the process tree; the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe"
    PID: 2044
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Fonts\systam33\w.exe
      command line: "C:\Windows\Fonts\systam33\w.exe"
      PID: 1276
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~1BEA.tmp.bat"
        PID: 1696
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 2
          PID: 2756
          - Runs ping.exe

  [2] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\Fonts\systam33\w.bat" "
      PID: 1852
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\mode.com
        command line: mode con: cols=16 lines=2
        PID: 2716

    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID: 2700
        - Runs ping.exe

    [3] C:\Windows\SysWOW64\sc.exe
        command line: sc create UmRdpSerivce binPath= C:\Windows\Fonts\systam33\svchost.exe start= auto
        PID: 2668
        - Launches sc.exe

    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID: 3028
        - Runs ping.exe

    [3] C:\Windows\Fonts\systam33\csrss.exe
        command line: csrss set UmRdpSerivce DisplayName "Remote Desktop Services UserMode Port Redriector"
        PID: 344
        - Executes dropped EXE

    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID: 2856
        - Runs ping.exe

    [3] C:\Windows\Fonts\systam33\csrss.exe
        command line: csrss set UmRdpSerivce Description "Allows the redirection of Printers/Drives/Ports for RDP connectoins"
        PID: 2868
        - Executes dropped EXE

    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID: 2900
        - Runs ping.exe

    [3] C:\Windows\SysWOW64\sc.exe
        command line: sc start UmRdpSerivce
        PID: 3052
        - Launches sc.exe

    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1
        PID: 1892
        - Runs ping.exe

    [3] C:\Windows\SysWOW64\regini.exe
        command line: regini 1.ini
        PID: 2864

  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~1AD1.tmp.bat"
      PID: 2116
      - Deletes itself
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 2
        PID: 2928
        - Runs ping.exe

[1] C:\Windows\Fonts\systam33\svchost.exe
    command line: C:\Windows\Fonts\systam33\svchost.exe
    PID: 3068
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Fonts\chrome\chrome.exe
      command line: C:\Windows\Fonts\chrome\chrome.exe
      PID: 2380
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads