0672f13398e67c43c7157c82ebc12bab.exe

General
Target: 0672f13398e67c43c7157c82ebc12bab.exe
Filesize: 1MB
Completed: 20-01-2022 19:26
Score: 10/10
MD5: 0672f13398e67c43c7157c82ebc12bab
SHA1: 7d0f4d5a05767f7ef534d7b05c72d5498918597d
SHA256: 93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1

Malware Config
Signatures 10


Defense Evasion
Discovery
Persistence
  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Downloads MZ/PE file
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3972-133-0x0000000140000000-0x000000014274C000-memory.dmp | upx
  • Checks BIOS information in registry
    0672f13398e67c43c7157c82ebc12bab.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0672f13398e67c43c7157c82ebc12bab.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0672f13398e67c43c7157c82ebc12bab.exe
  • Themida packer

    Description

    Detects Themida, an advanced Windows software protection system.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3140-130-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp | themida
    behavioral2/memory/3140-131-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp | themida
    behavioral2/memory/3140-132-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp | themida
  • Adds Run key to start application
    0672f13398e67c43c7157c82ebc12bab.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe" | 0672f13398e67c43c7157c82ebc12bab.exe
  • Checks whether UAC is enabled
    0672f13398e67c43c7157c82ebc12bab.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0672f13398e67c43c7157c82ebc12bab.exe
  • Suspicious use of SetThreadContext
    0672f13398e67c43c7157c82ebc12bab.exe

    Reported IOCs

    description | pid | process | target process
    PID 3140 set thread context of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 set thread context of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
  • Suspicious use of WriteProcessMemory
    0672f13398e67c43c7157c82ebc12bab.exe

    Reported IOCs

    description | pid | process | target process
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 3972 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | bfsvc.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
    PID 3140 wrote to memory of 1080 | 3140 | 0672f13398e67c43c7157c82ebc12bab.exe | explorer.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe
    "C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe"
    Checks BIOS information in registry
    Adds Run key to start application
    Checks whether UAC is enabled
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\bfsvc.exe
      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
      PID:3972
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "TONcoin" "ton"
      PID:1080
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • memory/1080-134-0x0000000140000000-0x000000014002A000-memory.dmp
  • memory/3140-130-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp
  • memory/3140-131-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp
  • memory/3140-132-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp
  • memory/3972-133-0x0000000140000000-0x000000014274C000-memory.dmp