Analysis
max time kernel: 150s
max time network: 143s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 14:45
Static task: static1
Behavioral task: behavioral1
Sample: 599495b2243464459d5f62ec590a4c9c.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: 599495b2243464459d5f62ec590a4c9c.exe
Size: 6.4MB
MD5: 599495b2243464459d5f62ec590a4c9c
SHA1: a8b7c985a9c94f5783e0677c2999cd3642bf349e
SHA256: d8593fb8a15f7cffc852e02aeabb571e89f23561325e47b9bff099e36ddca47c
SHA512: b379073ccdbf1f5f34e69ad3bbfcde4c04a513cf744676d3341d0bf06d6d9ea811aee5d75fed04efd062bd94a60ffba9d50e7e719b74043da29302cdf58b42de
Malware Config
Signatures

XMRig Miner Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1316-2-0x0000000000400000-0x00000000010B6000-memory.dmp | xmrig
behavioral2/memory/1316-3-0x0000000000400000-0x00000000010B6000-memory.dmp | xmrig
Processes:
yara_rule: upx (matched repeatedly; the resource column is missing from this export)
Drops desktop.ini file(s) (2 IoCs)
Processes: 599495b2243464459d5f62ec590a4c9c.exe
description | ioc | process
File created | C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini | 599495b2243464459d5f62ec590a4c9c.exe
File created | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | 599495b2243464459d5f62ec590a4c9c.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (1525 IoCs)
Processes: 599495b2243464459d5f62ec590a4c9c.exe
Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
2124 | 1316 | WerFault.exe | 599495b2243464459d5f62ec590a4c9c.exe
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
Processes: 599495b2243464459d5f62ec590a4c9c.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.bdXNSVzEHU.com" | 599495b2243464459d5f62ec590a4c9c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.vIJPuoFqxn.com" | 599495b2243464459d5f62ec590a4c9c.exe
Modifies system certificate store
Processes: 599495b2243464459d5f62ec590a4c9c.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 599495b2243464459d5f62ec590a4c9c.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | 599495b2243464459d5f62ec590a4c9c.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | 599495b2243464459d5f62ec590a4c9c.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 599495b2243464459d5f62ec590a4c9c.exe
description | pid | process
Token: SeLockMemoryPrivilege | 1316 | 599495b2243464459d5f62ec590a4c9c.exe
Token: SeLockMemoryPrivilege | 1316 | 599495b2243464459d5f62ec590a4c9c.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\599495b2243464459d5f62ec590a4c9c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\599495b2243464459d5f62ec590a4c9c.exe"
   - Drops desktop.ini file(s)
   - Drops file in Program Files directory
   - Modifies Internet Explorer start page
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
2. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -u -p 1316 -s 548
   - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
file | Filesize
memory/1316-2-0x0000000000400000-0x00000000010B6000-memory.dmp | 12.7MB
memory/1316-3-0x0000000000400000-0x00000000010B6000-memory.dmp | 12.7MB
memory/1316-6-0x0000000000180000-0x00000000001C0000-memory.dmp | 256KB
memory/1316-7-0x00000000001C0000-0x00000000001E2000-memory.dmp | 136KB
memory/1316-8-0x00000000001F0000-0x0000000000200000-memory.dmp | 64KB