Analysis
max time kernel: 29s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19/09/2024, 07:29
Static task: static1
Behavioral task: behavioral1
Sample: xr miner.exe
Resource: win10-20240404-en
General
Target: xr miner.exe
Size: 29.8MB
MD5: 8c6ef23e59af6beccf80a34d46d352e4
SHA1: 51db51ccb62843de50d22726f75be98742f166d4
SHA256: 28c665278cb244896fb360cc5d2a773b0b75c4a334075ec6462e426a5ab91908
SHA512: 3e1fc68353dbef2c073bb146df16aebfb1b180754e4af30c21b846e77739f298458d84c7e180680b9d6e95f2d8c9f3517d609efca2c8f8fd0e619106c72d03f8
SSDEEP: 393216:dUhODqcltF1nEyaT+lYiUoxvC36/9xIyADAm+dfy5vN1fJhxUXpFWZ6Pys9HaF+X:dDqstzNs+SihxLQA+vN1CXKUDiSlUTa
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions. In this run the two Add-MpPreference calls exclude a set of paths (the current directory, the user profile, AppData, Temp, SystemRoot, HomeDrive and SystemDrive) and the extensions exe and dll; no process exclusions are added.
  pid   Process
  804   powershell.exe
  2256  powershell.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2360  services64.exe
- Drops file in System32 directory (2 IoCs)
  description                   ioc                                  Process
  File created                  C:\Windows\system32\services64.exe   conhost.exe
  File opened for modification  C:\Windows\system32\services64.exe   conhost.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here it registers a task named "services64" that runs C:\Windows\system32\services64.exe at every logon with the highest run level (/rl highest).
  pid   Process
  1776  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  4912  conhost.exe
  804   powershell.exe (3 entries)
  2256  powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  pid   Process         Tokens enabled
  4912  conhost.exe     SeDebugPrivilege
  804   powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2256  powershell.exe  the same 22 tokens as PID 804
  The unnamed entries 33 to 36 are privilege LUIDs: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. This full set is routinely reported for powershell.exe regardless of the script it runs and is not specific to this sample; the entry worth noting is SeDebugPrivilege enabled by conhost.exe (4912), the process that xr miner.exe wrote into and from which every later process in the tree is spawned.
- Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   Process        procid_target
  PID 1452 wrote to memory of 4912  1452  xr miner.exe   72  (3 entries)
  PID 4912 wrote to memory of 4340  4912  conhost.exe    73  (2 entries)
  PID 4340 wrote to memory of 804   4340  cmd.exe        75  (2 entries)
  PID 4912 wrote to memory of 3116  4912  conhost.exe    77  (2 entries)
  PID 3116 wrote to memory of 1776  3116  cmd.exe        79  (2 entries)
  PID 4340 wrote to memory of 2256  4340  cmd.exe        81  (2 entries)
  PID 4912 wrote to memory of 3364  4912  conhost.exe    82  (2 entries)
  PID 3364 wrote to memory of 2360  3364  cmd.exe        84  (2 entries)
  A pair of writes from a parent into a child it has just started appears for every process creation in these reports and is not suspicious by itself. The entries that matter are the three writes from xr miner.exe (1452) into conhost.exe (4912), which was launched with the sample's own path as its argument; after that, conhost.exe rather than the sample is the parent of every cmd.exe, powershell.exe, schtasks.exe and services64.exe in the tree.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\xr miner.exe  (PID 1452)
  command line: "C:\Users\Admin\AppData\Local\Temp\xr miner.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\conhost.exe  (PID 4912)
    command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\xr miner.exe"
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe  (PID 4340)
      command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 804)
        command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2256)
        command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe  (PID 3116)
      command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe  (PID 1776)
        command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\System32\cmd.exe  (PID 3364)
      command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\services64.exe  (PID 2360)
        command line: C:\Windows\system32\services64.exe
        signatures: Executes dropped EXE
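The signatures and the process tree above describe three behaviours an analyst would want to pull out of endpoint telemetry automatically: Defender exclusions added with Add-MpPreference, an on-logon scheduled task registered with schtasks, and a dropped binary executed from System32 under a name that imitates services.exe. The following Python is an added example, not code from the Triage report or from the sample; EVENTS and DROPPED are constructed from the report's own process tree and file IoCs rather than exported from a real log, and the function names, the IMITATED name list and the ATT&CK technique mapping are my own assumptions.

```python
"""Triage helper for the behaviour in the report above (added example, not
Triage's own code). Given process-creation records it reports Defender
exclusions added with Add-MpPreference, on-logon scheduled tasks created with
schtasks, and dropped binaries run from System32 under an imitated name.
EVENTS and DROPPED are constructed from the report, not a real log export."""
import re
from typing import Dict, List

# Constructed from the report's process tree: (pid, ppid, image, command line).
EVENTS = [
    (1452, 0, r"C:\Users\Admin\AppData\Local\Temp\xr miner.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\xr miner.exe"'),
    (4912, 1452, r"C:\Windows\System32\conhost.exe",
     r'"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\xr miner.exe"'),
    (4340, 4912, r"C:\Windows\System32\cmd.exe",
     '"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, '
     '$env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" '
     '& powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force" & exit'),
    (804, 4340, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,'
     '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"'),
    (2256, 4340, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force"'),
    (3116, 4912, r"C:\Windows\System32\cmd.exe",
     r'"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"'),
    (1776, 3116, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"'),
    (3364, 4912, r"C:\Windows\System32\cmd.exe", r'"cmd" cmd /c "C:\Windows\system32\services64.exe"'),
    (2360, 3364, r"C:\Windows\system32\services64.exe", r"C:\Windows\system32\services64.exe"),
]
# From the "Drops file in System32 directory" IoC: lower-cased path -> pid that wrote it.
DROPPED = {r"c:\windows\system32\services64.exe": 4912}

MP_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+", re.I)
SCHTASKS_RE = re.compile(r'/(sc|rl|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.I)
# Excluding a whole volume or the Windows directory defeats on-access scanning outright.
BROAD_PATHS = {"$env:systemdrive", "$env:systemroot", "$env:homedrive", "c:\\"}
# Illustrative list (an assumption, not from the report) of process names that
# malware imitates by appending digits, e.g. services64.exe for services.exe.
IMITATED = {"services", "svchost", "lsass", "csrss", "winlogon", "conhost", "dllhost"}


def _balanced(text: str, start: int) -> str:
    """Return the inside of the parenthesised group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced parentheses in: " + text)


def parse_mp_exclusions(cmdline: str) -> Dict[str, List[str]]:
    """Map 'path' / 'extension' / 'process' to the values Add-MpPreference excludes."""
    found: Dict[str, List[str]] = {}
    for m in MP_RE.finditer(cmdline):
        rest = cmdline[m.end():]
        if rest.startswith("@("):            # PowerShell array literal, may nest ($pwd).path
            items = _balanced(rest, 1).split(",")
        else:                                 # single bare or quoted value
            items = [rest.split()[0]]
        found.setdefault(m.group(1).lower(), []).extend(i.strip().strip("'\"") for i in items)
    return found


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Pull /sc, /rl, /tn and /tr out of a 'schtasks /create' command line."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", cmdline, re.I):
        return {}
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_RE.finditer(cmdline)}


def lineage(events, pid: int) -> List[str]:
    """Image basenames from the root process down to pid."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain[::-1]


def triage(events, dropped) -> List[dict]:
    """One finding per (pid, behaviour), tagged with the ATT&CK technique it maps to."""
    out = []
    for pid, _, image, cmd in events:
        name = image.rsplit("\\", 1)[-1].lower()
        excl = parse_mp_exclusions(cmd)
        if excl:
            broad = {p.lower() for p in excl.get("path", [])} & BROAD_PATHS
            out.append({"pid": pid, "technique": "T1562.001", "detail": f"Defender exclusions {excl}",
                        "defeats_scanning": bool(broad or {"exe", "dll"} & set(excl.get("extension", [])))})
        task = parse_schtasks(cmd)
        if task.get("sc", "").lower() == "onlogon":
            out.append({"pid": pid, "technique": "T1053.005",
                        "detail": f"task {task.get('tn')} runs {task.get('tr')} at logon (/rl {task.get('rl')})"})
        stem = name[:-4] if name.endswith(".exe") else name
        bare = stem.rstrip("0123456789")
        if bare != stem and bare in IMITATED and "\\system32\\" in image.lower():
            out.append({"pid": pid, "technique": "T1036.005", "detail": f"{name} imitates {bare}.exe"})
        if image.lower() in dropped:
            out.append({"pid": pid, "technique": "dropped-exe",
                        "detail": f"{name} was written by pid {dropped[image.lower()]} and then run"})
    return out


if __name__ == "__main__":
    for f in triage(EVENTS, DROPPED):
        print(f["pid"], " -> ".join(lineage(EVENTS, f["pid"])), f["technique"], f["detail"])
```

Run stand-alone it prints one line per finding with the process lineage, and every lineage roots at xr miner.exe -> conhost.exe, which is the pivot to search for in EDR data. On a live host the same tampering is visible through Get-MpPreference (ExclusionPath and ExclusionExtension) and Get-ScheduledTask -TaskName services64.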
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 1KB
  MD5: fc355d8b2a713e9a3a9b233e769008be
  SHA1: a1b27007359b33ee21d82e5d2a7591c7b94da98e
  SHA256: 67feb23513b3b5d466540f2861d2cde78604a826680d3cd1ae0182f8e8f9338a
  SHA512: fdc7cfb1fffe4ac97db7d460d001862ad0e204dc4b198acfab0c14d0a062b61c55f401e891bd14c871d52322db46c1a92a0b866bee9628896644ff5f356873c3
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  (these are the hashes of the single ASCII byte "1"; a one-byte file like this is usually a marker or flag rather than a payload)
- Filesize: 10.5MB
  MD5: 09b8581726e3ed193f5319ad114592e8
  SHA1: 9200f8204419ea76bac7169d0b7e949c426a8ae2
  SHA256: 900aaa105cfbf1f81efdb50cdf98293f7c3a365c48dfea6a5dd2d8d44c07112e
  SHA512: 0f42c05590ca0f6d7514b8ef57e2fd15704d483e57bf95b911408a8a638b0cdcc35dd5fea702fa91ea1798eed1c1fe14a059da41daa0df6aa2b8368606167a45
- Filesize: 9.1MB
  MD5: 7517202a5c167e209d19ff78ea113ed4
  SHA1: 335bcf1c8c92fc9c38e7a34e2ba234e1a1ac4f32
  SHA256: 8845e4842c2e63aa263c15495d711362bec1a2dbc0e484f174929e34c5520082
  SHA512: cd83366ab703da2b7677bb01358a36fefe89763324960535924e41cb49e87a9d81835722a667520d0207e1e2e0b67e252347c80e20ee3f40261c9286701bff30