Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-06-2021 03:37

General

  • Target 595C00BF9CA4BAA42B4490F2782CF2D3.exe
  • Size 1.1MB
  • MD5 595c00bf9ca4baa42b4490f2782cf2d3
  • SHA1 d1441cc336655f36efc3db070f84701a1f68e51a
  • SHA256 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
  • SHA512 aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 6 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\595C00BF9CA4BAA42B4490F2782CF2D3.exe
    "C:\Users\Admin\AppData\Local\Temp\595C00BF9CA4BAA42B4490F2782CF2D3.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\server.exe
      "C:\Windows\server.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        3⤵
        PID:1604
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Windows\server.exe"
        3⤵
        PID:812
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        3⤵
        PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access: Replication Through Removable Media (1) T1091
  • Persistence: Modify Existing Service (1) T1031
  • Discovery: System Information Discovery (1) T1082
  • Lateral Movement: Replication Through Removable Media (1) T1091

Downloads

  • C:\Users\Admin\AppData\Roaming\app
    MD5 24e9e7d7eea4de90c8fc67ae1145abf2
    SHA1 dd9bb46ccc6340ca892cf17ebe32b9bdbadee2d1
    SHA256 bd6c1d15579254e8879ada07376f93cb2e959f45670374892fde2efaf4194f6c
    SHA512 5572afd61c7ba666515a987f23ad0a05ab753bdc28cfa492adb30200207427a4a38699d3b7981e0750414775a4ce72a209511951d38a8673c709b08774fca01f
  • C:\Windows\server.exe
    MD5 595c00bf9ca4baa42b4490f2782cf2d3
    SHA1 d1441cc336655f36efc3db070f84701a1f68e51a
    SHA256 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
    SHA512 aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6
  • \??\c:\windows\server.exe
    MD5 595c00bf9ca4baa42b4490f2782cf2d3
    SHA1 d1441cc336655f36efc3db070f84701a1f68e51a
    SHA256 6884ac9f82a44a7702c4807deec1640b66eb71f6c750dd0ca1d5d78632e626b5
    SHA512 aaa673adb4511d7e4ba5836f6874b047e8c2b31f86e005d46094a47626d23f97d72874307538c451541dbb44905503df2227902e9f4ccffa4d9836981abcd2e6
  • memory/812-69-0x0000000000000000-mapping.dmp
  • memory/912-70-0x0000000000000000-mapping.dmp
  • memory/1604-67-0x0000000000000000-mapping.dmp
  • memory/1740-61-0x0000000000000000-mapping.dmp
  • memory/1740-66-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
    Filesize 4KB
  • memory/1788-59-0x00000000757C1000-0x00000000757C3000-memory.dmp
    Filesize 8KB
  • memory/1788-60-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
    Filesize 4KB