Resubmissions
27-01-2023 19:10
230127-xvglescg25 1027-01-2023 17:57
230127-wjv41adg9z 1027-01-2023 17:47
230127-wcvjwsdg7x 10Analysis
-
max time kernel
211s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-01-2023 17:57
Static task
static1
Behavioral task
behavioral1
Sample
Doge-Miner203.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Doge-Miner203.exe
Resource
win10v2004-20220812-en
General
-
Target
Doge-Miner203.exe
-
Size
6.1MB
-
MD5
d7e6fd264bc937e3646de58e551a29db
-
SHA1
1db4664777b17e004f71cee4002f9ccc430413e4
-
SHA256
463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
-
SHA512
cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
-
SSDEEP
98304:tGFp32YKbG4vUdQUbSZ/I2jeYXyxd4494Wc9f:tEMbqQ5Z/pjVifXuT
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe," reg.exe -
Executes dropped EXE 1 IoCs
Processes:
notepad.exepid process 4852 notepad.exe -
Processes:
resource yara_rule behavioral2/memory/4616-148-0x0000000000400000-0x0000000000A0D000-memory.dmp upx behavioral2/memory/4616-150-0x0000000000400000-0x0000000000A0D000-memory.dmp upx behavioral2/memory/4616-151-0x0000000000400000-0x0000000000A0D000-memory.dmp upx behavioral2/memory/4616-152-0x0000000000400000-0x0000000000A0D000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
Processes:
notepad.exedescription pid process target process PID 4852 set thread context of 4616 4852 notepad.exe AddInProcess32.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 2224 PING.EXE 2592 PING.EXE 2392 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
Doge-Miner203.exenotepad.exepid process 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4208 Doge-Miner203.exe 4852 notepad.exe 4852 notepad.exe 4852 notepad.exe 4852 notepad.exe 4852 notepad.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Doge-Miner203.exenotepad.exedescription pid process Token: SeDebugPrivilege 4208 Doge-Miner203.exe Token: SeDebugPrivilege 4852 notepad.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
Doge-Miner203.execmd.execmd.exenotepad.exedescription pid process target process PID 4208 wrote to memory of 1768 4208 Doge-Miner203.exe cmd.exe PID 4208 wrote to memory of 1768 4208 Doge-Miner203.exe cmd.exe PID 4208 wrote to memory of 1768 4208 Doge-Miner203.exe cmd.exe PID 1768 wrote to memory of 2592 1768 cmd.exe PING.EXE PID 1768 wrote to memory of 2592 1768 cmd.exe PING.EXE PID 1768 wrote to memory of 2592 1768 cmd.exe PING.EXE PID 4208 wrote to memory of 1464 4208 Doge-Miner203.exe cmd.exe PID 4208 wrote to memory of 1464 4208 Doge-Miner203.exe cmd.exe PID 4208 wrote to memory of 1464 4208 Doge-Miner203.exe cmd.exe PID 1464 wrote to memory of 2392 1464 cmd.exe PING.EXE PID 1464 wrote to memory of 2392 1464 cmd.exe PING.EXE PID 1464 wrote to memory of 2392 1464 cmd.exe PING.EXE PID 1768 wrote to memory of 4780 1768 cmd.exe reg.exe PID 1768 wrote to memory of 4780 1768 cmd.exe reg.exe PID 1768 wrote to memory of 4780 1768 cmd.exe reg.exe PID 1464 wrote to memory of 2224 1464 cmd.exe PING.EXE PID 1464 wrote to memory of 2224 1464 cmd.exe PING.EXE PID 1464 wrote to memory of 2224 1464 cmd.exe PING.EXE PID 1464 wrote to memory of 4852 1464 cmd.exe notepad.exe PID 1464 wrote to memory of 4852 1464 cmd.exe notepad.exe PID 1464 wrote to memory of 4852 1464 cmd.exe notepad.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe PID 4852 wrote to memory of 4616 4852 notepad.exe AddInProcess32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 383⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"3⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 48 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe" && ping 127.0.0.1 -n 48 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 483⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 483⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"5⤵
-
C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"5⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exeFilesize
6.1MB
MD5d7e6fd264bc937e3646de58e551a29db
SHA11db4664777b17e004f71cee4002f9ccc430413e4
SHA256463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exeFilesize
6.1MB
MD5d7e6fd264bc937e3646de58e551a29db
SHA11db4664777b17e004f71cee4002f9ccc430413e4
SHA256463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837
-
C:\Users\Admin\AppData\Local\Temp\CPUMON.EXEFilesize
192KB
MD50d965d2e1b40b30d0eb821fc05aee8b6
SHA108bc8f842d39da2e0c72e376296d213afbbe6f16
SHA25690693d7242fb9f853d759a2ec7b247a81adf808dd81dcd631b7dbfafff80b605
SHA5125780394828a5f7b67406fd50c010f5e92752517bfc7e957a589a18ffeb5cdc2a7f7c78b0c4a6f822dc348699bfde9c0f4931356e92d8882f74de98b1c6a7a605
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXEFilesize
85KB
MD56ca3516e1b7a3b7a5e0e3866684eb554
SHA1bea5ff040a735327cdc9e4d5a3d753861a81fd07
SHA256b6df37dcbbd5d9ed73fcb6fe59f89ff1b075440e12674d76a76f5cea9ef992e8
SHA5121cb3b7984ac338ba43a688ab41c9bbdd5a6e4bd7dbeb7b04c67673cdf882d099a7033223d9e0091e96292ce2ff1f228c6e9ce54a1eba32580c7f4dba0a2da288
-
C:\Users\Admin\AppData\Local\Temp\MSCALC.EXEFilesize
85KB
MD56ca3516e1b7a3b7a5e0e3866684eb554
SHA1bea5ff040a735327cdc9e4d5a3d753861a81fd07
SHA256b6df37dcbbd5d9ed73fcb6fe59f89ff1b075440e12674d76a76f5cea9ef992e8
SHA5121cb3b7984ac338ba43a688ab41c9bbdd5a6e4bd7dbeb7b04c67673cdf882d099a7033223d9e0091e96292ce2ff1f228c6e9ce54a1eba32580c7f4dba0a2da288
-
memory/1464-139-0x0000000000000000-mapping.dmp
-
memory/1768-137-0x0000000000000000-mapping.dmp
-
memory/2224-142-0x0000000000000000-mapping.dmp
-
memory/2392-140-0x0000000000000000-mapping.dmp
-
memory/2592-138-0x0000000000000000-mapping.dmp
-
memory/4208-133-0x0000000005CD0000-0x0000000006274000-memory.dmpFilesize
5.6MB
-
memory/4208-132-0x0000000000050000-0x000000000066A000-memory.dmpFilesize
6.1MB
-
memory/4208-136-0x00000000051B0000-0x00000000051BA000-memory.dmpFilesize
40KB
-
memory/4208-134-0x0000000005720000-0x00000000057B2000-memory.dmpFilesize
584KB
-
memory/4208-135-0x00000000057C0000-0x000000000585C000-memory.dmpFilesize
624KB
-
memory/4616-147-0x0000000000000000-mapping.dmp
-
memory/4616-148-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/4616-150-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/4616-151-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/4616-152-0x0000000000400000-0x0000000000A0D000-memory.dmpFilesize
6.1MB
-
memory/4780-141-0x0000000000000000-mapping.dmp
-
memory/4852-143-0x0000000000000000-mapping.dmp
-
memory/4852-146-0x0000000000440000-0x0000000000A5A000-memory.dmpFilesize
6.1MB