Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-09-2022 11:04
Static task
static1
Behavioral task
behavioral1
Sample
cb940cf74606d64260e36e8ef1e4f585.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
cb940cf74606d64260e36e8ef1e4f585.exe
Resource
win10v2004-20220812-en
General
-
Target
cb940cf74606d64260e36e8ef1e4f585.exe
-
Size
602KB
-
MD5
cb940cf74606d64260e36e8ef1e4f585
-
SHA1
0c77a9b9c592ee4d9e2757e5774d6621a77b0c0d
-
SHA256
adbee90a8f97d2afdc7829c01bc78af630b7f567270bcc5a5ff56e0469033b9f
-
SHA512
7701f4295101d197dc7b6529d0d772596a93ee2a1d4e063bc3793856114e13cf0ea30c8527739e88e6b4de2f4891b7e2a4f4e3ee8cec5003290100abac33cfbf
-
SSDEEP
12288:FThQ8oNPBa/AqpCeBXTy1t2r4BRnExdaqA:I8oNQXpCCB
Malware Config
Extracted
Family: colibri
Version: 1.2.0
Build1
C2 (gate URLs):
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Detects Phoenix Miner Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe | miner_phoenix
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe | miner_phoenix
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4848 | conhost.exe
4748 | conhost.exe
4328 | msedge.exe
3976 | svchost.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | cb940cf74606d64260e36e8ef1e4f585.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe" | cb940cf74606d64260e36e8ef1e4f585.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
3976 | svchost.exe
3976 | svchost.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 4848 set thread context of 4748 | 4848 | conhost.exe | conhost.exe
PID 4832 set thread context of 1800 | 4832 | cb940cf74606d64260e36e8ef1e4f585.exe | cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 set thread context of 1432 | 1800 | cb940cf74606d64260e36e8ef1e4f585.exe | cb940cf74606d64260e36e8ef1e4f585.exe
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes (identical rows collapsed, count in parentheses; 39 events in total):
description | pid | process | target process
PID 2764 wrote to memory of 4848 (x3) | 2764 | cb940cf74606d64260e36e8ef1e4f585.exe | conhost.exe
PID 4848 wrote to memory of 4748 (x7) | 4848 | conhost.exe | conhost.exe
PID 2764 wrote to memory of 4832 (x3) | 2764 | cb940cf74606d64260e36e8ef1e4f585.exe | cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800 (x10) | 4832 | cb940cf74606d64260e36e8ef1e4f585.exe | cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432 (x9) | 1800 | cb940cf74606d64260e36e8ef1e4f585.exe | cb940cf74606d64260e36e8ef1e4f585.exe
PID 1432 wrote to memory of 1976 (x3) | 1432 | cb940cf74606d64260e36e8ef1e4f585.exe | cmd.exe
PID 1976 wrote to memory of 4328 (x2) | 1976 | cmd.exe | msedge.exe
PID 4328 wrote to memory of 3976 (x2) | 4328 | msedge.exe | svchost.exe
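The Run-key, SetThreadContext and WriteProcessMemory rows above are the parts of this report worth turning into detection logic, but as flat table text they are hard to reason about. The script below is an added example and is not part of the sandbox report or of Colibri: it re-parses those rows exactly as the report prints them (copied here as constructed input, with the repeated WriteProcessMemory rows collapsed), reconstructs the lineage from the sample down to the miner, flags the pairs where a parent both writes into a child running the same image and replaces its thread context (the self-injection / process-hollowing pattern visible three times here), and applies a heuristic of ours to the Run value: a product-lookalike name pointing into a per-user profile directory. Function names and the `run_key_is_suspicious` lookalike list are assumptions, not anything the sandbox defines.

```python
"""Triage the injection and persistence rows of a sandbox report.

Added example: the event strings below are copied from the report
(WriteProcessMemory duplicates collapsed); helper names are ours.
"""
import re

SET_THREAD_CONTEXT = """
PID 4848 set thread context of 4748 4848 conhost.exe conhost.exe
PID 4832 set thread context of 1800 4832 cb940cf74606d64260e36e8ef1e4f585.exe cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 set thread context of 1432 1800 cb940cf74606d64260e36e8ef1e4f585.exe cb940cf74606d64260e36e8ef1e4f585.exe
"""

WRITE_PROCESS_MEMORY = """
PID 2764 wrote to memory of 4848 2764 cb940cf74606d64260e36e8ef1e4f585.exe conhost.exe
PID 4848 wrote to memory of 4748 4848 conhost.exe conhost.exe
PID 2764 wrote to memory of 4832 2764 cb940cf74606d64260e36e8ef1e4f585.exe cb940cf74606d64260e36e8ef1e4f585.exe
PID 4832 wrote to memory of 1800 4832 cb940cf74606d64260e36e8ef1e4f585.exe cb940cf74606d64260e36e8ef1e4f585.exe
PID 1800 wrote to memory of 1432 1800 cb940cf74606d64260e36e8ef1e4f585.exe cb940cf74606d64260e36e8ef1e4f585.exe
PID 1432 wrote to memory of 1976 1432 cb940cf74606d64260e36e8ef1e4f585.exe cmd.exe
PID 1976 wrote to memory of 4328 1976 cmd.exe msedge.exe
PID 4328 wrote to memory of 3976 4328 msedge.exe svchost.exe
"""

# The Run value exactly as the report prints it (key path, name = data).
RUN_VALUE = (
    r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSEdge = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\MSEdge\\msedge.exe"'
)

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?:set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples, one per row."""
    out = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return out


def hollowing_pairs(stc_rows, wpm_rows):
    """A parent that both wrote into a child and replaced one of its thread
    contexts, where the child runs the parent's own image, is the classic
    process-hollowing / self-injection pattern. Returns (parent, child, image)."""
    written = {(s, d) for s, d, _, _ in wpm_rows}
    return [(s, d, si) for s, d, si, di in stc_rows
            if (s, d) in written and si == di]


def lineage(wpm_rows, pid):
    """Walk WriteProcessMemory edges back to the root. The process tree in
    the report shows each write here goes parent -> direct child, so the
    edges double as parent links. Returns [(pid, image), ...], child first."""
    parent = {d: s for s, d, _, _ in wpm_rows}
    image = {}
    for s, d, si, di in wpm_rows:
        image[s], image[d] = si, di
    chain = [(pid, image[pid])]
    while pid in parent:
        pid = parent[pid]
        chain.append((pid, image[pid]))
    return chain


def run_key_is_suspicious(run_value):
    """Heuristic (ours, an assumption): a Run value whose data lives under a
    user-writable profile directory and whose name imitates a well-known
    product is worth a closer look."""
    name, _, data = run_value.partition(" = ")
    name = name.rsplit("\\", 1)[-1]
    path = data.strip('"').replace("\\\\", "\\").lower()
    user_writable = "\\appdata\\" in path or "\\programdata\\" in path
    lookalike = name.lower() in {"msedge", "chrome", "firefox", "svchost", "onedrive"}
    return user_writable and lookalike


if __name__ == "__main__":
    stc = parse_events(SET_THREAD_CONTEXT)
    wpm = parse_events(WRITE_PROCESS_MEMORY)
    for s, d, img in hollowing_pairs(stc, wpm):
        print(f"hollowing: {img} {s} -> {d}")
    print(" <- ".join(f"{img}[{p}]" for p, img in lineage(wpm, 3976)))
    print("run key suspicious:", run_key_is_suspicious(RUN_VALUE))
```

Run as a script it prints the three hollowing pairs, the seven-process chain from the miner back to the sample, and `True` for the Run value. The same two checks (write-then-SetThreadContext into a same-image child; Run value into AppData under a product name) translate directly into EDR or Sysmon correlation rules.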
Processes
(tree depth in brackets; PIDs taken from the signature tables above)
-
[1] C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe (PID 2764)
    cmd: "C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\conhost.exe (PID 4848)
        cmd: "C:\ProgramData\conhost.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\conhost.exe (PID 4748)
            cmd: "C:\ProgramData\conhost.exe"
            - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe (PID 4832)
        cmd: "C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe (PID 1800)
            cmd: "C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe (PID 1432)
                cmd: "C:\Users\Admin\AppData\Local\Temp\cb940cf74606d64260e36e8ef1e4f585.exe"
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe (PID 1976)
                    cmd: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe (PID 4328)
                        cmd: C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
                        - Executes dropped EXE
                        - Suspicious use of WriteProcessMemory
                        [7] C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe (PID 3976)
                            cmd (recorded without argv[0]): -pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
                            - Executes dropped EXE
                            - Suspicious use of NtSetInformationThreadHideFromDebugger
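The miner's command line at the bottom of the tree carries the most actionable network and financial IoCs in this report: the pool, the port, the payout wallet and the worker name. The parser below is an added example, not part of the report or of PhoenixMiner or Colibri. It takes the command line as printed above (with the image path from the same row prepended, since the report records the arguments without argv[0]), folds `-flag value` pairs into a dictionary, and derives the checks a responder wants: that the binary is an `svchost.exe` living outside the Windows system directories, that the wallet is a syntactically valid Ethereum address, and which pool host and port to pivot on. The meanings noted for `-log 0` and `-mport 0` follow PhoenixMiner's documented switches as we recall them and should be treated as an assumption; the field names are ours.

```python
"""Extract mining IoCs from a dropped miner's command line.

Added example: the command line is copied from the sandbox process tree
(image path prepended); option parsing and field names are ours.
"""
import re
import shlex

MINER_CMDLINE = (
    r"C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe "
    "-pool us-eth.2miners.com:2020 "
    "-wal 0x298a98736156cdffdfaf4580afc4966904f1e12e "
    "-worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 "
    "-retrydelay 1 -coin eth"
)

ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
# The only directories a genuine svchost.exe lives in.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def split_args(cmdline):
    """Tokenise a Windows command line and fold '-flag value' pairs into a
    dict; a flag with no value maps to True. posix=False keeps the
    backslashes in the image path literal."""
    argv = shlex.split(cmdline, posix=False)
    image, rest, opts = argv[0], argv[1:], {}
    i = 0
    while i < len(rest):
        tok = rest[i]
        if not tok.startswith("-"):
            i += 1
            continue
        key = tok.lstrip("-")
        if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            opts[key] = rest[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return image, opts


def extract_iocs(cmdline):
    image, opts = split_args(cmdline)
    low = image.lower()
    pool = opts.get("pool", "")
    host, _, port = pool.rpartition(":")
    wallet = opts.get("wal", "")
    return {
        "image": image,
        # svchost.exe outside System32/SysWOW64 is a masquerade, not Windows.
        "svchost_masquerade": low.endswith("\\svchost.exe")
        and not any(d in low for d in SYSTEM_DIRS),
        "pool_host": host or pool,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": wallet,
        "wallet_is_eth": bool(ETH_ADDRESS.match(wallet)),
        "worker": opts.get("worker"),
        "coin": opts.get("coin"),
        # Assumed PhoenixMiner semantics: -log 0 disables the log file and
        # -mport 0 disables the remote monitoring port, both shrinking the
        # footprint left on the host.
        "logfile_disabled": opts.get("log") == "0",
        "remote_monitoring_disabled": opts.get("mport") == "0",
    }


def hunting_terms(iocs):
    """Strings worth pivoting on in DNS/proxy logs and other sandbox runs."""
    terms = [iocs["pool_host"], iocs["wallet"], iocs["worker"]]
    return [t for t in terms if t]


if __name__ == "__main__":
    found = extract_iocs(MINER_CMDLINE)
    for key, value in found.items():
        print(f"{key:28} {value}")
    print("pivot on:", ", ".join(hunting_terms(found)))
```

The wallet address is the most durable pivot: pools and domains rotate, but the payout address ties every sample of this campaign together and can be looked up on the pool's public stats page to size the operation.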
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(each dropped file is listed once; the report repeats conhost.exe three times and msedge.exe and svchost.exe twice, with identical hashes)
-
C:\ProgramData\conhost.exe
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
Filesize 16KB
MD5 e8ac4929d4ef413e3c45abe2531cae95
SHA1 9ccd6320f053402699c802425e395010ef915740
SHA256 7245d7d5573bfbd93e7939ad685b071d7755ebb62d8411f1984ce9dcc195f588
SHA512 be3e14f1441839001f41f7c62ce3a5b7fb26927a0d8cd532eab7d000382e143b4f5b5468a60f6223dfecae3d4ad556a7f72b7e5d318783fc1d1858241bfb93e7
-
C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
Filesize 8.1MB
MD5 51ff42d909a879d42eb5f0e643aab806
SHA1 affce62499d0f923f115228643a87ba5daece4e5
SHA256 c0e187a0974b337fe6990e9a929c472dcf491282b8171322291a0ed6c1c653c3
SHA512 bc948edfb59e58cc7f9a4c8e9052989e8d655323f79b29ac1a0ae5152bffd0847f8838091a51a33ffd0d1414b5afeed34870587931801f47da1ecff8915f9baf
Memory dumps (dump name, filesize where the dump is a memory region)
memory/1432-148-0x0000000000000000-mapping.dmp
memory/1432-149-0x0000000001020000-0x0000000001056000-memory.dmp 216KB
memory/1432-154-0x0000000001020000-0x0000000001056000-memory.dmp 216KB
memory/1432-157-0x0000000001020000-0x0000000001056000-memory.dmp 216KB
memory/1800-141-0x0000000000000000-mapping.dmp
memory/1800-142-0x0000000000400000-0x000000000043A000-memory.dmp 232KB
memory/1800-143-0x0000000000400000-0x000000000043A000-memory.dmp 232KB
memory/1800-144-0x0000000000400000-0x000000000043A000-memory.dmp 232KB
memory/1800-145-0x0000000000400000-0x000000000043A000-memory.dmp 232KB
memory/1800-151-0x0000000000400000-0x000000000043A000-memory.dmp 232KB
memory/1976-159-0x0000000000000000-mapping.dmp
memory/2764-133-0x00000000013F5000-0x0000000001408000-memory.dmp 76KB
memory/3976-163-0x0000000000000000-mapping.dmp
memory/4328-160-0x0000000000000000-mapping.dmp
memory/4748-136-0x0000000000000000-mapping.dmp
memory/4748-138-0x0000000000400000-0x0000000000407000-memory.dmp 28KB
memory/4748-158-0x0000000000400000-0x0000000000407000-memory.dmp 28KB
memory/4832-137-0x0000000000000000-mapping.dmp
memory/4832-140-0x0000000000AB8000-0x0000000000ACB000-memory.dmp 76KB
memory/4848-132-0x0000000000000000-mapping.dmp