Analysis
- max time kernel: 3s
- max time network: 5s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-01-2022 19:24
Static task: static1
Behavioral task: behavioral1
- Sample: 0672f13398e67c43c7157c82ebc12bab.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0672f13398e67c43c7157c82ebc12bab.exe
- Resource: win10v2004-en-20220113
General
- Target: 0672f13398e67c43c7157c82ebc12bab.exe
- Size: 1.3MB
- MD5: 0672f13398e67c43c7157c82ebc12bab
- SHA1: 7d0f4d5a05767f7ef534d7b05c72d5498918597d
- SHA256: 93d7032a2106ff7bfe17dd46bf426aea166fdb883b37f377e2818f1882e494b1
- SHA512: 3be366a7b80fc25a4569fef8361174b391b3fa01f9eed4039094a083ce9dc69a265b5041c9da2b9fd736cfd2af540ca0c51a5e70a3bbdb0fce2a076eefb57a5a
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Downloads MZ/PE file
- yara_rule upx
  Processes (resource / yara_rule):
  behavioral2/memory/3972-133-0x0000000140000000-0x000000014274C000-memory.dmp  upx
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  0672f13398e67c43c7157c82ebc12bab.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  0672f13398e67c43c7157c82ebc12bab.exe
- yara_rule themida
  Processes (resource / yara_rule):
  behavioral2/memory/3140-130-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp  themida
  behavioral2/memory/3140-131-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp  themida
  behavioral2/memory/3140-132-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp  themida
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  0672f13398e67c43c7157c82ebc12bab.exe
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  0672f13398e67c43c7157c82ebc12bab.exe
- Suspicious use of SetThreadContext 2 IoCs
  Processes (description / pid / process / target process):
  PID 3140 set thread context of 3972  3140  0672f13398e67c43c7157c82ebc12bab.exe  bfsvc.exe
  PID 3140 set thread context of 1080  3140  0672f13398e67c43c7157c82ebc12bab.exe  explorer.exe
- Suspicious use of WriteProcessMemory 26 IoCs
  Processes (description / pid / process / target process):
  PID 3140 wrote to memory of 3972  3140  0672f13398e67c43c7157c82ebc12bab.exe  bfsvc.exe  (9 identical entries)
  PID 3140 wrote to memory of 1080  3140  0672f13398e67c43c7157c82ebc12bab.exe  explorer.exe  (17 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0672f13398e67c43c7157c82ebc12bab.exe"
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\bfsvc.exe
    Command line: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
  - C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "TONcoin" "ton"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1080-134-0x0000000140000000-0x000000014002A000-memory.dmp (Filesize: 168KB)
- memory/3140-130-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp (Filesize: 4.2MB)
- memory/3140-131-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp (Filesize: 4.2MB)
- memory/3140-132-0x00007FF628B60000-0x00007FF628F9E000-memory.dmp (Filesize: 4.2MB)
- memory/3972-133-0x0000000140000000-0x000000014274C000-memory.dmp (Filesize: 39.3MB)