eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3

General

Target

eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Size

396KB
MD5

a0c882ff03eae31876a393b4ac3c0f01
SHA1

246d7ff14b440fecf81b04a3ff78e6dd20cd6bea
SHA256

eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3
SHA512

a817cdb80d8f7d0a9b14f93c5d39a9a0498c84adb5877a012d69396921f16da8e7d4ac238e80bd1e0e590e07d68a011e4a9f125cc87a41886b0a8957664f7b08
SSDEEP

6144:BWxe0qY/+Xf/BTj6fLntAnDJgQ47nw9OpNW8rABQ:EQ0qY2Xf/Bgt2DXIngOq

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SterupService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SterupService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SterupService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SterupService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\SterupService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SterupService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 1812 set thread context of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 2960 wrote to memory of 1812	2960	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	80
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86
PID 1812 wrote to memory of 4060	1812	eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe	86

C:\Users\Admin\AppData\Local\Temp\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
"C:\Users\Admin\AppData\Local\Temp\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
  "C:\Users\Admin\AppData\Local\Temp\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\eea5e9b290232b76c08bf3695960c986e442a036c15283734f46d19ad673aeb3.exe
    miner.exe -a 60 -g yes -o http://xxxvideos.sso9523.com:8332/ -u p0rnstar_worker -p ornelia
    3⤵
    PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4060-140-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4060-142-0x00000000004FD000-0x0000000000537000-memory.dmp

Filesize
232KB

Download
memory/4060-141-0x00000000004FD000-0x0000000000537000-memory.dmp

Filesize
232KB

Download
memory/4060-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4060-144-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/4060-145-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/4060-147-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/4060-146-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/4060-149-0x0000000002400000-0x0000000002405000-memory.dmp

Filesize
20KB

Download
memory/4060-150-0x0000000002360000-0x00000000023AB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads