40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
15-03-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
Size

730KB
MD5

07f1fa24a6fcb3708ab0689a2706ad8c
SHA1

5da69784e467f242b4f0318fed2b3aed988c6466
SHA256

04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be
SHA512

59a67d2e495b948a45f32f67e3e2a85f0d8343942677e16d8f53162b42ba3a535dd72b713ca1ab59f871a7cbb614f13626741b782b2b2cc4c875bf3a82e83bfb

Score

9^/10

miner persistence upx

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3440-3-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/3440-5-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rTGuKMQbwh = "C:\\Users\\Admin\\AppData\\Local\\ZEZFEZ~1\\MYPROC~1.EXE"	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

description	pid	process	target process
PID 1452 set thread context of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

pid	process
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

description	pid	process	target process
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe
PID 1452 wrote to memory of 3440	1452	04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
"C:\Users\Admin\AppData\Local\Temp\04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\notepad.exe
-a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u boyeu1017@gmail.com -p x -t 2
2⤵
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-2-0x0000000000D40000-0x0000000000DFA000-memory.dmp

Filesize
744KB

Download
memory/3440-4-0x00000000004873E0-mapping.dmp

Download
memory/3440-3-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3440-5-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download