30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745

Analysis

max time kernel
170s
max time network
192s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-05-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mine2.exe
Size

810KB
MD5

be75e9e51767b5a59536afbbf9ffafbc
SHA1

78be65d86a6918643092e8e90fd72ad3b9ab997f
SHA256

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745
SHA512

4e9f7198dd12adeb21669f74e1cdebe16ac7ccae8e1f29b537438239d1a240a8f1ab890afebe8c1f8603909a1c72b8ce7e7c981f2147fa53dccc6c43b6a3d9e6

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 1 IoCs

pid	Process
1640	test.exe

Deletes itself 1 IoCs

pid	Process
1828	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	mine2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGRAyZk0Y950ZeEUrPGcT36so = "C:\\ProgramData\\test\\test.exe"	mine2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
364	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
468	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1640	test.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe
2008	mine2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	mine2.exe
Token: SeDebugPrivilege	2008	mine2.exe
Token: SeDebugPrivilege	1640	test.exe
Token: SeDebugPrivilege	1640	test.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 364	2008	mine2.exe	28
PID 2008 wrote to memory of 364	2008	mine2.exe	28
PID 2008 wrote to memory of 364	2008	mine2.exe	28
PID 2008 wrote to memory of 1640	2008	mine2.exe	30
PID 2008 wrote to memory of 1640	2008	mine2.exe	30
PID 2008 wrote to memory of 1640	2008	mine2.exe	30
PID 2008 wrote to memory of 1828	2008	mine2.exe	31
PID 2008 wrote to memory of 1828	2008	mine2.exe	31
PID 2008 wrote to memory of 1828	2008	mine2.exe	31
PID 1828 wrote to memory of 468	1828	cmd.exe	33
PID 1828 wrote to memory of 468	1828	cmd.exe	33
PID 1828 wrote to memory of 468	1828	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\mine2.exe
"C:\Users\Admin\AppData\Local\Temp\mine2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn HGRAyZk0Y950ZeEUrPGcT36so /tr "C:\ProgramData\test\test.exe" /st 07:49 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:364
- C:\ProgramData\test\test.exe
  "C:\ProgramData\test\test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4683.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\test\test.exe

Filesize
392.3MB

MD5
1c12c8029fef7dd26aa443e584372065

SHA1
939a46772c8692b530d213e1f29c1926228c3f4e

SHA256
07011eb80ce4ba092a6231378d72d12625e83bbc35fe6e98b4733b75b971c6de

SHA512
685308da19e82e3c13528143f4c0d5b013299acee0efba3312a14cef49805cff97820fe5d78e45b333b32601f9f1dda23a7ffd1437d3a7495d75a2b24bee9b6d

Download Submit
C:\ProgramData\test\test.exe

Filesize
380.0MB

MD5
a6d3220d77f7762164226392881835c4

SHA1
8d3ae8e66c167fbae6574bf17831948612299d3d

SHA256
6953d3c3376dbd650522a1a91470349d2890fc85e9099497d8540d5828355924

SHA512
4d31969c32d564101aeb07e09ac7d436f2e81a5066c7dc205cc152c6312de47f3a9de34e1b15f1889d5722641d94a19dba0aec958f9b0748662fb79d2c5041e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4683.tmp.bat

Filesize
157B

MD5
862f63501190f5bd47c34081629e4228

SHA1
cc6d2fe151a857d0178e319dba2099370670c2ed

SHA256
48dd72786889aec00635e701c1512c35b458410a0b04a40ca380a6810e389a02

SHA512
e1e80309854250c17834321391d05e69fe3efdd4f174b9164019b97d7eee80a22f836fd5f14fc8495ca54a47697332d51e8d8157f7182e6a2f4e917f65d3f37c

Download Submit
\ProgramData\test\test.exe

Filesize
401.5MB

MD5
c5787f0037bc957d216dd8b5da801f22

SHA1
1c6077e31cf55b6077aa9f3fc14232d3ae19489b

SHA256
97463f0942f958cb788b6a78d7c013e9ebad3e0cc527ac6addd9d9d496975fd7

SHA512
8c5f34800ae85b8ec956f546f578636857d3b67ac1f910a7ecb8fd27fd13473888e9bebffe59244b8e3b873cd467b7587735743bf7ea3b138ab6cc6b9f08ee39

Download Submit
memory/1640-63-0x000000013F330000-0x000000013F3FE000-memory.dmp

Filesize
824KB

Download
memory/1640-67-0x000000001B406000-0x000000001B425000-memory.dmp

Filesize
124KB

Download
memory/2008-58-0x000000001B876000-0x000000001B895000-memory.dmp

Filesize
124KB

Download
memory/2008-54-0x000000013FC10000-0x000000013FCDE000-memory.dmp

Filesize
824KB

Download
memory/2008-56-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2008-55-0x000000001BD20000-0x000000001BDF6000-memory.dmp

Filesize
856KB

Download