Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7.exe
- Resource: win7-20220414-en
General
- Target: ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7.exe
- Size: 1.1MB
- MD5: 0c218ef7f1dd22804e307ce6b9965e2f
- SHA1: 63500daa7edee18a57d6ac649a6743e95591d591
- SHA256: ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7
- SHA512: 5ee16ee9c3cd397da493bb3f87aead7ee0b9bf3d6274d71ae0be6902d83242a7080821371d44b2a5ac06ec66c1a2037a4763dfc9f1b853a330f3fe2ba9138e4e
Malware Config
(none extracted)

Signatures
- XMRig Miner Payload (2 IoCs)
  resource: behavioral2/memory/3744-134-0x0000026952BE0000-0x0000026952D06000-memory.dmp, yara_rule: xmrig
  resource: behavioral2/memory/3744-135-0x0000026953000000-0x0000026953132000-memory.dmp, yara_rule: xmrig
- Executes dropped EXE (1 IoC)
  pid 3884, process loader.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3884, process loader.exe (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeIncBasePriorityPrivilege, pid 2668, process ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7.exe
  Token: SeLockMemoryPrivilege, pid 3744, process svchost.exe
  Token: SeDebugPrivilege, pid 3884, process loader.exe (the same entry is listed for the remaining 62 IoCs)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2668 (ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7.exe) wrote to memory of 2964 (cmd.exe), listed 3 times
  PID 3884 (loader.exe) wrote to memory of 3744 (svchost.exe), listed 4 times
  PID 2964 (cmd.exe) wrote to memory of 4188 (PING.EXE), listed 3 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c @ping -n 15 127.0.0.1&del C:\Users\Admin\AppData\Local\Temp\DDC80D~1.EXE > nul
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 15 127.0.0.1
      - Runs ping.exe
- [1] C:\ProgramData\WinTcpAutoProxySvc\loader.exe
  command line: C:\ProgramData\WinTcpAutoProxySvc\loader.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\svchost.exe
    command line: "C:\Windows\sysnative\svchost.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\WinTcpAutoProxySvc\loader.exe
  Filesize: 1.1MB
  MD5: 0c218ef7f1dd22804e307ce6b9965e2f
  SHA1: 63500daa7edee18a57d6ac649a6743e95591d591
  SHA256: ddc80d32cf7a231befcc58230707f111a47c6825a98f43dd2fb3edc4d142e0f7
  SHA512: 5ee16ee9c3cd397da493bb3f87aead7ee0b9bf3d6274d71ae0be6902d83242a7080821371d44b2a5ac06ec66c1a2037a4763dfc9f1b853a330f3fe2ba9138e4e
- memory/2964-132-0x0000000000000000-mapping.dmp
- memory/3744-133-0x00000269535F0000-0x0000026953600000-memory.dmp (Filesize: 64KB)
- memory/3744-134-0x0000026952BE0000-0x0000026952D06000-memory.dmp (Filesize: 1.1MB)
- memory/3744-135-0x0000026953000000-0x0000026953132000-memory.dmp (Filesize: 1.2MB)
- memory/3744-136-0x0000026953800000-0x0000026953804000-memory.dmp (Filesize: 16KB)
- memory/3744-137-0x0000026953810000-0x0000026953814000-memory.dmp (Filesize: 16KB)
- memory/4188-138-0x0000000000000000-mapping.dmp