Analysis
- max time kernel: 93s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-07-2021 18:37

Behavioral task: behavioral1
Sample: xnew.exe
Resource: win7v20210410
General
- Target: xnew.exe
- Size: 5.7MB
- MD5: be3d7c9e59675e027f450c74a7a2e724
- SHA1: a50603600e623fdad2d7fc6032f1f696ff2afc1e
- SHA256: 22577366b67db3949feb69639228d19b85258f269ca7a3546565d09c142bb8d7
- SHA512: e90a87e3e25183c903186d13f366616fbd7d0dfe773a5c2e45a52690f04a20f41b70bb9115bc18cd1b0d7ea585a0e60efd999c3e360aeef93085ceb301a404ab
Malware Config
Signatures
- XMRig Miner Payload (3 IoCs)
  Processes (resource | yara_rule):
  C:\ProgramData\OneDrive\OneDrive.exe | xmrig
  C:\ProgramData\OneDrive\OneDrive.exe | xmrig
  C:\ProgramData\OneDrive\OneDrive.exe | xmrig
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3228 | OneDrive.exe
  1240 | OneDrive.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk | xnew.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | cmd.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeLockMemoryPrivilege | 3228 | OneDrive.exe
  Token: SeLockMemoryPrivilege | 3228 | OneDrive.exe
  Token: SeLockMemoryPrivilege | 1240 | OneDrive.exe
  Token: SeLockMemoryPrivilege | 1240 | OneDrive.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
  3968 | xnew.exe
  3968 | xnew.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid | process):
  3968 | xnew.exe
  3968 | xnew.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  PID 3968 wrote to memory of 1424 | 3968 | xnew.exe | cmd.exe
  PID 3968 wrote to memory of 1424 | 3968 | xnew.exe | cmd.exe
  PID 1424 wrote to memory of 2416 | 1424 | cmd.exe | WScript.exe
  PID 1424 wrote to memory of 2416 | 1424 | cmd.exe | WScript.exe
  PID 2416 wrote to memory of 3340 | 2416 | WScript.exe | cmd.exe
  PID 2416 wrote to memory of 3340 | 2416 | WScript.exe | cmd.exe
  PID 1424 wrote to memory of 2152 | 1424 | cmd.exe | WScript.exe
  PID 1424 wrote to memory of 2152 | 1424 | cmd.exe | WScript.exe
  PID 3340 wrote to memory of 3228 | 3340 | cmd.exe | OneDrive.exe
  PID 3340 wrote to memory of 3228 | 3340 | cmd.exe | OneDrive.exe
  PID 2152 wrote to memory of 1048 | 2152 | WScript.exe | cmd.exe
  PID 2152 wrote to memory of 1048 | 2152 | WScript.exe | cmd.exe
  PID 1048 wrote to memory of 1240 | 1048 | cmd.exe | OneDrive.exe
  PID 1048 wrote to memory of 1240 | 1048 | cmd.exe | OneDrive.exe
Processes (number = depth in the process tree)
1: C:\Users\Admin\AppData\Local\Temp\xnew.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\xnew.exe"
   - Drops startup file
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OneDrive\bat.bat" "
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3: C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\OneDrive\Hide.vbs"
         - Suspicious use of WriteProcessMemory
         4: C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OneDrive\start.cmd" "
            - Suspicious use of WriteProcessMemory
            5: C:\ProgramData\OneDrive\OneDrive.exe
               Command line: OneDrive.exe
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
      3: C:\Windows\System32\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\OneDrive\Hide.vbs"
         - Suspicious use of WriteProcessMemory
         4: C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OneDrive\start.cmd" "
            - Suspicious use of WriteProcessMemory
            5: C:\ProgramData\OneDrive\OneDrive.exe
               Command line: OneDrive.exe
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\OneDrive\Hide.vbs
  MD5: 9d3e53a45a2a66903b60df0da9c43204
  SHA1: 155d4626973b7c5263a74d7d3ddda4b7f9f41a5f
  SHA256: 810f546dd3db6b16cedb00e725443bbfea6193533633a905bad53e76c92c3a5c
  SHA512: 63b48df98b489907df4e92ece7bc50d48867d74dd6bce485a2c708bf9cd7f1bbd797fb287e4b17cf92d87b8b2d4d04b75c2317a200f33903dc36822672cc8efc
- C:\ProgramData\OneDrive\OneDrive.exe
  MD5: 7e747dc3069cd41f41e95fe241ad3fe3
  SHA1: b0c4fec61662662f4a436ab0021d10f9c2fa72da
  SHA256: 3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41
  SHA512: 08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8
- C:\ProgramData\OneDrive\bat.bat
  MD5: 58cc6845de149329e70735ddfeb15929
  SHA1: 05e988b00c98ac78a51799f42a440e6deee8b57f
  SHA256: 6af13cac95660c368b511f827ed20214028499cc8b39fad60df42526fcd1bf64
  SHA512: d0adf5eb00047bcb8a429a69ba89fc2b78b907af779a46d99d464398c1efc8081f7d40c83f0312406a7d4d391af58ad1e2dd38d6cb96e94a6be91d5539edd43e
- C:\ProgramData\OneDrive\config.json
  MD5: b6391bd3c1f12cc1a7d0e9340ac64163
  SHA1: 1be90c7983362dd2efd83b6f9a2f36a23788cb38
  SHA256: 41e8a2598eb0929655feb8ad6eeffd5e3f762368557f361b37e296ce9586c13c
  SHA512: 1034825bad67098ca4c1e5b7040cfba008fd3e7a28cf47261fc891ce15c04c6d4d45b297215c0f34f932c13536e003702aa9c3f148e50fcdcbc45b7cc3851bca
- C:\ProgramData\OneDrive\start.cmd
  MD5: e59c417c96b0fece601eed82898106ce
  SHA1: d962291aa061ac1a26290f8eaae617c2a0bd538b
  SHA256: 2ceb591c8490c88f3519a156dc4fb7c9dd1423bd19e77f03116613a06c86e307
  SHA512: 6a8bff6b11a3a2f5d75bfc4cf00d3d0e48f777f983c927493cc79a9ffa00f24d078903c833cb2833d1c5c0d09316927243343a689aa7ae559fa0a8d961fb9b90
- memory/1048-126-0x0000000000000000-mapping.dmp
- memory/1240-135-0x0000025F9F850000-0x0000025F9F870000-memory.dmp (Filesize: 128KB)
- memory/1240-134-0x0000025F9F870000-0x0000025F9F890000-memory.dmp (Filesize: 128KB)
- memory/1240-136-0x0000025F9F890000-0x0000025F9F8B0000-memory.dmp (Filesize: 128KB)
- memory/1240-127-0x0000000000000000-mapping.dmp
- memory/1424-114-0x0000000000000000-mapping.dmp
- memory/2152-120-0x0000000000000000-mapping.dmp
- memory/2416-117-0x0000000000000000-mapping.dmp
- memory/3228-124-0x00000295A6630000-0x00000295A6650000-memory.dmp (Filesize: 128KB)
- memory/3228-132-0x00000295A6690000-0x00000295A66B0000-memory.dmp (Filesize: 128KB)
- memory/3228-131-0x00000295A6670000-0x00000295A6690000-memory.dmp (Filesize: 128KB)
- memory/3228-133-0x00000295A66B0000-0x00000295A66D0000-memory.dmp (Filesize: 128KB)
- memory/3228-130-0x00000295A6650000-0x00000295A6670000-memory.dmp (Filesize: 128KB)
- memory/3228-121-0x0000000000000000-mapping.dmp
- memory/3340-119-0x0000000000000000-mapping.dmp