Overview

overview

10

Static

static

5

386382628b...a5.exe

windows7_x64

10

386382628b...a5.exe

windows10_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    173s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    16-10-2021 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    386382628bdab18db3b929a566756da5.exe

  • Size

    15.9MB

  • MD5

    386382628bdab18db3b929a566756da5

  • SHA1

    fcd17baf5894cede249211bab735f97d8f6b5770

  • SHA256

    90e4fd2f0792a3068a2048c3dd0fd42e1f7e4da082d76cbe52989757a4a987d5

  • SHA512

    8916ea2666d16430c26b55fd11f0195a96f352f79cc884029b380f8001cf46f1aa0a9b86d36d8dbc15f39c95b163301546ccbafcde3bedd78ae5267063f52a05

Score
10/10
suricata

Malware Config

Signatures

  • suricata: ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin

    suricata: ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin

    suricata
  • Executes dropped EXE 1 IoCs
  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\386382628bdab18db3b929a566756da5.exe
    "C:\Users\Admin\AppData\Local\Temp\386382628bdab18db3b929a566756da5.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        3⤵
        • Creates scheduled task(s)
        PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\32.exe
    MD5

    92db5c0ef23537fc42654904c83248b7

    SHA1

    8106cdd679416fe075720fa4069c1b857a90ebed

    SHA256

    b10359a841665c6d12aa319a4b1e73bcd4b9dbffdf1e50d3950da04fa99ca258

    SHA512

    8cd475f82955c9a7c6b8c4bb3dd388982286dfca24bb87f81ac72df7a9fbb40ace80c4aa41dd1c4329507c9d66e4bc8415b5bd3d910de9a92863f34346210e05

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\64.exe
    MD5

    8429562f032e9f70369729e23ff37b2c

    SHA1

    6c6518a42567e69182c577f870f3284ea78da1a1

    SHA256

    506fdf48fcdb4e3d973ffb1e4e85801f5f860dbfea91735eb14e97f74d39b1d4

    SHA512

    7fa4ef8d22d30d6634c6c1a457fa92e13ee765bb1ca744edb08b5d8bd9484341adc8b11cc3a7e0d4c68bc8fa7bfdac722b8f4f09dad9dee1515002e362a587ad

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    MD5

    43141e85e7c36e31b52b22ab94d5e574

    SHA1

    cfd7079a9b268d84b856dc668edbb9ab9ef35312

    SHA256

    ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

    SHA512

    9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
    MD5

    dee195c4307bfa52752b04330f601e88

    SHA1

    462964034bcae3a5976929b501d03e77f083d323

    SHA256

    8d2c6b30d2548766cc2915619d2ce1044cc2fd90090c981e98e2e0bd8d3191eb

    SHA512

    283d3f350d93100169be0e1a04b680047884eb729c882fd545667fac6b22a39c2cafda269ca0b61d228ebeca2b960537e2ee61aa827abe8092c357994bcf73fd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
    MD5

    9160347bec74471e1a79edfd950629ae

    SHA1

    c149a7e5aab6e349a70b7b458d0eaaa9d301c790

    SHA256

    0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

    SHA512

    b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

    Download Submit
  • memory/400-121-0x0000000000000000-mapping.dmp
    Download
  • memory/3600-120-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4504-119-0x0000000000000000-mapping.dmp
    Download
  • memory/4560-115-0x0000000000000000-mapping.dmp
    Download