Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

e05bb1093f...3e.exe

windows7-x64

10

e05bb1093f...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2025, 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e.exe

  • Size

    993KB

  • MD5

    3a3c88a6665e33e283c9a42cba74bb2c

  • SHA1

    617bb1632b6d70ff39bb8c907bb9998aa4bae87e

  • SHA256

    e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e

  • SHA512

    9f97ab6ffd3b020d5159778e1284d8dc58128530e7eae6784583c312121ea60b11ece86e71426a038b532cb0f7c58e8d2a2863ba9a99525ee17ed9e57c4afe88

  • SSDEEP

    24576:y/Xj1RPW7Dw/EgpozVIBOb2L9D+7TFzULvD+9s0EqkJGtVxJ:y/zu7Dw/RoRHLJzEX0EhJGt

Score
10/10
xmrigdefense_evasiondiscoveryminerpersistence

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • XMRig Miner payload 21 IoCs
    miner
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

    miner
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e.exe
    "C:\Users\Admin\AppData\Local\Temp\e05bb1093fc6e48f0092aa1925080612b07b78b3e4232844b6bd455b9561083e.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe" -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -k -v=0 --donate-level=1 -t 4
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe
    Filesize

    975KB

    MD5

    8458b267c77b32ff52d9261de11e16fe

    SHA1

    2f23b4fcbbe786a896d93c56403eba9a3ab2abe6

    SHA256

    3db71c95cdb156b4901ad6185f66ae555cfc012316cca1ebcfe34c680f32a51f

    SHA512

    0e39d4e6a42aa9f265908698167a18c0d9be306c217f0aba0b17a9a40add99cf1b50596085aa60d81e96f823ce87f1fc0b3fdbb2017c39cb6639be439194bef2

    Download Submit

  • memory/2784-23-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-24-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-38-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-11-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-37-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-13-0x00000000771B0000-0x00000000771B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2784-15-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-14-0x00000000000B1000-0x00000000000DD000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2784-16-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-17-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-36-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-35-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-34-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-21-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-33-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-22-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-26-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-25-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-32-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-27-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-28-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-29-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-30-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2784-31-0x00000000000B0000-0x00000000002FE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3052-0-0x0000000074301000-0x0000000074302000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3052-2-0x0000000074300000-0x00000000748AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3052-20-0x0000000006370000-0x00000000065BE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3052-19-0x0000000074300000-0x00000000748AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3052-18-0x0000000074300000-0x00000000748AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3052-9-0x0000000006370000-0x00000000065BE000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3052-1-0x0000000074300000-0x00000000748AB000-memory.dmp

    Filesize

    5.7MB

    Download