Analysis
-
max time kernel
576s -
max time network
584s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 13:14
General
-
Target
mine.exe
-
Size
5.9MB
-
MD5
09d83c47610228fcfa9ac97cddd492fe
-
SHA1
fc63d772dfbf7cde2323f39fadcafbae86894c6a
-
SHA256
3d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
-
SHA512
2b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
Malware Config
Signatures
-
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
-
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 6 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 50 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\mine.exe"C:\Users\Admin\AppData\Local\Temp\mine.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEC2.tmp.cmd""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 44⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEC3.tmp.cmd""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 44⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'4⤵
- Creates scheduled task(s)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\ImportTrace.xltm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exeC:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftApi.exe.logMD5
91da0e0d6c73120560eafe3fb0a762fa
SHA1450b05f8ca5afb737da4312cf7d1603e695ec136
SHA256bbb62e473ac1b24a55b9fca67848cebc87764d47a6bf60f51d85ed6de28575d1
SHA51205fb7457b58d099581121c9afc361543a5d2d4b3444994be5cf6a36b3010a76a13310698f77452e2921dc6d1ac511240d95588030a5983eaee7899b625f4e11a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreanDriver.exe.logMD5
b0fa3a2c527d3e19302605f3f326855b
SHA13b5e7bf9d44a1280da080ec1565b7ed466a620ae
SHA256836183e565e09910a755b9477c674e9b6bd8b9ec8cd4b6dc70ffaf6aed6a3402
SHA5127b42119fe44567d21060bba50f202c0dba100d753073fa7123b28160b70a8f62c745af5146f0f1bc3e877470445b2a91fd262ea737561cbb69649a23e3462252
-
C:\Users\Admin\AppData\Local\Temp\tmpBEC2.tmp.cmdMD5
3c5113ab1b42946ffdc89349b2c6d209
SHA16898e37d08571dc49af526f5be014f59f5f51988
SHA25632b16e36907b4fc7b1c790f128288324cc28d4ed5e6bd2835ad8101d9d8a9dee
SHA512a133ad3cfc408a9b90e03a777627cc4c3faa1773f3ba8fe8afc688eefa9ee911f01fd3eac239fd4a2338eb53c509883c399df9b94ec8058f4df6feb700348405
-
C:\Users\Admin\AppData\Local\Temp\tmpBEC3.tmp.cmdMD5
d01ed91c2a99548628d82f6c86064252
SHA1f0daf48fc3f84e6e6b80020e58138daf203e38a5
SHA2561c145762349dfd3d710f2b80c833c6e0f4ea14f0891fa64d0bddbe3e7dfb83dd
SHA5122553e27e4d7ca42d50398c970d104db99f8004838afb8dbab5b8a70e7c220cc630db3a4e1b5a58d5a652ba82f3252d5de53f07e1ba6d4a2c2a66ffd958e76db8
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ICSharpCode.SharpZipLib.dllMD5
5a5ab6c6bf9a23d07bc72cc19c37a432
SHA112fd67b780088a9d95eecd06c59658447e42f65c
SHA25685ff339d1e0b853b0f544530fb022a30254f398d8cecfcdfa9e3c0310c3f4791
SHA51216f5d6af94daa0833d4a95fcf261273f7610a6aaba01b775a358bee6c4ff25d90ad93abfcaf917256038d0abd272502c10e4e8933a062d456db3db077a7221bd
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exeMD5
09d83c47610228fcfa9ac97cddd492fe
SHA1fc63d772dfbf7cde2323f39fadcafbae86894c6a
SHA2563d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
SHA5122b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exeMD5
09d83c47610228fcfa9ac97cddd492fe
SHA1fc63d772dfbf7cde2323f39fadcafbae86894c6a
SHA2563d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
SHA5122b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exeMD5
7d5dce7315ef85297c70b1cc5dfe90fc
SHA1cd782852ecb85cbc4355003e265d5caa7003da20
SHA2564c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370
SHA512aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exeMD5
7d5dce7315ef85297c70b1cc5dfe90fc
SHA1cd782852ecb85cbc4355003e265d5caa7003da20
SHA2564c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370
SHA512aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exeMD5
7d5dce7315ef85297c70b1cc5dfe90fc
SHA1cd782852ecb85cbc4355003e265d5caa7003da20
SHA2564c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370
SHA512aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exeMD5
7d5dce7315ef85297c70b1cc5dfe90fc
