Analysis
- max time kernel: 52s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/07/2024, 17:37
Static task: static1
Behavioral task: behavioral1
- Sample: ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
- Resource: win10v2004-20240704-en
Behavioral task: behavioral2
- Sample: ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
- Resource: win11-20240704-en
General
- Target: ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
- Size: 4.8MB
- MD5: 713ed47553b56e8ef7e5dd2833395594
- SHA1: a8ea35bb4a054d7686157f8d5e117881ad4bf124
- SHA256: ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f
- SHA512: 78456d3741fe92fc1ed7f3310e7582fe727ca0977af0598502177d4ddafa3f035f551d9164982791c45af61d6115d36c6f91f3fd2dbe679a80120009abfdc06a
- SSDEEP: 98304:6qwmqwyPesWCyNiycBRHSh5lFhpt8AZlkje6Qd9mb/IPXj4WiT:6qwmqwyPJZyNiycB4N2jVi9m7EiT
Malware Config
Signatures
- LoaderBot executable (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000023494-14.dat | loaderbot
  behavioral1/memory/428-22-0x0000000000640000-0x0000000000A3E000-memory.dmp | loaderbot
- XMRig Miner payload (15 IoCs)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | clamer.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | poldawr.exe
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url | poldawr.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  4844 | clamer.exe
  428 | poldawr.exe
  4392 | Driver.exe
  1056 | Driver.exe
  4424 | Driver.exe
  4720 | Driver.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\poldawr.exe" | poldawr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 428 | poldawr.exe
  Token: SeLockMemoryPrivilege | 4392 | Driver.exe
  Token: SeLockMemoryPrivilege | 4392 | Driver.exe
  Token: SeLockMemoryPrivilege | 4424 | Driver.exe
  Token: SeLockMemoryPrivilege | 4424 | Driver.exe
  Token: SeLockMemoryPrivilege | 4720 | Driver.exe
  Token: SeLockMemoryPrivilege | 4720 | Driver.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2296 wrote to memory of 1632 | 2296 | ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe | 82
  PID 2296 wrote to memory of 1632 | 2296 | ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe | 82
  PID 1632 wrote to memory of 4844 | 1632 | cmd.exe | 85
  PID 1632 wrote to memory of 4844 | 1632 | cmd.exe | 85
  PID 4844 wrote to memory of 428 | 4844 | clamer.exe | 88
  PID 4844 wrote to memory of 428 | 4844 | clamer.exe | 88
  PID 4844 wrote to memory of 428 | 4844 | clamer.exe | 88
  PID 428 wrote to memory of 4392 | 428 | poldawr.exe | 91
  PID 428 wrote to memory of 4392 | 428 | poldawr.exe | 91
  PID 428 wrote to memory of 1056 | 428 | poldawr.exe | 96
  PID 428 wrote to memory of 1056 | 428 | poldawr.exe | 96
  PID 428 wrote to memory of 4424 | 428 | poldawr.exe | 98
  PID 428 wrote to memory of 4424 | 428 | poldawr.exe | 98
  PID 428 wrote to memory of 4720 | 428 | poldawr.exe | 103
  PID 428 wrote to memory of 4720 | 428 | poldawr.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2296
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 1632
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
      Command line: clamer.exe -priverdD
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4844
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\poldawr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\poldawr.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 428
        - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4392
        - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
          - Executes dropped EXE
          PID: 1056
        - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4424
        - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4720
        - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
          PID: 1232
        - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
          PID: 4724
Network
MITRE ATT&CK Enterprise v15
Downloads