Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

mBBBgvD.exe

windows7-x64

10

mBBBgvD.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mBBBgvD.exe

  • Size

    2.3MB

  • MD5

    120b148606efb6400aa3aeb9ce44a668

  • SHA1

    e7488d6d0893c4d074f69718c8ee32da42d98207

  • SHA256

    607626fde0a0263edd41db4721523682cb343600ef083fc78f23f04ca8be04b1

  • SHA512

    6a5888c08f9378805978f53fd01a93dcc7f202198c12e57376c794e3f60d04c1b67dd6f51156c2ded32ae318cf73baa2b9f811fe1e99de4ddc86ac35bc2a2a43

  • SSDEEP

    49152:W1vr8uwYtUeKFj/c2e4r7XplKVZo0juLx1hZf18E2yujq3:W1freFj/c2e4rinaj8E2hg

Score
10/10
xmrigxwormdiscoveryminerrattrojan

Malware Config

Extracted

Family

xworm

C2

95.164.19.68:1987

Mutex

humtwXiPPZ6S5Ma5

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xmrig family
    xmrig
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mBBBgvD.exe
    "C:\Users\Admin\AppData\Local\Temp\mBBBgvD.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Users\Admin\AppData\Roaming\8oEhnOmMoa.exe
      "C:\Users\Admin\AppData\Roaming\8oEhnOmMoa.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=83WC3ZPssiBd2F1wky22B8jUzY9vMUhR7DT8D7fqbm3SRjBzHiRm4ShbVzFZ72oousCnk8UTWMMRq9L2HHkka8D9Mm6TWM6 --pass=x --cpu-max-threads-hint=20
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
    • C:\Users\Admin\AppData\Roaming\r8oGWMoAuS.exe
      "C:\Users\Admin\AppData\Roaming\r8oGWMoAuS.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\8oEhnOmMoa.exe
    Filesize

    2.1MB

    MD5

    b2a071577416531d00c3292c79d4948e

    SHA1

    9918560650b15f7320361c003ab74c4c2009fe80

    SHA256

    3fcadd3a9814a92abb993d778461db81480ba979b0da02f61947bc9fa99dbea6

    SHA512

    6a939c6c43819fc84108a240d530aeb41c3ddfda52bf33430e24db9fba69e5c8577b3cace41c929179b306bf75c132410b45cc70d3e0692ad95ed34dec658175

    Download Submit

  • C:\Users\Admin\AppData\Roaming\r8oGWMoAuS.exe
    Filesize

    47KB

    MD5

    3849de855221df5c59aaf6da5ed9d7e6

    SHA1

    09d3eb1497ab5f7309bb89650108385e2c9f17c5

    SHA256

    0373a886b98fcfec95445ba4232269961bd6eddda3612f08d0c57a2c3ba7ea6d

    SHA512

    d6c1adf42b0b8d56a5a0f5dba64cc0053b8051fe08f8e8e642d3663ea8fc2639f24cd2ad42e8d8e9012c42ded48a2cf1251230c70d7c61021ba196928e2e02be

    Download Submit

  • memory/2544-28-0x00007FFF68E30000-0x00007FFF698F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2544-22-0x00007FFF68E33000-0x00007FFF68E35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2544-23-0x0000000000BC0000-0x0000000000DD8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2544-24-0x00000000018B0000-0x00000000018C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2544-34-0x00007FFF68E30000-0x00007FFF698F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3824-39-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-38-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-33-0x0000000000EE0000-0x0000000000F00000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3824-32-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-44-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-35-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-36-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-40-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-43-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-29-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-30-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3824-37-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4680-41-0x000000001B1F0000-0x000000001B200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-42-0x00007FFF68E30000-0x00007FFF698F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4680-25-0x00000000004A0000-0x00000000004B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4680-27-0x00007FFF68E30000-0x00007FFF698F1000-memory.dmp

    Filesize

    10.8MB

    Download