Analysis
-
max time kernel
63s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
12/02/2022, 08:41
Static task
static1
Behavioral task
behavioral1
Sample
36a91c2436063a936deafe03ce15685a4a952bc03d125fd4b79315a829d96c95.exe
Resource
win7-en-20211208
0 signatures
0 seconds
General
-
Target
36a91c2436063a936deafe03ce15685a4a952bc03d125fd4b79315a829d96c95.exe
-
Size
7.6MB
-
MD5
9e9b8e1845d216ee1504fa90ff6d5371
-
SHA1
911c96b3976e0846ff1f46ecd0f8c855405d81da
-
SHA256
36a91c2436063a936deafe03ce15685a4a952bc03d125fd4b79315a829d96c95
-
SHA512
c93e7be4bcc63a5106b4fc1d951c4c63854c5a2ea7a2fa278f580d375c764569ca3d23033b6ba027aea16f14faeb78923d643a99b9599440226a4483755e1448
Malware Config
Extracted
Family
cryptbot
C2
tishun65.top
morvak06.top
Attributes
-
payload_url
http://dankvu08.top/download.php?file=teamer.exe
Signatures
-
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Suspicious use of AdjustPrivilegeToken 54 IoCs
description pid Process Token: SeShutdownPrivilege 2328 svchost.exe Token: SeCreatePagefilePrivilege 2328 svchost.exe Token: SeShutdownPrivilege 2328 svchost.exe Token: SeCreatePagefilePrivilege 2328 svchost.exe Token: SeShutdownPrivilege 2328 svchost.exe Token: SeCreatePagefilePrivilege 2328 svchost.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe Token: SeBackupPrivilege 4464 TiWorker.exe Token: SeRestorePrivilege 4464 TiWorker.exe Token: SeSecurityPrivilege 4464 TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\36a91c2436063a936deafe03ce15685a4a952bc03d125fd4b79315a829d96c95.exe"C:\Users\Admin\AppData\Local\Temp\36a91c2436063a936deafe03ce15685a4a952bc03d125fd4b79315a829d96c95.exe"1⤵PID:1464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4464