005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4

General

Target

005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe
Size

872KB
MD5

d1aaea7fb88f4bb180607bf35503f1b6
SHA1

e4da9552b4964ca9fbbf7bfd63022a29568c04dd
SHA256

005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4
SHA512

b1f7f89d1bb7c01d55e386ce49ab9bd73888bda43a2f6a117261b5037c8361b1282a450330258b84b1b60c5f4b6176c28232bf4b0a1dd36477a32b996f1a4754
SSDEEP

24576:iWAT8QE+kM7oO2DyDTUV3y89c0LwrHeclcp7C1P+U:iWAI+7v7mc0LwHlcpFU

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SetupMiner.exe

pid process

884 SetupMiner.exe
Loads dropped DLL 1 IoCs

Processes:

005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe

pid process

2012 005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe

pid	process
884	SetupMiner.exe

pid	process
2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SetupMiner.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SetupMiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Micron = "C:\\Windows\\miner\\run.vbs"	SetupMiner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Micron Toolset = "C:\\Windows\\miner\\wic.bat"	SetupMiner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

SetupMiner.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Micron Ltd\Micron\Uninstall.exe	SetupMiner.exe
File created	C:\Program Files (x86)\Micron Ltd\Micron\Uninstall.ini	SetupMiner.exe

Drops file in Windows directory 12 IoCs

Processes:

SetupMiner.exe

description	ioc	process
File opened for modification	C:\Windows\miner\sc.bat	SetupMiner.exe
File opened for modification	C:\Windows\miner\test.bat	SetupMiner.exe
File opened for modification	C:\Windows\miner\usft_ext.dll	SetupMiner.exe
File opened for modification	C:\Windows\miner\Dnsv2.bat	SetupMiner.exe
File opened for modification	C:\Windows\miner\winsvchost.exe	SetupMiner.exe
File opened for modification	C:\Windows\miner\wic.bat	SetupMiner.exe
File opened for modification	C:\Windows\miner\miner.dll	SetupMiner.exe
File opened for modification	C:\Windows\miner\run.bat	SetupMiner.exe
File opened for modification	C:\Windows\miner\run.exe	SetupMiner.exe
File opened for modification	C:\Windows\miner\run.vbs	SetupMiner.exe
File opened for modification	C:\Windows\miner\phatk.cl	SetupMiner.exe
File opened for modification	C:\Windows\miner\phatk.ptx	SetupMiner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe

description	pid	process	target process
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe
PID 2012 wrote to memory of 884	2012	005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe	SetupMiner.exe

C:\Users\Admin\AppData\Local\Temp\005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe
"C:\Users\Admin\AppData\Local\Temp\005bbd1ef3e4d1548ba262f7b75a165d736cc69581d4bfd782197a939c732ea4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\SetupMiner.exe
"C:\Users\Admin\AppData\Local\Temp\SetupMiner.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetupMiner.exe

Filesize
796KB

MD5
71b730b554413a7103730b050e68a48b

SHA1
756f2ea4056823dd14978efbe48b2f17b0921581

SHA256
2d0611661ba4126bc7d4a71fd3d0eb9c9f79f547590698d39e39c68f03cf0408

SHA512
fe11cd15ef2ba6024a143818c51f3684c23142dbf2668defbc441513722ebd4aa3622db8fe9c9aecd7456c4e9e05a0060e7fca18f00519d9004899769bec2bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupMiner.exe

Filesize
796KB

MD5
71b730b554413a7103730b050e68a48b

SHA1
756f2ea4056823dd14978efbe48b2f17b0921581

SHA256
2d0611661ba4126bc7d4a71fd3d0eb9c9f79f547590698d39e39c68f03cf0408

SHA512
fe11cd15ef2ba6024a143818c51f3684c23142dbf2668defbc441513722ebd4aa3622db8fe9c9aecd7456c4e9e05a0060e7fca18f00519d9004899769bec2bbc

Download Submit
\Users\Admin\AppData\Local\Temp\SetupMiner.exe

Filesize
796KB

MD5
71b730b554413a7103730b050e68a48b

SHA1
756f2ea4056823dd14978efbe48b2f17b0921581

SHA256
2d0611661ba4126bc7d4a71fd3d0eb9c9f79f547590698d39e39c68f03cf0408

SHA512
fe11cd15ef2ba6024a143818c51f3684c23142dbf2668defbc441513722ebd4aa3622db8fe9c9aecd7456c4e9e05a0060e7fca18f00519d9004899769bec2bbc

Download Submit
memory/884-57-0x0000000000000000-mapping.dmp

Download
memory/2012-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-60-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads