Analysis
max time kernel: 58s
max time network: 113s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 13:45
Static task: static1
Behavioral task: behavioral1
Sample: 184c9d5da1fa33549b3978e8dd9924d4.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: 184c9d5da1fa33549b3978e8dd9924d4.exe
Size: 6.2MB
MD5: 184c9d5da1fa33549b3978e8dd9924d4
SHA1: bdb1af8ed719cbf252aa941082edc8e40988d68f
SHA256: e6ab57bf15408c7bbc263ceddc341df6df2ffec5e590867d1dc03b5ea17f936c
SHA512: 0afd402928f7431e555539f6106aaa3ffc783a0ca0c9c0419eef6e2b46440ca798565bbbc74f936794a599e7708a97a274f3a182967d36f7b456f208c850baa6
Malware Config
Signatures

XMRig Miner Payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4636-2-0x0000000000400000-0x00000000010B6000-memory.dmp  xmrig
behavioral2/memory/4636-3-0x0000000000400000-0x00000000010B6000-memory.dmp  xmrig

(signature title not captured)
Processes:
yara_rule  upx  (matched repeatedly; the resource column was not captured)
Drops desktop.ini file(s) 2 IoCs
Processes: 184c9d5da1fa33549b3978e8dd9924d4.exe
description  ioc  process
File created  C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini  184c9d5da1fa33549b3978e8dd9924d4.exe
File created  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini  184c9d5da1fa33549b3978e8dd9924d4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in Program Files directory 1439 IoCs
Processes: 184c9d5da1fa33549b3978e8dd9924d4.exe
process (every row below): 184c9d5da1fa33549b3978e8dd9924d4.exe
description  ioc
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif
File opened for modification  C:\Program Files\7-Zip\7-zip.dll
File opened for modification  C:\Program Files\7-Zip\Lang\sl.txt
File created  C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui
File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\hi.pak
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar
File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll
File created  C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui
File created  C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr120.dll
File opened for modification  C:\Program Files\7-Zip\Lang\eo.txt
File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml
File opened for modification  C:\Program Files\Google\Chrome\Application\master_preferences
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\7-Zip\Lang\kab.txt
File opened for modification  C:\Program Files\7-Zip\Lang\ro.txt
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe
File opened for modification  C:\Program Files\7-Zip\7-zip.chm
File opened for modification  C:\Program Files\DismountDeny.mpa
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\bci.dll
File created  C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui
File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\de.pak
File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\sr.pak
File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak
File opened for modification  C:\Program Files\7-Zip\7zCon.sfx
File created  C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_iio.dll
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf
File created  C:\Program Files\Common Files\System\ado\msado60.tlb
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll
File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml
File created  C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklist
File created  C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll
File created  C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.cpl
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll
File opened for modification  C:\Program Files\CompressUnblock.m4a
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml
Program crash 1 IoCs
Processes: WerFault.exe
pid  pid_target  process  target process
828  4636  WerFault.exe  184c9d5da1fa33549b3978e8dd9924d4.exe
Modifies Internet Explorer start page 1 TTPs 4 IoCs
Processes: 184c9d5da1fa33549b3978e8dd9924d4.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.hryUVWlmjK.com"  184c9d5da1fa33549b3978e8dd9924d4.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.YfByULximv.com"  184c9d5da1fa33549b3978e8dd9924d4.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ZviHZfUpkM.com"  184c9d5da1fa33549b3978e8dd9924d4.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.NOqLJLfPGV.com"  184c9d5da1fa33549b3978e8dd9924d4.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 184c9d5da1fa33549b3978e8dd9924d4.exe
description  pid  process
Token: SeLockMemoryPrivilege  4636  184c9d5da1fa33549b3978e8dd9924d4.exe
Token: SeLockMemoryPrivilege  4636  184c9d5da1fa33549b3978e8dd9924d4.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\184c9d5da1fa33549b3978e8dd9924d4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\184c9d5da1fa33549b3978e8dd9924d4.exe"
   - Drops desktop.ini file(s)
   - Drops file in Program Files directory
   - Modifies Internet Explorer start page
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\system32\WerFault.exe (child of 1)
      command line: C:\Windows\system32\WerFault.exe -u -p 4636 -s 1484
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4636-2-0x0000000000400000-0x00000000010B6000-memory.dmp  Filesize: 12.7MB
memory/4636-3-0x0000000000400000-0x00000000010B6000-memory.dmp  Filesize: 12.7MB
memory/4636-6-0x0000000000180000-0x00000000001C0000-memory.dmp  Filesize: 256KB
memory/4636-7-0x00000000001C0000-0x00000000001E2000-memory.dmp  Filesize: 136KB
memory/4636-8-0x00000000001F0000-0x0000000000200000-memory.dmp  Filesize: 64KB