540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4

Analysis

max time kernel
211s
max time network
257s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe
Size

2.4MB
MD5

ca30450486a3074881dd3847ae39048c
SHA1

db7e12aa440b58371b4103f0ef3d6c1ffa136732
SHA256

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4
SHA512

1f9a28f2e7215702d0a5cb64080a48c1067158afcef8cbb29cfd3c8ebe51df9c30ea402ffb6fb7bcd4013277f02364804143931e3af7b737af207e935f3cc552
SSDEEP

49152:OZzO43KtaISugRed1bVkaTMG1DFf3opuH6LIQntMre/DB2M:jtaDyhf3oHLI2tMi/DB2

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

adgwijgweog.exe

pid process

1344 adgwijgweog.exe

pid	process
1344	adgwijgweog.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
behavioral1/memory/1344-60-0x000000013F490000-0x000000013F855000-memory.dmp	vmprotect
behavioral1/memory/1344-61-0x000000013F490000-0x000000013F855000-memory.dmp	vmprotect
behavioral1/memory/1344-65-0x000000013F490000-0x000000013F855000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe

pid process

1168 540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

adgwijgweog.exe

pid process

1344 adgwijgweog.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

adgwijgweog.exe

description pid process

Token: SeLockMemoryPrivilege 1344 adgwijgweog.exe

pid	process
1168	540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe

pid	process
1344	adgwijgweog.exe

description	pid	process
Token: SeLockMemoryPrivilege	1344	adgwijgweog.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe

description	pid	process	target process
PID 1168 wrote to memory of 1344	1168	540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe	adgwijgweog.exe
PID 1168 wrote to memory of 1344	1168	540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe	adgwijgweog.exe
PID 1168 wrote to memory of 1344	1168	540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe	adgwijgweog.exe

C:\Users\Admin\AppData\Local\Temp\540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe
"C:\Users\Admin\AppData\Local\Temp\540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\pools.txt
Filesize
154B

MD5
4a467c266bf7474bace3615884e8793b

SHA1
efc82124fbfd11d9f7b3a3b0ff1e027465bcd0dc

SHA256
2074cbb2a779b15b0e28dd98cc59dfbfeeb1d5829ef15ccd80a1e36cc5651a2a

SHA512
96a359188cf16d4a850c08393d08189af8d175983ddeca54a1eb1ed45b39798eefff421e132a7f081fa47d812a62dd8c1b2fa872d7bf9fc2fa6af7e7b3feccf5

Download Submit
\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
memory/1168-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1168-59-0x000000013F490000-0x000000013F855000-memory.dmp

Filesize
3.8MB

Download
memory/1344-56-0x0000000000000000-mapping.dmp

Download
memory/1344-60-0x000000013F490000-0x000000013F855000-memory.dmp

Filesize
3.8MB

Download
memory/1344-61-0x000000013F490000-0x000000013F855000-memory.dmp

Filesize
3.8MB

Download
memory/1344-65-0x000000013F490000-0x000000013F855000-memory.dmp

Filesize
3.8MB

Download