Analysis

  • max time kernel
    31s
  • max time network
    17s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/06/2024, 23:53

General

  • Target

    mine3.exe

  • Size

    3.5MB

  • MD5

    70e341f67ff1080b9e9258a65369232f

  • SHA1

    b59ca5efcbc82346e95a8a69e96e0659a1b09205

  • SHA256

    9ec9b48a75aaa71be277321cf9eee25a40343b0fcbf93bdae4c895af133f4e12

  • SHA512

    89c52e6c02db5c102b76be5c36e348a1fdbd6d27fd441d4b307414d72564d0c982ea5ddae95005b433ebd79437ec62cbbd80d1ff841a1c995b3303961d3e334e

  • SSDEEP

    98304:+3GWxmPjzreXXdB3X1tNWnbFMFLzcn0qVrpmJFjjCE:+3G3rzreXXjX1tNOxMFLIn6J7

Score
10/10

Malware Config

Signatures

  • XMRig Miner payload 5 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mine3.exe
    "C:\Users\Admin\AppData\Local\Temp\mine3.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\685F.tmp\6860.tmp\6861.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
            svchost
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\685F.tmp\6860.tmp\6861.bat

    Filesize

    166B

    MD5

    386111a0272bbea006a609dcf40bdb3a

    SHA1

    3d3e93757be3480f5ac13b1d22e1a176cb1bc7df

    SHA256

    117d3372f76040e45673473df7f5e3837d46a6853ffd2363be26b93a92dd0e2f

    SHA512

    f9081fa4950f9298dd2199727b4bebcf2a081b7d3bd0b87ade76abceb5ba79bc3378507f015387dd0834ff615f5cb5f8049e20ec9f48df075f86578441d36f16

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.json

    Filesize

    3KB

    MD5

    43cc764d70e3988d6c79dcda228a0232

    SHA1

    b1af34e7f1ab3c4f0b569d1154a480cf494d324c

    SHA256

    835694daf882bb7d474c3b5ddf251961f1c9c5a3ad63bf5ac29707a75375606e

    SHA512

    ba85a828f80de83759fe932e60c08d2ead4a9cb6722cea60363471bc4f66c1bda131d5a53fdaaa6d3dda6db56a01d655e2ff927e6316a91843d8c7606404202a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe

    Filesize

    89KB

    MD5

    7cd05433a3b4b84ac94175d3a64c1c02

    SHA1

    f7f5a17f7bedb00bdfaee7ad4f5d41072c6fcd3d

    SHA256

    31c68e8eef0bdf19be5850194ad47dad4620dd450c97d6578d6fa345d56a25b6

    SHA512

    a084530e4ee25a16795827bbf445a70cd02a527caf483b40cbe83badfae3f62101c801484e0bb45623c66c839751b98f946ce93089d07d1687a96a4367280f98

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

    Filesize

    99B

    MD5

    9daf6eb9778b66b523f6f4f6c956ed4c

    SHA1

    caa17396d526a963dc7d4f2e164deaa71484956d

    SHA256

    d98328c99f703fcec40891d2173bbb8ad20b0f5f34642db82ecbb0eb7ea19d10

    SHA512

    14eefcb99170c40780585380762e7c8d1f5d261950aee01625dca7deab40b8ea271cd83cf4cb1ad2dd0b32c43e5e7dd2a5c39f7fd9bd9d48eb20054bf6f154ab

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe

    Filesize

    9.0MB

    MD5

    81d19b38ee6bccd0acb83280012e4a34

    SHA1

    9852f0df5ef32231062f5a6bd474918a26da6865

    SHA256

    d40e416f072fcbcdddddd302c9960f08039a4f8b6d8ca82eaf0f854f5938b61f

    SHA512

    14312ef19da9006a2733e59a8264e7af79b98d29a63de5678f42e7bbc51ca3d9fe58a0c7cd305125b3020b917bb5a2093a4c375db1ce52963a20f157c9e28b33

  • memory/1644-19-0x00000259279C0000-0x00000259279E0000-memory.dmp

    Filesize

    128KB

  • memory/1644-21-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp

    Filesize

    12.2MB

  • memory/1644-22-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp

    Filesize

    12.2MB

  • memory/1644-23-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp

    Filesize

    12.2MB