30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745

Analysis

max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-06-2022 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mine2.exe
Size

810KB
MD5

be75e9e51767b5a59536afbbf9ffafbc
SHA1

78be65d86a6918643092e8e90fd72ad3b9ab997f
SHA256

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745
SHA512

4e9f7198dd12adeb21669f74e1cdebe16ac7ccae8e1f29b537438239d1a240a8f1ab890afebe8c1f8603909a1c72b8ce7e7c981f2147fa53dccc6c43b6a3d9e6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1636	test.exe

Deletes itself 1 IoCs

pid	Process
1648	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1808	mine2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGRAyZk0Y950ZeEUrPGcT36so = "C:\\ProgramData\\test\\test.exe"	mine2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1952	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1300	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1636	test.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe
1808	mine2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	mine2.exe
Token: SeDebugPrivilege	1808	mine2.exe
Token: SeDebugPrivilege	1636	test.exe
Token: SeDebugPrivilege	1636	test.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1952	1808	mine2.exe	29
PID 1808 wrote to memory of 1952	1808	mine2.exe	29
PID 1808 wrote to memory of 1952	1808	mine2.exe	29
PID 1808 wrote to memory of 1636	1808	mine2.exe	31
PID 1808 wrote to memory of 1636	1808	mine2.exe	31
PID 1808 wrote to memory of 1636	1808	mine2.exe	31
PID 1808 wrote to memory of 1648	1808	mine2.exe	32
PID 1808 wrote to memory of 1648	1808	mine2.exe	32
PID 1808 wrote to memory of 1648	1808	mine2.exe	32
PID 1648 wrote to memory of 1300	1648	cmd.exe	34
PID 1648 wrote to memory of 1300	1648	cmd.exe	34
PID 1648 wrote to memory of 1300	1648	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\mine2.exe
"C:\Users\Admin\AppData\Local\Temp\mine2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /create /tn HGRAyZk0Y950ZeEUrPGcT36so /tr "C:\ProgramData\test\test.exe" /st 07:57 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:1952
- C:\ProgramData\test\test.exe
  "C:\ProgramData\test\test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\test\test.exe

Filesize
337.6MB

MD5
63ae965c970da33b85ea4066f92615e6

SHA1
5daa0f8f0e741ca5d4b0810fe466b9818b310d7b

SHA256
fc5c54ba79daf17e88c521a977a3d365e7775ac39d6e0299354c10ea247f02a2

SHA512
a7e39e8aca9581d763b498283fb221795ff9011176b7cc96afebfef17e31610de949289b9fea3af04f1cac02ab8436306cd6d368f90148d493406ad96e147439

Download Submit
C:\ProgramData\test\test.exe

Filesize
340.2MB

MD5
928189c3c3fb79e682f14523007b6062

SHA1
4b33532a9b1bc85d2b0740aa4093a4169774d4ca

SHA256
12ee6984ee792191b85c0399a49af7af10903cf4e1a28ea6a7387a17d89d2f15

SHA512
6f1b43b4181248fad654c8cb141a9622b38b27be485cd049b4ed120ce203638be22f649f7c94c5955d08771638ad854b730f34a8316db985de96d70cac96f804

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.bat

Filesize
157B

MD5
027c7e09bbad348d089ab9a459de33e4

SHA1
b4a500ca92a8856aba1c4bb04278772c18fc7287

SHA256
5ae5ea2ebc5793c3e54ca025329bfa77db4d34169486831098a726a840a1ef65

SHA512
93637c0a966f720234d54ffb45263c94d660840b21d4869f65a79e044a9004595bfdf9260ca3dac715e0d26584a319a692e2240c9ece2e7b029916710fde414b

Download Submit
\ProgramData\test\test.exe

Filesize
323.2MB

MD5
3600858e48c033959ab11417a63ad459

SHA1
24a46023c14ce7236069b7e59581aa925f7efc68

SHA256
e64e211333262dddc3eecb9e9074dfa11b1e35ac2304fae14fa709fdef633d11

SHA512
3aba5914fb90fabbc64f45ab94d90a158b81ce8f649b0ab727bbd994d2976b35d0dac9c0414f442e8212df00c8d3ca9aa94655cb9ba9b52729048a401b231644

Download Submit
memory/1636-69-0x000000001BA36000-0x000000001BA55000-memory.dmp

Filesize
124KB

Download
memory/1636-68-0x000000001BA36000-0x000000001BA55000-memory.dmp

Filesize
124KB

Download
memory/1636-65-0x000000013F0E0000-0x000000013F1AE000-memory.dmp

Filesize
824KB

Download
memory/1808-55-0x000000001B420000-0x000000001B4F6000-memory.dmp

Filesize
856KB

Download
memory/1808-57-0x000000001BD36000-0x000000001BD55000-memory.dmp

Filesize
124KB

Download
memory/1808-54-0x000000013FFB0000-0x000000014007E000-memory.dmp

Filesize
824KB

Download
memory/1808-56-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/1808-59-0x000000001BD36000-0x000000001BD55000-memory.dmp

Filesize
124KB

Download