Analysis
- max time kernel: 139s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:36
Static task: static1
Behavioral task: behavioral1
- Sample: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Resource: win10v2004-20220414-en
General
- Target: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Size: 5.2MB
- MD5: b8a9c4416fda57f7f6c2a9f714ccddf7
- SHA1: 7364b591eb1f949c8df4d9ec99300accb12f3932
- SHA256: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a
- SHA512: f018f8cab0cb9ed08a70036009f20072729d13b9e73bc3ef7ade2218e5b54dc110747c6e660136a6c248d57ab983c8d935648ac1fb8b08bfc87221bf0a52ef89
Malware Config
Signatures
- XMRig Miner Payload (1 IoC)
  resource: behavioral1/memory/1620-59-0x0000000000400000-0x00000000013AE000-memory.dmp, yara_rule: xmrig
- Executes dropped EXE (1 IoC)
  pid 1620, process taskshell.exe
- Cryptocurrency Miner
  Makes network request to known mining pool URL.
- Loads dropped DLL (1 IoC)
  pid 836, process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\WMI Provider Host\\taskshell.exe"
  process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 836, process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 836, process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
  Token: SeLockMemoryPrivilege, pid 1620, process taskshell.exe
  Token: SeLockMemoryPrivilege, pid 1620, process taskshell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 836 wrote to memory of 1620; process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, target process taskshell.exe
  PID 836 wrote to memory of 1620; process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, target process taskshell.exe
  PID 836 wrote to memory of 1620; process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, target process taskshell.exe
  PID 836 wrote to memory of 1620; process 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, target process taskshell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\WMI Provider Host\taskshell.exe
    Command line: "C:\ProgramData\WMI Provider Host\taskshell.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\WMI Provider Host\config.json
  Filesize: 2KB
  MD5: 7e4f178a012ae8d777805a493169d93d
  SHA1: 7e1282eaa2f36ff2abc6bf1eb64b375b47d84122
  SHA256: 1e6401bfde7dedb96cc2dd87dcc0083293113c2414dd5d3d27c4633963ce85e2
  SHA512: 0a543c178546b85d181813e8d7a815e827c030d99ac1f31711a51f616f39100562372459e1d484450a863e1fdcbf79f03e790b80c19994dfc22384d96844fe11
- C:\ProgramData\WMI Provider Host\taskshell.exe (also listed as \ProgramData\WMI Provider Host\taskshell.exe with identical hashes)
  Filesize: 5.1MB
  MD5: b7171cde96b09f4d3bdb3b2bb510dec9
  SHA1: 934ba3b48a0235b18bdfdc62cb62601eb20ab653
  SHA256: 3cd3732916ceb1386d540de478b0a743666b9d98b8d8f2fe9364029d8d6266ab
  SHA512: fafa112e3e82161b5a5d416aa311b707575fd373e7db4ac86ee056d249bdeaf9e3e8ce16b34480d703a59f253445c33ff2237f27564d364ffc2c2b45d23f5447
- memory/836-54-0x00000000002B0000-0x00000000007E2000-memory.dmp
  Filesize: 5.2MB
- memory/836-55-0x0000000075721000-0x0000000075723000-memory.dmp
  Filesize: 8KB
- memory/1620-57-0x0000000000000000-mapping.dmp
- memory/1620-59-0x0000000000400000-0x00000000013AE000-memory.dmp
  Filesize: 15.7MB
- memory/1620-64-0x00000000003F0000-0x0000000000400000-memory.dmp
  Filesize: 64KB