Analysis
- max time kernel: 167s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 00:15
Static task: static1
Behavioral task: behavioral1
- Sample: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Resource: win10v2004-20220414-en
General
- Target: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Size: 2.7MB
- MD5: 5af6f9cfc9e093a49b9120cfa4ad66f3
- SHA1: 75dab6481ac8d41fdb02d1c88bdc0636b68accea
- SHA256: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e
- SHA512: 8340c80b61c18b06b3c8ae02b9e96df99ae77a40634679490ee0b7a6a597d73659808c66d64fe63aa3f48de52b9689519684ae27ab2cc668d6a26fbde32b4348
Malware Config
Signatures
- Detected Stratum cryptominer command (1 IoC)
  Looks to be attempting to contact a Stratum mining pool.
  pid 3736: Driver.exe
- LoaderBot executable (1 IoC)
  YARA rule loaderbot matched: behavioral2/memory/2632-133-0x00000000008E0000-0x0000000000FFA000-memory.dmp
- XMRig Miner Payload (3 IoCs)
  YARA rule xmrig matched:
  - behavioral2/memory/3736-138-0x0000000140000000-0x00000001404AB000-memory.dmp
  - behavioral2/memory/3736-141-0x0000000140000000-0x00000001404AB000-memory.dmp
  - behavioral2/memory/3736-142-0x0000000000000000-0x0000000000200000-memory.dmp
- Executes dropped EXE (1 IoC)
  pid 3736: Driver.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Process: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Cryptocurrency Miner
  Makes a network request to a known mining pool URL.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
  Process: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe"
  Process: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
  pid 2632: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe (15 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that last sentence is the sandbox's generic description for this signature. Nothing else in this report (no file encryption, no ransom note, no mass file writes) supports ransomware; the only payload observed in this run is the XMRig miner.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2632: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe (64 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2632: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, pid 2632 (31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe)
  - Token: SeLockMemoryPrivilege, pid 3736 (Driver.exe)
  - Token: SeLockMemoryPrivilege, pid 3736 (Driver.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2632: 31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  - PID 2632 wrote to memory of 3736 (31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe, procid_target 84)
  - PID 2632 wrote to memory of 3736 (31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe, procid_target 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe (PID 2632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (PID 3736, child of 2632)
    Command line: "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    - Detected Stratum cryptominer command
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.5MB
  MD5: cf36d20a96903fb4d0e92eb4fe873ab8
  SHA1: c789a22bd215bfc2a698fda1295f295745f34d35
  SHA256: d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2
  SHA512: d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535