55e326edd8ef12202de73dbc00c036fc01b17e808b3553080279f49946800eb3

General

Target

teamredminer-v0.3.4-win/start_cnv8.bat
Size

1KB
MD5

2a3678b82753d786ac3a98c6ae19cc49
SHA1

274dddcba965bf2949d64c687e719cb66030b484
SHA256

ee912ceb57f257d5a6a3911b0954aa4de7d8eb46dd6e1bb8d6f245a2c400f404
SHA512

1b31a7a5083606966f92814901f66e9266c16733669027171fbd21ed0ac4f981f0d0426ebe8d2544b2cd32fa03352d1f43fc17cf0372eb9f6cd2383bd916df1e

Score

9^/10

miner

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Loads dropped DLL 3 IoCs

Processes:

teamredminer.exe

pid process

2368 teamredminer.exe
2368 teamredminer.exe
2368 teamredminer.exe

pid	process
2368	teamredminer.exe
2368	teamredminer.exe
2368	teamredminer.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\modified\@SYSWOW64@\rat.exe	autoit_exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3892 2368 WerFault.exe teamredminer.exe
952 2368 WerFault.exe teamredminer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

teamredminer.exe

description pid process

Token: 33 2368 teamredminer.exe
Token: SeIncBasePriorityPrivilege 2368 teamredminer.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

teamredminer.exe

pid process

2368 teamredminer.exe

pid	pid_target	process	target process
3892	2368	WerFault.exe	teamredminer.exe
952	2368	WerFault.exe	teamredminer.exe

description	pid	process
Token: 33	2368	teamredminer.exe
Token: SeIncBasePriorityPrivilege	2368	teamredminer.exe

pid	process
2368	teamredminer.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2176 wrote to memory of 2368	2176	cmd.exe	teamredminer.exe
PID 2176 wrote to memory of 2368	2176	cmd.exe	teamredminer.exe
PID 2176 wrote to memory of 2368	2176	cmd.exe	teamredminer.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\teamredminer-v0.3.4-win\start_cnv8.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\teamredminer-v0.3.4-win\teamredminer.exe
teamredminer.exe -a cnv8 -o stratum+tcp://pool.supportxmr.com:7777 -u 479c6JsyawEVAMNZU8GMmXgVPTxd1vdejR6vVpsm7z8y2AvP7C5hz2g5gfrqyffpvLPLYb2eUmmWA5yhRw5ANYyePX7SvLE -p x
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1084
3⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1084
3⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2368 -ip 2368
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2368 -ip 2368
1⤵
PID:4648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\modified\@SYSWOW64@\rat.exe
Filesize
4.9MB

MD5
0d46a5e73dc74ebc14753f25796be25d

SHA1
ce737d3ce162912f5a0d8b13db022595b36b889c

SHA256
1e1635f254c180f6c7205444a14251a8dfb299f872b70bd41c69db711c349c15

SHA512
e00e107d9f194eadaa2d383b634a3a580ba43400909643bcfa5c41e069ff21f8a4f0101c3a311e11485dc4bd132463dfc555dc45fc0917ab8fb9be8e6ec47e33

Download Submit
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\temp\2368_73ae0000_tls.dll
Filesize
1024B

MD5
cdb20c9209e6696a90d91f603ff02eb6

SHA1
071bd4956ad197662562b5b624f93435e3bde9b4

SHA256
49ef66592408bf827b966e589f7ff316a17ad566bcbccd54e1c64166e470f228

SHA512
caa6ac49d2c84795795f89b4b0daf1ef7e75fecdb20a6155e46fcc37b0a40aac9d9bd1fe30cdecf5ef4154d14fef9058a8f7f205954aee886e3f5384ca847548

Download Submit
C:\Users\Admin\AppData\Local\ERR\Sandbox\done\9.89.79.69\local\temp\2368_75700000_tls.dll
Filesize
1024B

MD5
7cbf39771c5187619bcb90ddc3fd3a56

SHA1
950e1aee6d1baaa33f89501cc8abe1e1d13df751

SHA256
7edd2bad8be17a0ef8f9b0f6b95d4f3469cc961e1f02660b4708a529bb914d82

SHA512
b6cbf9d275facbadd6b8ae1dd19cf63e5a5a2fd90ea53e3cd2dfa2e2f0530b153999e86491d579003c3342666c2d74a75b596383b1e03fb4060af4e296cc8353

Download Submit
memory/2368-130-0x0000000000000000-mapping.dmp

Download
memory/2368-132-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-133-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-134-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-135-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-136-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-138-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-137-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-140-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-139-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-142-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2368-143-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/2368-148-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/2368-151-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2368-154-0x0000000000C70000-0x0000000000FB5000-memory.dmp

Filesize
3.3MB

Download
memory/2368-156-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/2368-158-0x0000000076F10000-0x00000000770B3000-memory.dmp

Filesize
1.6MB

Download
memory/2368-157-0x00000000758D0000-0x0000000075E83000-memory.dmp

Filesize
5.7MB

Download
memory/2368-164-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-165-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-166-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-167-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-168-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-169-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-170-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-172-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-171-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-174-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-173-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-175-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-176-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-177-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-178-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-179-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-180-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-181-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-182-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-183-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-184-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-185-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-186-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-187-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-188-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-189-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-190-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-191-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-192-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-193-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-194-0x0000000073DD0000-0x0000000073DF8000-memory.dmp

Filesize
160KB

Download
memory/2368-198-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-197-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-199-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-200-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-201-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-202-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-203-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-204-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-205-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-206-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-207-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download
memory/2368-208-0x0000000073AE0000-0x0000000073CF0000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads