Analysis
- max time kernel: 201s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-05-2022 13:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
- Resource: win7-20220414-en
General
- Target: 13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
- Size: 506KB
- MD5: b153ea5996f9a64f1c1da4bb7298680e
- SHA1: cec8c0b3853836265a11d2cdb1cda41c4a0ac79c
- SHA256: 13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73
- SHA512: 1420231956da8ca362569f2fbcdc86d3e03741701b9a38a100392d427f3d4bf37a1077e32b252651feaa9dbf7b82c351431986527f7ca49560e36f5fac0d593b
Malware Config
Signatures
- XMRig Miner Payload (1 IoC)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe  xmrig
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    3468  83208120.exe
    220   ntutrf.exe
    3044  LTM Agent.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  ntutrf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process), repeated entries collapsed:
    3468  83208120.exe  (7 entries)
    220   ntutrf.exe    (remaining entries)
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes (pid / process):
    648
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege       3468  83208120.exe
    Token: SeDebugPrivilege       220   ntutrf.exe
    Token: SeLockMemoryPrivilege  3044  LTM Agent.exe
    Token: SeLockMemoryPrivilege  3044  LTM Agent.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 1180 wrote to memory of 3468  1180  13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe  83208120.exe
    PID 1180 wrote to memory of 3468  1180  13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe  83208120.exe
    PID 220 wrote to memory of 3044   220   ntutrf.exe  LTM Agent.exe
    PID 220 wrote to memory of 3044   220   ntutrf.exe  LTM Agent.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13cdd5d789b46a4913b3414b6cf9928ebcdb725bf7664974c0d5851be1c37a73.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
  Command line: C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe" --donate-level 1 -o xmr-eu1.nanopool.org:14433 -u 8AahDWVyjfUVpZMHPDz28ggYvNY11zoFTKrrM5F1LPfB1AjHoPVdR4L6PXF6iawSfwgfD7xbAwqgeCLeNTQKkCeWLhDqhp6 -k --tls --coin monero --threads=1
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\240630062\83208120.exe
  Filesize: 899KB
  MD5: b1170755eb3405b9c0bc87b8ac283c2c
  SHA1: 549fc9a313cdecb5e1d5046fc7f1595360210618
  SHA256: 0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7
  SHA512: 16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33
- C:\Users\Admin\AppData\Local\Temp\syrmwiuivxxcemrs\LTM Agent.exe
  Filesize: 6.5MB
  MD5: df17112395adb8d45a4c623c06ee76d1
  SHA1: 7ce7def2a89b4b9f6a00660d3cd0aee958b1e8f9
  SHA256: 87ca7cd083a35bc3c82d4403539706dff98a880c926115a1c09871a86f1ab5a1
  SHA512: fa89bff5d774183f87e8ab5d6c247a848c1e2101a32040920c43ca6cb9b1ec2cd88b1da699f1130528b6358c3e745732a8e8aaa70d0d4f6fc3af54aa56927620
- C:\Users\Admin\AppData\Roaming\cyn\kpzewomn\ntutrf.exe
  Filesize: 899KB
  MD5: b1170755eb3405b9c0bc87b8ac283c2c
  SHA1: 549fc9a313cdecb5e1d5046fc7f1595360210618
  SHA256: 0e5b586435e345c935b163bbec17ced49c4577de6e8bd00c56e38615edc467d7
  SHA512: 16495edfbcd7b07a4d7dcdeb3efa1ed798eb00c086ad9c20d34b90121c5a73b8921f9860a405ddf4469793a045f8e31c79216bb4c1d0d5d1c07986d297de4b33
- memory/220-139-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp
  Filesize: 10.8MB
- memory/1180-130-0x0000000000B90000-0x0000000000C18000-memory.dmp
  Filesize: 544KB
- memory/1180-131-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp
  Filesize: 10.8MB
- memory/3044-140-0x0000000000000000-mapping.dmp
- memory/3044-142-0x00000000001A0000-0x00000000001B4000-memory.dmp
  Filesize: 80KB
- memory/3044-143-0x00000000010D0000-0x00000000010F0000-memory.dmp
  Filesize: 128KB
- memory/3044-144-0x0000000001600000-0x0000000001620000-memory.dmp
  Filesize: 128KB
- memory/3468-136-0x00007FFE537D0000-0x00007FFE54291000-memory.dmp
  Filesize: 10.8MB
- memory/3468-135-0x00000000001A0000-0x000000000028A000-memory.dmp
  Filesize: 936KB
- memory/3468-132-0x0000000000000000-mapping.dmp