Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
25s -
max time network
30s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/01/2025, 23:05
General
-
Target
rig.exe
-
Size
2.4MB
-
MD5
570a9cc9fd20159e92707abe69676299
-
SHA1
864cb610c0c80cf8ff00fd4aaae9b05fa63fd990
-
SHA256
ba52bd426e17cf8902ae05eb8caea7e0510d668db97dedd2cabcd1dc5a06063f
-
SHA512
ba11d2e1888f736d1934e78db6397ae04ea49422beb7392575422ea51cd459ac9b0c8a274397ab828792728364d145c16fc2390242a17a56a8ad02fa4c580f92
-
SSDEEP
49152:BfOqHErn3OFIJDOmxFVIdtKfBDhqGDZdB4hYk/0AK0uOkJA79OB8OITieIr:fcne+9Omb+dtKfBD3rZOkJA79OBkbI
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
Xmrig family
-
XMRig Miner payload 3 IoCs
resource yara_rule behavioral1/memory/3832-6-0x0000000000CC0000-0x000000000120D000-memory.dmp xmrig behavioral1/memory/3832-5-0x0000000000CC0000-0x000000000120D000-memory.dmp xmrig behavioral1/memory/3832-24-0x0000000000CC0000-0x000000000120D000-memory.dmp xmrig -
resource yara_rule behavioral1/memory/3832-6-0x0000000000CC0000-0x000000000120D000-memory.dmp vmprotect behavioral1/memory/3832-5-0x0000000000CC0000-0x000000000120D000-memory.dmp vmprotect behavioral1/memory/3832-24-0x0000000000CC0000-0x000000000120D000-memory.dmp vmprotect -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rig.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 3832 rig.exe 3832 rig.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 3832 rig.exe 3832 rig.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1584 taskmgr.exe Token: SeSystemProfilePrivilege 1584 taskmgr.exe Token: SeCreateGlobalPrivilege 1584 taskmgr.exe Token: SeLockMemoryPrivilege 3832 rig.exe Token: SeLockMemoryPrivilege 3832 rig.exe Token: 33 1584 taskmgr.exe Token: SeIncBasePriorityPrivilege 1584 taskmgr.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe -
Suspicious use of SendNotifyMessage 44 IoCs
pid Process 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe 1584 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\rig.exe"C:\Users\Admin\AppData\Local\Temp\rig.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1584