Analysis
  max time kernel: 31s
  max time network: 17s
  platform: windows11-21h2_x64
  resource: win11-20240611-en
  resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 15/06/2024, 23:53
Static task: static1

General
  Target: mine3.exe
  Size: 3.5MB
  MD5: 70e341f67ff1080b9e9258a65369232f
  SHA1: b59ca5efcbc82346e95a8a69e96e0659a1b09205
  SHA256: 9ec9b48a75aaa71be277321cf9eee25a40343b0fcbf93bdae4c895af133f4e12
  SHA512: 89c52e6c02db5c102b76be5c36e348a1fdbd6d27fd441d4b307414d72564d0c982ea5ddae95005b433ebd79437ec62cbbd80d1ff841a1c995b3303961d3e334e
  SSDEEP: 98304:+3GWxmPjzreXXdB3X1tNWnbFMFLzcn0qVrpmJFjjCE:+3G3rzreXXjX1tNOxMFLIn6J7
Malware Config
Signatures

XMRig Miner payload (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x000100000002aa25-18.dat | family_xmrig
  behavioral1/files/0x000100000002aa25-18.dat | xmrig
  behavioral1/memory/1644-21-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp | xmrig
  behavioral1/memory/1644-22-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp | xmrig
  behavioral1/memory/1644-23-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp | xmrig

Executes dropped EXE (2 IoCs)
  pid | Process
  656 | enced.exe
  1644 | svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | mine3.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeLockMemoryPrivilege | 1644 | svchost.exe
  Token: SeLockMemoryPrivilege | 1644 | svchost.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1644 | svchost.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3652 wrote to memory of 1196 | 3652 | mine3.exe | 80
  PID 3652 wrote to memory of 1196 | 3652 | mine3.exe | 80
  PID 1196 wrote to memory of 656 | 1196 | WScript.exe | 82
  PID 1196 wrote to memory of 656 | 1196 | WScript.exe | 82
  PID 1196 wrote to memory of 656 | 1196 | WScript.exe | 82
  PID 656 wrote to memory of 4384 | 656 | enced.exe | 84
  PID 656 wrote to memory of 4384 | 656 | enced.exe | 84
  PID 4384 wrote to memory of 1644 | 4384 | cmd.exe | 85
  PID 4384 wrote to memory of 1644 | 4384 | cmd.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\mine3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\mine3.exe"
   PID: 3652
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\System32\WScript.exe
     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
     PID: 1196
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe"
       PID: 656
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\system32\cmd.exe
         Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\685F.tmp\6860.tmp\6861.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe"
         PID: 4384
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
           Command line: svchost
           PID: 1644
           - Executes dropped EXE
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads