Analysis
- max time kernel: 135s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:36
Static task: static1
Behavioral task: behavioral1
  Sample: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
  Resource: win10v2004-20220414-en
General
- Target: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Size: 5.2MB
- MD5: b8a9c4416fda57f7f6c2a9f714ccddf7
- SHA1: 7364b591eb1f949c8df4d9ec99300accb12f3932
- SHA256: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a
- SHA512: f018f8cab0cb9ed08a70036009f20072729d13b9e73bc3ef7ade2218e5b54dc110747c6e660136a6c248d57ab983c8d935648ac1fb8b08bfc87221bf0a52ef89
Malware Config
Signatures
- XMRig Miner Payload (1 IoCs)
  Processes:
    resource: behavioral2/memory/4392-135-0x0000000000400000-0x00000000013AE000-memory.dmp
    yara_rule: xmrig
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 4392, process: taskshell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Cryptocurrency Miner
  Makes network request to known mining pool URL.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\WMI Provider Host\\taskshell.exe"
    process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid: 3272, process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, taskshell.exe
    Token: SeDebugPrivilege, pid: 3272, process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
    Token: SeLockMemoryPrivilege, pid: 4392, process: taskshell.exe
    Token: SeLockMemoryPrivilege, pid: 4392, process: taskshell.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
    description: PID 3272 wrote to memory of 4392, process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, target process: taskshell.exe
    description: PID 3272 wrote to memory of 4392, process: 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe, target process: taskshell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\WMI Provider Host\taskshell.exe (depth 2)
    Command line: "C:\ProgramData\WMI Provider Host\taskshell.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\WMI Provider Host\config.json
  Filesize: 2KB
  MD5: 7e4f178a012ae8d777805a493169d93d
  SHA1: 7e1282eaa2f36ff2abc6bf1eb64b375b47d84122
  SHA256: 1e6401bfde7dedb96cc2dd87dcc0083293113c2414dd5d3d27c4633963ce85e2
  SHA512: 0a543c178546b85d181813e8d7a815e827c030d99ac1f31711a51f616f39100562372459e1d484450a863e1fdcbf79f03e790b80c19994dfc22384d96844fe11
- C:\ProgramData\WMI Provider Host\taskshell.exe
  Filesize: 5.1MB
  MD5: b7171cde96b09f4d3bdb3b2bb510dec9
  SHA1: 934ba3b48a0235b18bdfdc62cb62601eb20ab653
  SHA256: 3cd3732916ceb1386d540de478b0a743666b9d98b8d8f2fe9364029d8d6266ab
  SHA512: fafa112e3e82161b5a5d416aa311b707575fd373e7db4ac86ee056d249bdeaf9e3e8ce16b34480d703a59f253445c33ff2237f27564d364ffc2c2b45d23f5447
- memory/3272-130-0x0000000000B00000-0x0000000001032000-memory.dmp
  Filesize: 5.2MB
- memory/3272-131-0x0000000005F10000-0x00000000064B4000-memory.dmp
  Filesize: 5.6MB
- memory/3272-134-0x0000000006B30000-0x0000000006BC2000-memory.dmp
  Filesize: 584KB
- memory/4392-132-0x0000000000000000-mapping.dmp
- memory/4392-135-0x0000000000400000-0x00000000013AE000-memory.dmp
  Filesize: 15.7MB
- memory/4392-140-0x00000000001A0000-0x00000000001B0000-memory.dmp
  Filesize: 64KB