Analysis
-
max time kernel
94s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:39
Static task
static1
Behavioral task
behavioral1
Sample
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe
Resource
win10v2004-20220414-en
General
-
Target
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe
-
Size
19.2MB
-
MD5
19263218df8fc863e249a5300abd8856
-
SHA1
0775d23e9c3aca70961fe1498735c650f441c5df
-
SHA256
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
-
SHA512
cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs
-
XMRig Miner Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2308-136-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral2/memory/2308-137-0x00000000004014F0-mapping.dmp xmrig behavioral2/memory/2308-139-0x0000000000400000-0x0000000000873000-memory.dmp xmrig behavioral2/memory/2308-141-0x0000000000400000-0x0000000000873000-memory.dmp xmrig -
Drops file in Drivers directory 1 IoCs
Processes:
System.exedescription ioc process File opened for modification C:\Windows\System32\Drivers\Etc\Hosts System.exe -
Executes dropped EXE 1 IoCs
Processes:
System.exepid process 2996 System.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
System.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.exe = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe" System.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
System.exedescription pid process target process PID 2996 set thread context of 2308 2996 System.exe dwm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exeSystem.exepid process 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe 2996 System.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exeSystem.exedwm.exedescription pid process Token: SeDebugPrivilege 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe Token: SeDebugPrivilege 2996 System.exe Token: SeLockMemoryPrivilege 2308 dwm.exe Token: SeLockMemoryPrivilege 2308 dwm.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exeSystem.exedescription pid process target process PID 4952 wrote to memory of 2996 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe System.exe PID 4952 wrote to memory of 2996 4952 5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe System.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe PID 2996 wrote to memory of 2308 2996 System.exe dwm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe"C:\Users\Admin\AppData\Local\Temp\5750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\System.exe"C:\Users\Admin\AppData\Roaming\System.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe -B -a cryptonight --donate-level=1 --url=gulf.moneroocean.stream:10001 -u 43NsyECLTgtEFJ3cbXQAHCe7dvuijrjXENAEZWPucGh6GgdHC5eYHHcXNjyvSDeK4QfaXSbg8rQTw1EiCmZnmpuY9d8MxqY -p Admin -k --randomx-mode=light --cpu-priority=0 -t 13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\System.exeFilesize
19.2MB
MD519263218df8fc863e249a5300abd8856
SHA10775d23e9c3aca70961fe1498735c650f441c5df
SHA2565750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
SHA512cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
-
C:\Users\Admin\AppData\Roaming\System.exeFilesize
19.2MB
MD519263218df8fc863e249a5300abd8856
SHA10775d23e9c3aca70961fe1498735c650f441c5df
SHA2565750a4e7e392665b01ccfdd4af273ccbe096b14516c7a3e0f2fbb068ad25e482
SHA512cc793a66cf206bf8e48a55e0c84dfc361d44896b5a69534d27b9376bd7d7be59067a667e5077fbea48f40c7841994c57e1bcdfabe14c42d4a59271a9ea4b44a9
-
memory/2308-136-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/2308-137-0x00000000004014F0-mapping.dmp
-
memory/2308-139-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/2308-140-0x000001A241C10000-0x000001A241C20000-memory.dmpFilesize
64KB
-
memory/2308-141-0x0000000000400000-0x0000000000873000-memory.dmpFilesize
4.4MB
-
memory/2308-142-0x000001A241E30000-0x000001A241E34000-memory.dmpFilesize
16KB
-
memory/2996-132-0x0000000000000000-mapping.dmp
-
memory/2996-135-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmpFilesize
10.8MB
-
memory/4952-130-0x0000000000650000-0x0000000001984000-memory.dmpFilesize
19.2MB
-
memory/4952-131-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmpFilesize
10.8MB