Analysis

  • max time kernel: 151s
  • max time network: 150s
  • platform: windows10_x64
  • resource: win10-en-20211014
  • submitted: 05-12-2021 00:11

General

  • Target: a4863b8da0f8b001d7c28b956139e23f.exe
  • Size: 1.3MB
  • MD5: a4863b8da0f8b001d7c28b956139e23f
  • SHA1: 7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4
  • SHA256: c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181
  • SHA512: 8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d

Signatures

  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE DCRAT Activity (GET)

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe
    "C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe
      "C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Windows\system\explorer.exe
        "C:\Windows\system\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\fvecpl\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\ShellExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\PasswordOnWakeSettingFlyout\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "a4863b8da0f8b001d7c28b956139e23f" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\a4863b8da0f8b001d7c28b956139e23f.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2384
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:2372
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4084
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:3696
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4048
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3720
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3808

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    • Scheduled Task (T1053): 1
  • Persistence
    • Winlogon Helper DLL (T1004): 1
    • Registry Run Keys / Startup Folder (T1060): 1
    • Scheduled Task (T1053): 1
  • Privilege Escalation
    • Scheduled Task (T1053): 1
  • Defense Evasion
    • Modify Registry (T1112): 3
  • Credential Access
    • Credentials in Files (T1081): 2
  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2
  • Collection
    • Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a4863b8da0f8b001d7c28b956139e23f.exe.log
    MD5: 4a1ed3846791b69d7fa47b440e9e0c89
    SHA1: 426942cf26fbc0a96bdc525a6a625726471abaca
    SHA256: cd4a447c7269df5cced4fa6a981c156f51b652d3026e4008027d6092b76ba7a5
    SHA512: 52341fafc8510e04546fcaf3dedc720d73bf88e217217ddc8b2c5dd9f74e8f6a233793bc63e4ee970da8872371560331dae56479af2d4afdb5f8597fdf3e5dfd
  • C:\Users\Admin\AppData\Local\Temp\a4863b8da0f8b001d7c28b956139e23f.exe
    MD5: a4863b8da0f8b001d7c28b956139e23f
    SHA1: 7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4
    SHA256: c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181
    SHA512: 8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d
  • C:\Windows\System\explorer.exe
    MD5: a4863b8da0f8b001d7c28b956139e23f
    SHA1: 7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4
    SHA256: c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181
    SHA512: 8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d
  • C:\Windows\system\explorer.exe
    MD5: a4863b8da0f8b001d7c28b956139e23f
    SHA1: 7d1d9bca4bf89e00e465f98f759f6d5b958fe4e4
    SHA256: c2452b97cff633876bc788ac4f72eb39f459a6c58f2a44f8443de1049b66d181
    SHA512: 8b2fb4c0ec99bc92ad2c6081fc84fd6e83ca7b01f46fe87469bbf506ea8323d680f72edbd633396c0f2fd3d550ad0740a36c52c4af2457aefd27fe23b3781f1d
