540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4

General

Target

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe
Size

2.4MB
MD5

ca30450486a3074881dd3847ae39048c
SHA1

db7e12aa440b58371b4103f0ef3d6c1ffa136732
SHA256

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4
SHA512

1f9a28f2e7215702d0a5cb64080a48c1067158afcef8cbb29cfd3c8ebe51df9c30ea402ffb6fb7bcd4013277f02364804143931e3af7b737af207e935f3cc552
SSDEEP

49152:OZzO43KtaISugRed1bVkaTMG1DFf3opuH6LIQntMre/DB2M:jtaDyhf3oHLI2tMi/DB2

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

adgwijgweog.exeadgwijgweog.exeadgwijgweog.exe

pid process

4584 adgwijgweog.exe
436 adgwijgweog.exe
1368 adgwijgweog.exe

pid	process
4584	adgwijgweog.exe
436	adgwijgweog.exe
1368	adgwijgweog.exe

VMProtect packed file 14 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
behavioral2/memory/4584-135-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/4584-139-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
behavioral2/memory/436-142-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/436-145-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/436-146-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe	vmprotect
behavioral2/memory/1368-149-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/1368-152-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/4584-153-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/436-154-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect
behavioral2/memory/1368-155-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

adgwijgweog.exeadgwijgweog.exeadgwijgweog.exe

pid process

4584 adgwijgweog.exe
436 adgwijgweog.exe
1368 adgwijgweog.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4568 4584 WerFault.exe adgwijgweog.exe

pid	process
4584	adgwijgweog.exe
436	adgwijgweog.exe
1368	adgwijgweog.exe

pid	pid_target	process	target process
4568	4584	WerFault.exe	adgwijgweog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

adgwijgweog.exeadgwijgweog.exeadgwijgweog.exe

description	pid	process
Token: SeLockMemoryPrivilege	4584	adgwijgweog.exe
Token: SeLockMemoryPrivilege	436	adgwijgweog.exe
Token: SeLockMemoryPrivilege	1368	adgwijgweog.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exeadgwijgweog.exeadgwijgweog.exe

description	pid	process	target process
PID 4004 wrote to memory of 4584	4004	540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe	adgwijgweog.exe
PID 4004 wrote to memory of 4584	4004	540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe	adgwijgweog.exe
PID 4584 wrote to memory of 436	4584	adgwijgweog.exe	adgwijgweog.exe
PID 4584 wrote to memory of 436	4584	adgwijgweog.exe	adgwijgweog.exe
PID 436 wrote to memory of 1368	436	adgwijgweog.exe	adgwijgweog.exe
PID 436 wrote to memory of 1368	436	adgwijgweog.exe	adgwijgweog.exe

C:\Users\Admin\AppData\Local\Temp\540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe
"C:\Users\Admin\AppData\Local\Temp\540aab246a5815d4ed533722b23fa1f69077f23eeaea122896c2f29c220164c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe -t 1 -o stratum+tcp://xmr-usa.dwarfpool.com:8005 -u 42NCdZTvv3WDjVJTd4ny51SXQiKhUyprE9zrP5BsjqJu9aeWqwunHK7aHFR9ya8gJf2REyYwBMDxMjiAVPMBqsVHQqJe91y -p x
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4584 -s 660
3⤵
- Program crash
PID:4568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4584 -ip 4584
1⤵
PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\adgwijgweog.exe
Filesize
1.5MB

MD5
37e2490d6c9391fe81043eeb7cfa637a

SHA1
6cdbd359838b7213f2958717b914b1ac4157408c

SHA256
18a2f191db62cc45601981180e6263c46657f537e0842cbc350a47efaa775178

SHA512
fa76cdc67dbd8b2dab4d4aa835aa721f091c48b1ee0701102da9dd7fd8ae906da088f93d3626ce6a77a06cec4706e0eeb8eef60c3984d6b2c31b6bc670818e9d

Download Submit
C:\Users\Admin\AppData\Roaming\dvigowucpu\pools.txt
Filesize
154B

MD5
4a467c266bf7474bace3615884e8793b

SHA1
efc82124fbfd11d9f7b3a3b0ff1e027465bcd0dc

SHA256
2074cbb2a779b15b0e28dd98cc59dfbfeeb1d5829ef15ccd80a1e36cc5651a2a

SHA512
96a359188cf16d4a850c08393d08189af8d175983ddeca54a1eb1ed45b39798eefff421e132a7f081fa47d812a62dd8c1b2fa872d7bf9fc2fa6af7e7b3feccf5

Download Submit
memory/436-146-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/436-140-0x0000000000000000-mapping.dmp

Download
memory/436-154-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/436-142-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/436-145-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/1368-147-0x0000000000000000-mapping.dmp

Download
memory/1368-149-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/1368-152-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/1368-155-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/4584-139-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/4584-135-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/4584-153-0x00007FF6B5D60000-0x00007FF6B6125000-memory.dmp

Filesize
3.8MB

Download
memory/4584-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads