Analysis Overview
SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
Threat Level: Known bad
The file Doge-Miner203.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence (reg.exe sets HKCU\...\Winlogon\Shell to "explorer.exe,<dropped copy>," so the dropped copy is started at every logon alongside explorer.exe)
Executes dropped EXE (a copy of the sample written as notepad.exe under the user's cookies folder: Roaming\Microsoft\Windows\Cookies on Windows 7, Local\Microsoft\Windows\INetCookies on Windows 10)
Runs ping.exe (ping 127.0.0.1 -n N > nul, used as a delay before the copy and before the registry write)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken (SeDebugPrivilege)
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-27 17:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-27 17:47
Reported
2023-01-27 17:49
Platform
win7-20221111-en
Max time kernel
149s
Max time network
30s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\notepad.exe," | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe
"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 40
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 40
Network
Files
memory/1364-54-0x0000000000050000-0x000000000066A000-memory.dmp
memory/1364-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
memory/1364-56-0x0000000000DC0000-0x0000000000DF0000-memory.dmp
memory/1364-57-0x0000000000D60000-0x0000000000D78000-memory.dmp
memory/1908-58-0x0000000000000000-mapping.dmp
memory/1736-59-0x0000000000000000-mapping.dmp
memory/1488-60-0x0000000000000000-mapping.dmp
memory/1532-61-0x0000000000000000-mapping.dmp
memory/1092-62-0x0000000000000000-mapping.dmp
memory/392-63-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-27 17:47
Reported
2023-01-27 17:49
Platform
win10v2004-20220812-en
Max time kernel
121s
Max time network
138s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe," | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe
"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 41
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 41
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"
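The staging pattern recorded in the two process trees above (loopback ping as a delay, a self-copy named notepad.exe under the profile, REG ADD to Winlogon\Shell) can be checked in command-line telemetry with the script below. This is an added example written for this page, not part of the sandbox report or of the sample. The six sample command lines are copied from the behavioral2 process list; the two benign control lines are constructed; the rule names, the estimate of N-1 seconds per `ping -n N` to loopback, and the list of masqueraded binary names are the example's own assumptions.

```python
"""Flag Winlogon Shell persistence, ping-based delays and masquerading self-copies
in Windows process command lines (added example for this report, not part of it)."""
import re

# Command lines copied from the behavioral2 process list above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"',
    r'"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"',
    r'ping 127.0.0.1 -n 36',
    r'"cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"',
    r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"',
    r'"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"',
]

# Constructed benign control lines: a real ping, and an explicit reset of Shell to its default.
BENIGN_CMDLINES = [
    r'ping 8.8.8.8 -n 4',
    r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe"',
]

DEFAULT_SHELL = "explorer.exe"

# reg add <key ending in \Winlogon> ... /v Shell ... /d <value>; quotes are optional in cmd syntax.
REG_SHELL_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"]*?\\winlogon)"?\s+.*?/v\s+"?shell"?\s.*?/d\s+"?(?P<value>[^"]*)"?',
    re.IGNORECASE,
)
# ping to loopback with -n N (either argument order): the classic cmd "sleep".
PING_SLEEP_RE = re.compile(
    r'\bping(?:\.exe)?\s+(?:-n\s+(?P<n1>\d+)\s+)?(?P<host>127\.0\.0\.1|localhost|::1)\b(?:\s+-n\s+(?P<n2>\d+))?',
    re.IGNORECASE,
)
COPY_RE = re.compile(r'\bcopy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.IGNORECASE)

# Assumption of this example: names a dropped file would borrow to blend in.
MASQUERADE_NAMES = {"notepad.exe", "explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def non_default_shell_entries(value):
    """Winlogon\\Shell is a comma-separated list of programs started as the shell.
    Return every entry that is not the default explorer.exe."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != DEFAULT_SHELL]


def ping_sleep_seconds(cmdline):
    """Estimated delay of each loopback ping in the command line.
    Assumption: ping -n N to loopback takes about N-1 seconds (one second between echoes)."""
    delays = []
    for m in PING_SLEEP_RE.finditer(cmdline):
        n = m.group("n1") or m.group("n2")
        if n:
            delays.append(max(int(n) - 1, 0))
    return delays


def masquerading_copy(cmdline):
    """Return (src, dst) when a file is copied under a system-binary name outside C:\\Windows.
    The sample's target folder contains '\\Microsoft\\Windows\\' but lives under the user profile."""
    m = COPY_RE.search(cmdline)
    if not m:
        return None
    dst = m.group("dst")
    name = dst.rsplit("\\", 1)[-1].lower()
    if name in MASQUERADE_NAMES and not dst.lower().startswith("c:\\windows\\"):
        return m.group("src"), dst
    return None


def analyze(cmdlines):
    """Run the three checks over a list of command lines; return a list of finding dicts."""
    findings = []
    for cl in cmdlines:
        m = REG_SHELL_RE.search(cl)
        if m:
            extra = non_default_shell_entries(m.group("value"))
            if extra:
                findings.append({"rule": "winlogon_shell_persistence", "detail": extra, "cmdline": cl})
        delays = ping_sleep_seconds(cl)
        if delays:
            findings.append({"rule": "ping_sleep", "detail": sum(delays), "cmdline": cl})
        copied = masquerading_copy(cl)
        if copied:
            findings.append({"rule": "masquerading_self_copy", "detail": copied[1], "cmdline": cl})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f['rule']:28} {f['detail']}")
    print("benign findings:", analyze(BENIGN_CMDLINES))
```

The Shell value is parsed rather than string-matched because Winlogon accepts a list: the sample keeps explorer.exe first so the desktop still comes up and the addition is not noticed. The same parse can be run against the live value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (and the HKLM copy) on a host being triaged.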
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 13.69.239.73:443 | | tcp |
Files
memory/2116-132-0x0000000000900000-0x0000000000F1A000-memory.dmp
memory/2116-133-0x0000000005EA0000-0x0000000006444000-memory.dmp
memory/2116-134-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/2116-135-0x0000000005990000-0x0000000005A2C000-memory.dmp
memory/2116-136-0x000000000C3F0000-0x000000000C3FA000-memory.dmp
memory/4200-137-0x0000000000000000-mapping.dmp
memory/3976-138-0x0000000000000000-mapping.dmp
memory/1856-139-0x0000000000000000-mapping.dmp
memory/3540-140-0x0000000000000000-mapping.dmp
memory/1992-141-0x0000000000000000-mapping.dmp
memory/3156-142-0x0000000000000000-mapping.dmp
memory/4548-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe
| MD5 | d7e6fd264bc937e3646de58e551a29db |
| SHA1 | 1db4664777b17e004f71cee4002f9ccc430413e4 |
| SHA256 | 463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24 |
| SHA512 | cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837 |
memory/4548-146-0x00000000009A0000-0x0000000000FBA000-memory.dmp