Analysis
- max time kernel: 45s
- max time network: 49s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 01:53

Static task: static1
Behavioral task: behavioral1
- Sample: min.exe
- Resource: win10-en-20211208
General
- Target: min.exe
- Size: 6.3MB
- MD5: 7e80c2ae5587b824d8230e782089e86b
- SHA1: 90f0912a29b9cc7a55bd4b561e1a574e005cecf6
- SHA256: 43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c
- SHA512: db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a
Malware Config

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

- Executes dropped EXE [4 IoCs]
  Processes:
    pid   process
    4464  RegHost.exe
    1308  RegHost.exe
    2728  RegHost.exe
    2684  RegHost.exe

  Processes:
    resource                                                                        yara_rule
    behavioral1/memory/4712-118-0x0000000140000000-0x000000014274C000-memory.dmp   upx

- Checks BIOS information in registry [2 TTPs, 8 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   RegHost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  min.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   min.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  RegHost.exe

  Processes:
    resource                                                                        yara_rule
    behavioral1/memory/3300-115-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp   themida
    behavioral1/memory/3300-116-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp   themida
    behavioral1/memory/3300-117-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp   themida
    C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                            themida
    C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                            themida
    behavioral1/memory/4464-123-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    behavioral1/memory/4464-124-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    behavioral1/memory/4464-125-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                            themida
    behavioral1/memory/1308-130-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    behavioral1/memory/1308-131-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    behavioral1/memory/1308-132-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                            themida
    behavioral1/memory/2728-137-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    behavioral1/memory/2728-138-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    behavioral1/memory/2728-139-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp   themida
    C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe                            themida

- Adds Run key to start application [2 TTPs, 4 IoCs]
  Processes:
    description      ioc                                                                                                                                    process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  min.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"  RegHost.exe
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                            process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  min.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegHost.exe

- Suspicious use of SetThreadContext [8 IoCs]
  Processes:
    description                          pid   process      target process
    PID 3300 set thread context of 4712  3300  min.exe      bfsvc.exe
    PID 3300 set thread context of 4708  3300  min.exe      explorer.exe
    PID 4464 set thread context of 660   4464  RegHost.exe  bfsvc.exe
    PID 4464 set thread context of 912   4464  RegHost.exe  explorer.exe
    PID 1308 set thread context of 1728  1308  RegHost.exe  bfsvc.exe
    PID 1308 set thread context of 1740  1308  RegHost.exe  explorer.exe
    PID 2728 set thread context of 2744  2728  RegHost.exe  bfsvc.exe
    PID 2728 set thread context of 396   2728  RegHost.exe  explorer.exe

- Suspicious behavior: EnumeratesProcesses [64 IoCs]
  Processes (identical rows collapsed; the count of repeated entries is given in parentheses):
    pid   process
    4708  explorer.exe  (10 entries)
    912   explorer.exe  (20 entries)
    1740  explorer.exe  (20 entries)
    396   explorer.exe  (14 entries)

- Suspicious use of WriteProcessMemory [64 IoCs]
  Processes (identical rows collapsed; the count of repeated entries is given in parentheses):
    description                       pid   process       target process
    PID 3300 wrote to memory of 4712  3300  min.exe       bfsvc.exe     (9 entries)
    PID 3300 wrote to memory of 4708  3300  min.exe       explorer.exe  (17 entries)
    PID 4708 wrote to memory of 4464  4708  explorer.exe  RegHost.exe   (2 entries)
    PID 4464 wrote to memory of 660   4464  RegHost.exe   bfsvc.exe     (9 entries)
    PID 4464 wrote to memory of 912   4464  RegHost.exe   explorer.exe  (17 entries)
    PID 912 wrote to memory of 1308   912   explorer.exe  RegHost.exe   (2 entries)
    PID 1308 wrote to memory of 1728  1308  RegHost.exe   bfsvc.exe     (8 entries)
Processes (process tree; the number in brackets is the nesting depth)
- [1] C:\Users\Admin\AppData\Local\Temp\min.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\min.exe"
  signatures: Checks BIOS information in registry; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\bfsvc.exe
    cmdline: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
  - [2] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
      signatures: Executes dropped EXE; Checks BIOS information in registry; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\bfsvc.exe
        cmdline: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
      - [4] C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
          signatures: Executes dropped EXE; Checks BIOS information in registry; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\bfsvc.exe
            cmdline: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
          - [6] C:\Windows\explorer.exe
            cmdline: C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
            signatures: Suspicious behavior: EnumeratesProcesses
            - [7] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
              signatures: Executes dropped EXE; Checks BIOS information in registry; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext
              - [8] C:\Windows\bfsvc.exe
                cmdline: C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQAP2qRJuOQami_vJaEGhoLhb3Upt_Ju7WwLXQ9ktcpis6qe
              - [8] C:\Windows\explorer.exe
                cmdline: C:\Windows\explorer.exe "None" "Microsoft%20Basic%20Display%20Adapter" "Toncoin" "ton"
                signatures: Suspicious behavior: EnumeratesProcesses
                - [9] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                  signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  MD5: 7e80c2ae5587b824d8230e782089e86b
  SHA1: 90f0912a29b9cc7a55bd4b561e1a574e005cecf6
  SHA256: 43d66e78f5334cc183e22aa29c64a9fdf4356e5a0c5052489fd7edc127460a6c
  SHA512: db0e42e94976b9fe4d75a502b0a32f3ec4e6b993de02781ccef11a4aebc0fb0cedf1d43cd2280faa186edb66ff869f2b883f091889958625081b1a97cde5203a
- memory/396-142-0x0000000140000000-0x000000014002A000-memory.dmp (Filesize: 168KB)
- memory/912-128-0x0000000140000000-0x000000014002A000-memory.dmp (Filesize: 168KB)
- memory/1308-132-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/1308-130-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/1308-131-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/1740-135-0x0000000140000000-0x000000014002A000-memory.dmp (Filesize: 168KB)
- memory/2728-139-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/2728-137-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/2728-138-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/3300-116-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp (Filesize: 9.3MB)
- memory/3300-115-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp (Filesize: 9.3MB)
- memory/3300-117-0x00007FF78B5A0000-0x00007FF78BEE9000-memory.dmp (Filesize: 9.3MB)
- memory/4464-124-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/4464-125-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/4464-123-0x00007FF6E2360000-0x00007FF6E2CA9000-memory.dmp (Filesize: 9.3MB)
- memory/4708-121-0x0000000140000000-0x000000014002A000-memory.dmp (Filesize: 168KB)
- memory/4708-119-0x0000000140000000-0x000000014002A000-memory.dmp (Filesize: 168KB)
- memory/4712-118-0x0000000140000000-0x000000014274C000-memory.dmp (Filesize: 39.3MB)