30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-06-2022 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mine2.exe
Size

810KB
MD5

be75e9e51767b5a59536afbbf9ffafbc
SHA1

78be65d86a6918643092e8e90fd72ad3b9ab997f
SHA256

30a4788b9d7eb3c50403737f4af3882b79ba75b8201d53aefb359336f5763745
SHA512

4e9f7198dd12adeb21669f74e1cdebe16ac7ccae8e1f29b537438239d1a240a8f1ab890afebe8c1f8603909a1c72b8ce7e7c981f2147fa53dccc6c43b6a3d9e6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3932	test.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	mine2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGRAyZk0Y950ZeEUrPGcT36so = "C:\\ProgramData\\test\\test.exe"	mine2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2636	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2272	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe
2064	mine2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	mine2.exe
Token: SeDebugPrivilege	2064	mine2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2636	2064	mine2.exe	86
PID 2064 wrote to memory of 2636	2064	mine2.exe	86
PID 2064 wrote to memory of 3932	2064	mine2.exe	90
PID 2064 wrote to memory of 3932	2064	mine2.exe	90
PID 2064 wrote to memory of 3224	2064	mine2.exe	92
PID 2064 wrote to memory of 3224	2064	mine2.exe	92
PID 3224 wrote to memory of 2272	3224	cmd.exe	93
PID 3224 wrote to memory of 2272	3224	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\mine2.exe
"C:\Users\Admin\AppData\Local\Temp\mine2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn HGRAyZk0Y950ZeEUrPGcT36so /tr "C:\ProgramData\test\test.exe" /st 05:57 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:2636
- C:\ProgramData\test\test.exe
  "C:\ProgramData\test\test.exe"
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A2F.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\test\test.exe

Filesize
645.3MB

MD5
a24a3d9ed4b39572c595280b81feb58e

SHA1
a9f2dc2545305f3412227b103805af1b7c86878b

SHA256
c3f0410dfe24dac46c5ec69073b9bdfccdfd68104203ca0f0ff800b8c59d1db1

SHA512
13aebb40de593dfff360ad980cc4a9d3f88667a33606092d6e8556d8350099ac9ee2d74941293c3c294c41c6ddc2d4305071156c5b92218c6f8ba240618e7130

Download Submit
C:\ProgramData\test\test.exe

Filesize
645.3MB

MD5
a24a3d9ed4b39572c595280b81feb58e

SHA1
a9f2dc2545305f3412227b103805af1b7c86878b

SHA256
c3f0410dfe24dac46c5ec69073b9bdfccdfd68104203ca0f0ff800b8c59d1db1

SHA512
13aebb40de593dfff360ad980cc4a9d3f88667a33606092d6e8556d8350099ac9ee2d74941293c3c294c41c6ddc2d4305071156c5b92218c6f8ba240618e7130

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A2F.tmp.bat

Filesize
157B

MD5
2cc724f3855ddae3bd6b8a001c99386e

SHA1
6abf1c5b1b229600e38c452a56182dc543cd9930

SHA256
33587fd36e51d8a9fa700e5e8ac6f598204c91feb13d24390544c3d394227edf

SHA512
d3b4970242c469fa7b3b2328f001addbe418cc09214202654728fd525c385427a4566947e3ddff1a0c51b8380c4448fa213a10e2e21a267d354c0387d24c982d

Download Submit
memory/2064-133-0x00007FFB7CEF0000-0x00007FFB7D9B1000-memory.dmp

Filesize
10.8MB

Download
memory/2064-130-0x0000000000A30000-0x0000000000AFE000-memory.dmp

Filesize
824KB

Download
memory/2064-131-0x00007FFB7CEF0000-0x00007FFB7D9B1000-memory.dmp

Filesize
10.8MB

Download
memory/2064-141-0x00007FFB7CEF0000-0x00007FFB7D9B1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-138-0x00007FFB7CEF0000-0x00007FFB7D9B1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-142-0x00007FFB7CEF0000-0x00007FFB7D9B1000-memory.dmp

Filesize
10.8MB

Download