SHA1cd782852ecb85cbc4355003e265d5caa7003da20
SHA2564c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370
SHA512aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f
-
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exeMD5
7d5dce7315ef85297c70b1cc5dfe90fc
SHA1cd782852ecb85cbc4355003e265d5caa7003da20
SHA2564c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370
SHA512aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f
-
\??\c:\users\admin\appdata\roaming\servicemicrosoftapi\microsoftapi.exeMD5
09d83c47610228fcfa9ac97cddd492fe
SHA1fc63d772dfbf7cde2323f39fadcafbae86894c6a
SHA2563d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
SHA5122b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
-
memory/480-366-0x0000000000000000-mapping.dmp
-
memory/480-371-0x000001EE75122000-0x000001EE75124000-memory.dmpFilesize
8KB
-
memory/480-370-0x000001EE75120000-0x000001EE75122000-memory.dmpFilesize
8KB
-
memory/1008-142-0x000001CF6A150000-0x000001CF6A152000-memory.dmpFilesize
8KB
-
memory/1008-143-0x000001CF6A153000-0x000001CF6A155000-memory.dmpFilesize
8KB
-
memory/1008-144-0x000001CF6ADF0000-0x000001CF6ADF1000-memory.dmpFilesize
4KB
-
memory/1008-167-0x000001CF6A156000-0x000001CF6A158000-memory.dmpFilesize
8KB
-
memory/1008-171-0x000001CF6A158000-0x000001CF6A159000-memory.dmpFilesize
4KB
-
memory/1008-138-0x000001CF6A120000-0x000001CF6A121000-memory.dmpFilesize
4KB
-
memory/1008-132-0x0000000000000000-mapping.dmp
-
memory/1120-126-0x0000000000000000-mapping.dmp
-
memory/1272-127-0x0000000000000000-mapping.dmp
-
memory/1304-133-0x0000000000000000-mapping.dmp
-
memory/1576-181-0x00007FF947920000-0x00007FF949815000-memory.dmpFilesize
31.0MB
-
memory/1576-180-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-179-0x00007FF94B6E0000-0x00007FF94C7CE000-memory.dmpFilesize
16.9MB
-
memory/1576-352-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-176-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-351-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-175-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-174-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-350-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-173-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-349-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmpFilesize
64KB
-
memory/1576-172-0x00007FF7D74D0000-0x00007FF7DAA86000-memory.dmpFilesize
53.7MB
-
memory/1696-338-0x000001C244B54000-0x000001C244B56000-memory.dmpFilesize
8KB
-
memory/1696-331-0x0000000000000000-mapping.dmp
-
memory/1696-334-0x000001C2447B0000-0x000001C2447B1000-memory.dmpFilesize
4KB
-
memory/1696-337-0x000001C244B52000-0x000001C244B54000-memory.dmpFilesize
8KB
-
memory/1696-336-0x000001C244B50000-0x000001C244B52000-memory.dmpFilesize
8KB
-
memory/1884-328-0x00000277BB450000-0x00000277BB452000-memory.dmpFilesize
8KB
-
memory/1884-330-0x00000277A2960000-0x00000277A2961000-memory.dmpFilesize
4KB
-
memory/1940-364-0x000002DCC88B0000-0x000002DCC88B2000-memory.dmpFilesize
8KB
-
memory/1940-365-0x000002DCC88B2000-0x000002DCC88B4000-memory.dmpFilesize
8KB
-
memory/1940-360-0x0000000000000000-mapping.dmp
-
memory/2156-358-0x0000029957440000-0x0000029957442000-memory.dmpFilesize
8KB
-
memory/2156-353-0x0000000000000000-mapping.dmp
-
memory/2156-359-0x0000029957442000-0x0000029957444000-memory.dmpFilesize
8KB
-
memory/2620-131-0x0000000000000000-mapping.dmp
-
memory/3004-130-0x0000000000000000-mapping.dmp
-
memory/3292-124-0x00007FF900000000-0x00007FF900002000-memory.dmpFilesize
8KB
-
memory/3292-125-0x00007FF900030000-0x00007FF900031000-memory.dmpFilesize
4KB
-
memory/3292-122-0x00007FF765CA0000-0x00007FF765CA1000-memory.dmpFilesize
4KB
-
memory/3292-119-0x0000000000000000-mapping.dmp
-
memory/3808-322-0x0000000000000000-mapping.dmp
-
memory/4060-115-0x00007FF900030000-0x00007FF900031000-memory.dmpFilesize
4KB
-
memory/4060-117-0x00007FF68FC70000-0x00007FF68FC71000-memory.dmpFilesize
4KB
-
memory/4060-114-0x00007FF900000000-0x00007FF900002000-memory.dmpFilesize
8KB