Analysis

  • max time kernel
    151s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-12-2021 21:57

General

  • Target

    033bd23a236b70e2fe45c57a9b9a1155.exe

  • Size

    950KB

  • MD5

    033bd23a236b70e2fe45c57a9b9a1155

  • SHA1

    cf55475105cf32e3fb63d70dda18b7cb8d794041

  • SHA256

    56125010c5571fa10c9eb077f5620108f9dae9d5aea04880bfe8ee2a112c3c13

  • SHA512

    d41ed9bedeeb04dd578fbcde94dcba2a278d751b9e5308e5f87d59f7e3c5e01c5ee1f559e10ca16344bab8653c0d530a535cc96065fcad12632ee10978f0d0c3

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Disables taskbar notifications via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 22 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox signature describes this as likely ransomware behaviour; in this report it accompanies the drive enumeration above, and no file-encryption activity is listed.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
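The registry-related signatures above (Defender real-time protection, taskbar notifications, Windows security modification) name behaviours without listing the keys that were written. The script below is an added example, not sandbox output, of how a detection engineer would turn them into rules over Sysmon-style registry value-set events. The key and value names are the well-known locations each signature name refers to, and the events themselves are constructed to mirror this report's process tree; the report does not record which keys the sample actually touched.

```python
"""Registry-write triage rules for the behaviours the Signatures section lists.

Added example, not sandbox code. Input events are constructed in the shape of
Sysmon Event ID 13 (RegistryEvent, value set); the key/value names below are
the well-known locations each signature name refers to, which this report
does not itself spell out.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    target: str    # key path with the value name as the last component
    details: str   # Sysmon renders DWORD data as "DWORD (0x00000001)"


# (signature name from the report, regex on the target path, ATT&CK v6 ID the report uses)
RULES: List[Tuple[str, str, str]] = [
    ("Modifies Windows Defender Real-time Protection settings",
     r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
     r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableOnAccessProtection)$",
     "T1089"),
    ("Disables taskbar notifications via registry modification",
     r"\\CurrentVersion\\Policies\\Explorer\\TaskbarNoNotification$",
     "T1112"),
    ("Windows security modification",
     r"\\Microsoft\\Security Center\\(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)$",
     "T1089"),
]

_DWORD = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+)\)")


def dword_value(details: str) -> int:
    """Return the integer in a Sysmon 'DWORD (0x...)' string, or -1 if not a DWORD."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else -1


def classify(events):
    """Return (signature, attack_id, pid, image, target) for every event that sets a
    disabling flag. Writing 0 (re-enabling protection) is deliberately not flagged."""
    hits = []
    for ev in events:
        for name, pattern, tid in RULES:
            if re.search(pattern, ev.target, re.IGNORECASE) and dword_value(ev.details) > 0:
                hits.append((name, tid, ev.pid, ev.image, ev.target))
    return hits


# Constructed events shaped after this report's tree (PID 1048 = alg.exe, PID 1936 = sample).
# The keys the sample really wrote are not in the report, so these are illustrative only.
SAMPLE_EVENTS = [
    RegEvent(1048, r"C:\Windows\System32\alg.exe",
             r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000001)"),
    RegEvent(1048, r"C:\Windows\System32\alg.exe",
             r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify",
             "DWORD (0x00000001)"),
    RegEvent(1936, r"C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoNotification",
             "DWORD (0x00000001)"),
    RegEvent(4321, r"C:\Windows\System32\svchost.exe",   # benign re-enable: must not fire
             r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000000)"),
    RegEvent(1936, r"C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe",
             r"HKCU\Software\Classes\Local Settings\MuiCache\Foo",
             "Binary Data"),
]

if __name__ == "__main__":
    for hit in classify(SAMPLE_EVENTS):
        print(hit)
```

Only value-set events are covered: the read-side signatures (country code under Control Panel\International\Geo, the Uninstall key enumeration) are visible to a sandbox API hook but not to Sysmon, so they need a different telemetry source.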

Processes

  • C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe
    "C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe
      "C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 580
      2⤵
      • Program crash
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:300
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1048
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    1⤵
    • Executes dropped EXE
    PID:1660
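Two things in the tree deserve attention. The child process 6kxoOdJ16_mgNmlNYUIn9buw.exe runs from the user's Pictures folder, and alg.exe and aspnet_state.exe appear at depth 1 (not as children of the sample) yet are flagged "Executes dropped EXE", with their on-disk copies listed under Downloads below under new hashes: the sample overwrote two legitimate Windows service binaries, which is what the Modify Existing Service mapping reflects, and they were presumably started as services afterwards. The script below is an added example, not part of the report, that encodes those checks together with the WerFault crash correlation over constructed process records; the parent PID 600 for the two service processes is an assumption standing in for services.exe, and the hashes are the dropped-file SHA256 values from this report, not known-good Microsoft hashes.

```python
"""Process-tree triage over the Processes section of this report.

Added example, not sandbox output. Records are constructed from the tree shown
above; parent PIDs for alg.exe and aspnet_state.exe are an assumption (the
report shows them at depth 1, i.e. not started by the sample).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


# Service binaries whose on-disk copies the report lists under Downloads, keyed by
# lower-cased path, with the dropped-file SHA256 from the report (not known-good hashes).
DROPPED_SERVICE_BINARIES = {
    r"c:\windows\system32\alg.exe":
        "cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e",
    r"c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe":
        "8165f81eb06073e19f184f4846fc6d0620d3d047d2cb2a64f12b28b03bd3c27e",
}

_WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashed_pid(cmdline: str) -> Optional[int]:
    """Extract the target PID from a WerFault.exe command line ('-p <pid>')."""
    m = _WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def findings(procs: List[Proc]) -> List[str]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out = []
    for p in procs:
        low = p.image.lower()
        # 1. Executable launched from a user's Pictures folder: the dropper wrote
        #    6kxoOdJ16_mgNmlNYUIn9buw.exe under 'Pictures\Adobe Films'.
        if re.search(r"\\users\\[^\\]+\\pictures\\", low):
            parent = by_pid.get(p.ppid)
            out.append(f"pid {p.pid}: executable run from user Pictures folder "
                       f"(parent pid {p.ppid}: {parent.image if parent else '?'})")
        # 2. WerFault's -p argument names the process that crashed (PID 1936 here).
        if low.endswith(r"\werfault.exe"):
            target = crashed_pid(p.cmdline)
            victim = by_pid.get(target)
            out.append(f"pid {p.pid}: WerFault for pid {target} "
                       f"({victim.image if victim else 'unknown image'})")
        # 3. A service binary path whose hash equals the dropped file in this report:
        #    the legitimate service executable was replaced (T1031 in ATT&CK v6).
        ioc = DROPPED_SERVICE_BINARIES.get(low)
        if ioc and p.sha256.lower() == ioc:
            out.append(f"pid {p.pid}: {p.image} matches dropped-file hash; "
                       f"service binary replaced")
    return out


# Constructed from the report's tree; ppid 600 stands in for services.exe (assumption).
SAMPLE_TREE = [
    Proc(1936, 1000, r"C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\033bd23a236b70e2fe45c57a9b9a1155.exe"'),
    Proc(1564, 1936, r"C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe",
         r'"C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe"',
         "265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a"),
    Proc(300, 1936, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 580"),
    Proc(1048, 600, r"C:\Windows\System32\alg.exe", r"C:\Windows\System32\alg.exe",
         "cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e"),
    Proc(1660, 600, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe",
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe",
         "8165f81eb06073e19f184f4берз0620d3d047d2cb2a64f12b28b03bd3c27e".replace("берз", "846fc6d"),),
]

if __name__ == "__main__":
    for line in findings(SAMPLE_TREE):
        print(line)
```

On a live host the third check is better done the other way round: verify that alg.exe and aspnet_state.exe still carry a valid Microsoft Authenticode signature rather than matching them against one report's hashes, since the next build of the dropper will write different files.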

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                     Count  ID
  Persistence        Modify Existing Service       1      T1031
  Defense Evasion    Modify Registry               3      T1112
  Defense Evasion    Disabling Security Tools      2      T1089
  Credential Access  Credentials in Files          1      T1081
  Discovery          Query Registry                3      T1012
  Discovery          System Information Discovery  3      T1082
  Discovery          Peripheral Device Discovery   1      T1120
  Collection         Data from Local System        1      T1005


Downloads

  • C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe
    MD5

    3f22bd82ee1b38f439e6354c60126d6d

    SHA1

    63b57d818f86ea64ebc8566faeb0c977839defde

    SHA256

    265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

    SHA512

    b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    MD5

    5414af7b560e0b1fdd25b5aaeeaad6f0

    SHA1

    d57aa9e795b5f5fe817e481a3679187acf084fbc

    SHA256

    8165f81eb06073e19f184f4846fc6d0620d3d047d2cb2a64f12b28b03bd3c27e

    SHA512

    67f419043a73fa80812e29e0a35d6eb908577ebb856921d0529d323de14bac4b99d017cffbb8d137a66262cd21147c19cba92eaabbbb1ff9794b9ce278a85218

  • C:\Windows\System32\alg.exe
    MD5

    e6ad28f9b9c6e50aa30fc29fa3339096

    SHA1

    e2c93213c5087ef9693530d874a9a540ebd6b7e0

    SHA256

    cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e

    SHA512

    455fea6ed34ed2775bd53103679ebf66ea9c01657d9dc0b27ed1c7524b398dc6225c830bb2bc310c7fee39ba8ed682cd5b74009b8cd757227760f4ba290d9f1e

  • \Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe
    MD5

    3f22bd82ee1b38f439e6354c60126d6d

    SHA1

    63b57d818f86ea64ebc8566faeb0c977839defde

    SHA256

    265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

    SHA512

    b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

  • \Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    MD5

    5414af7b560e0b1fdd25b5aaeeaad6f0

    SHA1

    d57aa9e795b5f5fe817e481a3679187acf084fbc

    SHA256

    8165f81eb06073e19f184f4846fc6d0620d3d047d2cb2a64f12b28b03bd3c27e

    SHA512

    67f419043a73fa80812e29e0a35d6eb908577ebb856921d0529d323de14bac4b99d017cffbb8d137a66262cd21147c19cba92eaabbbb1ff9794b9ce278a85218

  • \Windows\System32\alg.exe
    MD5

    e6ad28f9b9c6e50aa30fc29fa3339096

    SHA1

    e2c93213c5087ef9693530d874a9a540ebd6b7e0

    SHA256

    cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e

    SHA512

    455fea6ed34ed2775bd53103679ebf66ea9c01657d9dc0b27ed1c7524b398dc6225c830bb2bc310c7fee39ba8ed682cd5b74009b8cd757227760f4ba290d9f1e

  • memory/300-68-0x0000000000000000-mapping.dmp
  • memory/300-70-0x0000000000620000-0x0000000000621000-memory.dmp
    Filesize

    4KB

  • memory/1048-64-0x00000000FFEA0000-0x00000000FFF6F000-memory.dmp
    Filesize

    828KB

  • memory/1048-69-0x00000000FFEA0000-0x00000000FFF6F000-memory.dmp
    Filesize

    828KB

  • memory/1564-60-0x0000000000000000-mapping.dmp
  • memory/1660-67-0x000000013F760000-0x000000013F828000-memory.dmp
    Filesize

    800KB

  • memory/1936-58-0x0000000000C50000-0x0000000000D73000-memory.dmp
    Filesize

    1.1MB

  • memory/1936-54-0x0000000000C50000-0x0000000000D73000-memory.dmp
    Filesize

    1.1MB

  • memory/1936-57-0x0000000003B00000-0x0000000003C4E000-memory.dmp
    Filesize

    1.3MB

  • memory/1936-56-0x00000000760F1000-0x00000000760F3000-memory.dmp
    Filesize

    8KB

  • memory/1936-55-0x0000000000C50000-0x0000000000D73000-memory.dmp
    Filesize

    1.1MB
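The memory entries above use the sandbox's naming scheme memory/<pid>-<n>-<start>-<end>-memory.dmp (entries ending in -mapping.dmp carry no address range), and every dropped file is listed twice, with and without the drive letter. The following is an added example, not sandbox code, that parses those names back into per-process address ranges, reproduces the listed sizes, and collapses the duplicate Downloads rows by SHA256. Reading <n> as a dump sequence number is an assumption; the names and hashes are copied from this report.

```python
"""Parse the artifact names in the Downloads section of this report.

Added example, not sandbox code. Memory-dump names follow the pattern the page
shows, memory/<pid>-<n>-<start>-<end>-memory.dmp; treating <n> as the sandbox's
dump sequence number is an assumption not documented on the page.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int


_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Optional[Region]:
    """Return the (pid, seq, start, end) encoded in a memory.dmp name, or None for
    mapping.dmp entries and anything else that carries no address range."""
    m = _DUMP.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def human_size(n: int) -> str:
    """Render sizes the way the report does: whole KB below 1 MB, one decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_by_pid(names: List[str]) -> Dict[int, List[Region]]:
    """Group parsed dump regions by process ID, preserving report order."""
    out = defaultdict(list)
    for n in names:
        r = parse_dump_name(n)
        if r:
            out[r.pid].append(r)
    return dict(out)


def unique_drops(entries):
    """Collapse the duplicate Downloads rows (with and without drive letter) by SHA256,
    keeping the first path seen for each hash."""
    seen = {}
    for path, sha256 in entries:
        seen.setdefault(sha256.lower(), path)
    return seen


# Names copied from this report's Downloads section.
DUMP_NAMES = [
    "memory/300-68-0x0000000000000000-mapping.dmp",
    "memory/300-70-0x0000000000620000-0x0000000000621000-memory.dmp",
    "memory/1048-64-0x00000000FFEA0000-0x00000000FFF6F000-memory.dmp",
    "memory/1660-67-0x000000013F760000-0x000000013F828000-memory.dmp",
    "memory/1936-54-0x0000000000C50000-0x0000000000D73000-memory.dmp",
    "memory/1936-57-0x0000000003B00000-0x0000000003C4E000-memory.dmp",
    "memory/1936-56-0x00000000760F1000-0x00000000760F3000-memory.dmp",
]

# (path, SHA256) pairs copied from the report; each file appears twice on the page.
DROPS = [
    (r"C:\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe",
     "265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a"),
    (r"\Users\Admin\Pictures\Adobe Films\6kxoOdJ16_mgNmlNYUIn9buw.exe",
     "265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a"),
    (r"C:\Windows\System32\alg.exe",
     "cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e"),
    (r"\Windows\System32\alg.exe",
     "cc307a73649dea03fa7ee99c95a02e1da3aa83c43b3df0168c35772c87ab495e"),
]

if __name__ == "__main__":
    for pid, regs in regions_by_pid(DUMP_NAMES).items():
        for r in regs:
            print(f"pid {pid}: 0x{r.start:X}-0x{r.end:X} {human_size(r.end - r.start)}")
    for sha256, path in unique_drops(DROPS).items():
        print(sha256, path)
```

The sizes the script recomputes match the ones listed (828KB for the alg.exe region, 800KB for aspnet_state.exe, 1.1MB and 1.3MB for the sample); the three dumps of PID 1936 taken at different sequence numbers from the same 0xC50000-0xD73000 range are the sample's own image captured repeatedly, which is the region to feed to a static unpacker first.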