Analysis
max time kernel: 147s
max time network: 170s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 22:26
Static task: static1
Behavioral task: behavioral1
  Sample: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
  Resource: win10v2004-20220414-en
General
Target: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Size: 2.4MB
MD5: 05e5b7a1ba45c36e63bb4bc1d39874c9
SHA1: db184def60fb765dd0c14db6d77661611011c097
SHA256: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e
SHA512: 979ece9f909d9b7c299d688cd6aa9997f33c6bd5660f082e976df92797359709bf6c4b199d6429b31edcd8bf3d7d45696f3e534fac537ce1f441322d1fd15ade
Malware Config
Signatures
XMRig Miner Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1164-72-0x00000000004E78B0-mapping.dmp | xmrig
behavioral1/memory/1164-75-0x0000000000400000-0x00000000004ED000-memory.dmp | xmrig
behavioral1/memory/1164-78-0x0000000000400000-0x00000000004ED000-memory.dmp | xmrig
Processes:
resource | yara_rule
behavioral1/memory/1164-71-0x0000000000400000-0x00000000004ED000-memory.dmp | upx
behavioral1/memory/1164-73-0x0000000000400000-0x00000000004ED000-memory.dmp | upx
behavioral1/memory/1164-74-0x0000000000400000-0x00000000004ED000-memory.dmp | upx
behavioral1/memory/1164-75-0x0000000000400000-0x00000000004ED000-memory.dmp | upx
behavioral1/memory/1164-78-0x0000000000400000-0x00000000004ED000-memory.dmp | upx
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: notepad.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | notepad.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\TiDxYXjUUK = "\"C:\\Users\\Admin\\AppData\\Local\\MUUEQU~1\\javaxp.exe\"" | notepad.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe, notepad.exe
description | pid | process | target process
PID 1640 set thread context of 916 | 1640 | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe | notepad.exe
PID 916 set thread context of 1164 | 916 | notepad.exe | notepad.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Modifies registry class 2 IoCs
Processes: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\rh1556396373q.ysg | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\rh1556396373q.ysg\ = aa0bc406b686c63ce39d6a24125616d4 | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes: notepad.exe
pid | process
916 | notepad.exe (31 identical entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: notepad.exe, notepad.exe
description | pid | process
Token: SeDebugPrivilege | 916 | notepad.exe
Token: SeLockMemoryPrivilege | 1164 | notepad.exe
Token: SeLockMemoryPrivilege | 1164 | notepad.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
pid | process
1640 | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes: a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe, notepad.exe
description | pid | process | target process
PID 1640 wrote to memory of 916 | 1640 | a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe | notepad.exe (10 identical entries)
PID 916 wrote to memory of 1164 | 916 | notepad.exe | notepad.exe (10 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe"
   - Checks BIOS information in registry
   - Suspicious use of SetThreadContext
   - Enumerates system info in registry
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\system32\notepad.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\notepad.exe
         Command line: "C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\muuEquuwjW\cfgi"
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\muuEquuwjW\cfgi
  Filesize: 550B
  MD5: ecf7d1daa62b857e40a493f631724288
  SHA1: 64b3b1fe9f5ba2373a29a5fb65c48a01dda0d368
  SHA256: df7a381eb21a2b0045bba660c9af597157e07c202a49446a166894ec6f214a69
  SHA512: 042eb8e953188ca9b574e1f14d1bc95aaa643ca7d31bf6ba7b10fa97964332ff6a0b97a90d8199ed99eece61d8c47c08f0af9ccfdb67c4d25c4931fd03c970e6
memory/916-67-0x0000000000403F50-mapping.dmp
memory/916-63-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-70-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-61-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-77-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-65-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-66-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-58-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/916-59-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB
memory/1164-72-0x00000000004E78B0-mapping.dmp
memory/1164-73-0x0000000000400000-0x00000000004ED000-memory.dmp
  Filesize: 948KB
memory/1164-74-0x0000000000400000-0x00000000004ED000-memory.dmp
  Filesize: 948KB
memory/1164-75-0x0000000000400000-0x00000000004ED000-memory.dmp
  Filesize: 948KB
memory/1164-71-0x0000000000400000-0x00000000004ED000-memory.dmp
  Filesize: 948KB
memory/1164-78-0x0000000000400000-0x00000000004ED000-memory.dmp
  Filesize: 948KB
memory/1640-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
  Filesize: 8KB
memory/1640-57-0x0000000000400000-0x0000000000769000-memory.dmp
  Filesize: 3.4MB