Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2022 09:45

Static task: static1
Behavioral task: behavioral1
  Sample: b01ddbf0bff46769347ba59495c22c6f.exe
  Resource: win7-20220812-en

General
- Target: b01ddbf0bff46769347ba59495c22c6f.exe
- Size: 3.4MB
- MD5: b01ddbf0bff46769347ba59495c22c6f
- SHA1: 36bb6a7d67ebffb8dc2c903d20594141436de37e
- SHA256: 6622ecf695d6546c9ce99134a13c485d33691905b4140ca5fbe6d704948cf651
- SHA512: 6f05570e01fcf9511626cd7d85bc20a32ebd7d9fdd49b52de80ee4ec20fb3f34880a07d0758543630c02b93484e501824a4f0df3bebf6c9b30fb24fc87f16f96
- SSDEEP: 98304:Mh0ywRz70/W9+68ZBtKe3oWFGNc+sA5loQwMEp+ou/Xf:nyf/W9+DfFGNv5lnEMosf
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  Processes:
    description            | pid  | process                              | target process
    PID 1652 created 1256  | 1652 | b01ddbf0bff46769347ba59495c22c6f.exe | Explorer.EXE
    (the same entry is recorded 3 times)
- XMRig Miner payload (2 IoCs)
  Processes:
    resource                                                                    | yara_rule
    behavioral1/memory/332-62-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
    behavioral1/memory/332-64-0x0000000140000000-0x00000001407F4000-memory.dmp | xmrig
- yara rule upx (2 IoCs)
  Processes:
    resource                                                                    | yara_rule
    behavioral1/memory/332-62-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
    behavioral1/memory/332-64-0x0000000140000000-0x00000001407F4000-memory.dmp | upx
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          | pid  | process                              | target process
    PID 1652 set thread context of 332   | 1652 | b01ddbf0bff46769347ba59495c22c6f.exe | dwm.exe
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
  Processes:
    pid  | process
    1652 | b01ddbf0bff46769347ba59495c22c6f.exe   (3 entries)
    332  | dwm.exe                                (remaining 58 entries)
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes:
    pid | process
    464 | (blank)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    description                          | pid  | process
    Token: SeShutdownPrivilege           | 952  | powercfg.exe
    Token: SeIncreaseQuotaPrivilege      | 1668 | WMIC.exe
    Token: SeSecurityPrivilege           | 1668 | WMIC.exe
    Token: SeTakeOwnershipPrivilege      | 1668 | WMIC.exe
    Token: SeLoadDriverPrivilege         | 1668 | WMIC.exe
    Token: SeSystemProfilePrivilege      | 1668 | WMIC.exe
    Token: SeSystemtimePrivilege         | 1668 | WMIC.exe
    Token: SeProfSingleProcessPrivilege  | 1668 | WMIC.exe
    Token: SeIncBasePriorityPrivilege    | 1668 | WMIC.exe
    Token: SeCreatePagefilePrivilege     | 1668 | WMIC.exe
    Token: SeBackupPrivilege             | 1668 | WMIC.exe
    Token: SeRestorePrivilege            | 1668 | WMIC.exe
    Token: SeShutdownPrivilege           | 1668 | WMIC.exe
    Token: SeDebugPrivilege              | 1668 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege  | 1668 | WMIC.exe
    Token: SeRemoteShutdownPrivilege     | 1668 | WMIC.exe
    Token: SeUndockPrivilege             | 1668 | WMIC.exe
    Token: SeManageVolumePrivilege       | 1668 | WMIC.exe
    Token: 33                            | 1668 | WMIC.exe
    Token: 34                            | 1668 | WMIC.exe
    Token: 35                            | 1668 | WMIC.exe
    Token: SeShutdownPrivilege           | 1584 | powercfg.exe
    (the 20 WMIC.exe rows above are recorded a second time here, in the same order)
    Token: SeShutdownPrivilege           | 1552 | powercfg.exe
    Token: SeShutdownPrivilege           | 108  | powercfg.exe
    Token: SeLockMemoryPrivilege         | 332  | dwm.exe
    Token: SeLockMemoryPrivilege         | 332  | dwm.exe
- Suspicious use of FindShellTrayWindow (58 IoCs)
  Processes:
    pid | process
    332 | dwm.exe   (58 entries)
- Suspicious use of SendNotifyMessage (58 IoCs)
  Processes:
    pid | process
    332 | dwm.exe   (58 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                        | pid  | process                              | target process
    PID 1340 wrote to memory of 952    | 1340 | cmd.exe                              | powercfg.exe   (3 entries)
    PID 1224 wrote to memory of 1668   | 1224 | cmd.exe                              | WMIC.exe       (3 entries)
    PID 1340 wrote to memory of 1584   | 1340 | cmd.exe                              | powercfg.exe   (3 entries)
    PID 1340 wrote to memory of 1552   | 1340 | cmd.exe                              | powercfg.exe   (3 entries)
    PID 1340 wrote to memory of 108    | 1340 | cmd.exe                              | powercfg.exe   (3 entries)
    PID 1652 wrote to memory of 332    | 1652 | b01ddbf0bff46769347ba59495c22c6f.exe | dwm.exe        (1 entry)
Processes (tree depth as recorded in the report)
- [1] C:\Windows\Explorer.EXE
      command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\b01ddbf0bff46769347ba59495c22c6f.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\b01ddbf0bff46769347ba59495c22c6f.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
          command line: powercfg /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Wbem\WMIC.exe
          command line: wmic PATH Win32_VideoController GET Name, VideoProcessor
          - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\dwm.exe
        command line: C:\Windows\system32\dwm.exe ilomnyjxaqxbdyoj [remainder of command line not captured]
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Downloads
- C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
    Filesize: 198B
    MD5: 37dd19b2be4fa7635ad6a2f3238c4af1
    SHA1: e5b2c034636b434faee84e82e3bce3a3d3561943
    SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
    SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
- memory/108-58-0x0000000000000000-mapping.dmp
- memory/332-60-0x00000001407F2120-mapping.dmp
- memory/332-61-0x00000000000C0000-0x00000000000E0000-memory.dmp   (Filesize: 128KB)
- memory/332-62-0x0000000140000000-0x00000001407F4000-memory.dmp   (Filesize: 8.0MB)
- memory/332-63-0x0000000000000000-0x0000000001000000-memory.dmp   (Filesize: 16.0MB)
- memory/332-64-0x0000000140000000-0x00000001407F4000-memory.dmp   (Filesize: 8.0MB)
- memory/952-54-0x0000000000000000-mapping.dmp
- memory/1552-57-0x0000000000000000-mapping.dmp
- memory/1584-56-0x0000000000000000-mapping.dmp
- memory/1668-55-0x0000000000000000-mapping.dmp