Analysis
- max time kernel: 136s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:04
Static task: static1
Behavioral task: behavioral1
  Sample: f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
  Resource: win10v2004-20220414-en
General
- Target: f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
- Size: 982KB
- MD5: 504b942b2155be474f4c649f14b01b2a
- SHA1: de56b9060343204ce66d66934e65c1b8afb97fcd
- SHA256: f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a
- SHA512: cf618d58cfbf647e4d256e402aaaa452f3ee9140fbd6613d1bebe064e5ae661cc2eaf5c2faf04acf2a68900610ca6ff82051f5b42f75ac6d5b364d0252013931
Malware Config
Signatures
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    4340  minerd.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    4340  minerd.exe
    4340  minerd.exe
    4340  minerd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 1092 wrote to memory of 4340  1092  f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe  minerd.exe
    PID 1092 wrote to memory of 4340  1092  f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe  minerd.exe
    PID 1092 wrote to memory of 4340  1092  f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe  minerd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4673230c670e9d06fda094c57a6bdb475e4ce9c564d0274abfbf6de4e11820a.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Miner\minerd.exe (child process)
    Command line: -a scrypt:1048576 -o stratum+tcp://95.217.0.105:3334 -u hi.a:user -p pa -t 1
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\Miner\libcurl-4.dll
  Filesize: 392KB
  MD5: 5b7ac25acd989d7b8a34356c9756baae
  SHA1: e0730d0ef6d407beb3793919bfa5bff9fc2161b8
  SHA256: 647c3b3ee1831bd4ff7352420998252ff829c1ec6422df424b0a5b94a9b0f2ab
  SHA512: 1fc2d1ceedad6ea7176f9135595afbe78d2279e84f48f3589517a279e1222c2e50e067a11e9dee41495660fa7fb76c9bf0b2a712902a0d369e52cc44f8cd5185
- C:\Users\Admin\AppData\Local\Temp\Miner\libwinpthread-1.dll
  Filesize: 237KB
  MD5: 033b8b7a02840c53f11b116f829f5ee8
  SHA1: fba2470808b23fca7c25e18b948a8fc241116cfe
  SHA256: b9a5f5e2b12a102259f1564610e120a719afdc6b21577ddefb76fec0d6dfec0f
  SHA512: d2d0c2fa1c9f95420cb508d2370c29e743c8b2b41164b8389acd59c138cd3b9a3f360e8efea2a4fa635eaceb6ae7a54911ecb265cf808e47fb4716dfd6f5cdc7
- C:\Users\Admin\AppData\Local\Temp\Miner\minerd.exe
  Filesize: 194KB
  MD5: d299dfef00859284869c183540f8e381
  SHA1: ca922c47486e0c0b568609a3ea5d62c7eafbf51d
  SHA256: bca59846ab83bc5bf5d9b956a8a4c2ec1f7525ca1bc2211d43bf8732158434fd
  SHA512: d996e5c9dae440ec9773c43d6673c70045106e4faab05962f2a090b6ba518ab4e04aa4b2ee1c4b60e88e9f7a1ff3c5fd8f9ca09f424248b6d967b21295c0ae3a
- C:\Users\Admin\AppData\Local\Temp\Miner\zlib1.dll
  Filesize: 110KB
  MD5: af80fcb8f710f36157cbcb9385ba241c
  SHA1: b9aa9f2a839310d80d3616786bc52365d1564828
  SHA256: 4a7dbfc031b1d84d153b418175c366b47c91be0c587389c23e10a4b93fd7b9d6
  SHA512: 902da40aed9aaa1c71ea001f624a83d7258c8c4ab4eba9eaba5ca5f6fadad9f39e9814671d6bcea17f16079485dcd448668f497127261d85499c7b1bbc734ebc
- memory/4340-130-0x0000000000000000-mapping.dmp
- memory/4340-139-0x0000000062E80000-0x0000000062EA3000-memory.dmp
  Filesize: 140KB
- memory/4340-140-0x0000000070800000-0x0000000070859000-memory.dmp
  Filesize: 356KB