Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03/08/2024, 02:27
General
-
Target
81d7d198766e05c765cc4814cb3db8e3.exe
-
Size
18KB
-
MD5
81d7d198766e05c765cc4814cb3db8e3
-
SHA1
24f4bf8122663db5fd7ef441e5d963c657de81c1
-
SHA256
7ef0dbe74ba624afab311c9dcb533bf6faccd794ce5c824d4f734d11b7dd9c3d
-
SHA512
2c166b96a65482fb2aabdac3ee3de99d7264cd179f11788692f6fe43256561228764e9129b4f230b0a084339ff3805421a14d1dcf96a7ea4a2531ee41bffc3c1
-
SSDEEP
384:elK/PKenMK6H1/UhTzCp4JyPzZhAuYqH8JEwEj/GrKwtgG/Xi/GlNEplhrrFcckQ:dKKf6V4veyX1ayIq1c
Malware Config
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
XMRig Miner payload 14 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\81d7d198766e05c765cc4814cb3db8e3.exe"C:\Users\Admin\AppData\Local\Temp\81d7d198766e05c765cc4814cb3db8e3.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GameProcessHelper.exe"C:\Users\Admin\AppData\Local\Temp\GameProcessHelper.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\OmegaOmega.exe"C:\Users\Admin\AppData\Local\Temp\OmegaOmega.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Media\OmegaOmega.exe"C:\Users\Admin\AppData\Roaming\Windows Media\OmegaOmega.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Media\01100011 01110000 01110101\xmrig.exe"C:\Users\Admin\AppData\Roaming\Windows Media\01100011 01110000 01110101\xmrig.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
942B
MD56bdda504525dab642f6b2501909f5db9
SHA14ee3f943422d4ab46886aad80c0aebdf231a0426
SHA256c295416053705f71b5287254d10d37efcbce5a07deda8785b1e5fc0985eeb00c
SHA512c5ad8170c259ccd214cc43d759620b87e43f6dba8e0ff0a4f9ae2f3a962cec33d57f93f0514603ecde3809c882cc7f3be525e5e3c05bd9f2532acf11b2ee76b4
-
Filesize
14KB
MD5b63f1761996a673dc4ac26af70886e38
SHA144b4943cf03e249b6f6e203d7f036571d8809d74
SHA256088b1532727ab21a9e22b04f610305999d197afa5dbe17446f4e2a996ffc836a
SHA512351ab37b75e2c84ed7a149c7a40aa8b1d1c54acb20789abe4ed2617d1dc451b4d95200cf9b1e3c9a1a5c219f043602674f9fc6ad780d03c2535933df34d28f32
-
Filesize
14KB
MD5c85b809746b4014d0c3bab307457a682
SHA1fd8e16b9a623d1c7be174f0443ba6ec02af946ef
SHA2563d5d031286fea012a784fc3ae8e4f3227b4b74e57d8b33324608f5d9cc487f19
SHA512a4828e2395526ea2eed02e3badfe3175155efde3c76823946042cdc7ecaadaf62361e17f56f95fb8e0001f2723b0e1fbb85bb85e609f125b21daa9ac707b172e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
374B
MD5a81505bbd0055ce9bda43cae27082a96
SHA107a3e93db7dfe28e962369a1102daabcb2040369
SHA2567cca9027b06a2ef1c6679d616d74a50be2089c2e53190c806df8adebfc4a137a
SHA5121d51ba72cc3d86eae01bf7a8097c9a537eb8e1b5263f1755c839dd856bff646337ff3accf43055d5598ff485c176546351937800320c43944bcf60f7fd513355
-
Filesize
6.9MB
MD5061df86f0d1cdf06e773594385661f6b
SHA139ea13d5df4a9ed12eddfc50386f05d46abfe703
SHA2564d378e530f50238ac45aff750b63e8dbe0dfac89a051e4cfb1aef7513076fdd0
SHA5129fb523f4b7776a7aee79d7a7758708caff82e24b77ebbe1951622ed2227770a68f5ec9ff1eb21d8322c39ce9948b975bc0bec97c4fa334116893aae4a5ebcf74
-
Filesize
50B
MD5eb66e6a1bbe7fc49252cbbb8a19b6cdf
SHA1437b804962bd8b51b6ccd7f535e35641f8531061
SHA256c2b0f9bd5970fd525aaac069ddf2d00825544b547c9f7c8e941b9155d4bcd051
SHA5123b92f734e517ec0434711d118d09f618e9db2dfb0155fafbb1bc4529d3e8e472b2c1040fd8a00da712fb65064df3ee7e2406ae7e3bac8554ec3105caac3cc16e
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
80KB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
10.0MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
7.7MB