42a5b1d974f030bc2868a3a2f2cf4dad5443d3e85a18919088429abc1bb9b0ca

Resubmissions

31/08/2023, 11:17

230831-nd2qlaed2w 4

31/08/2023, 10:59

230831-m3s93sef78 7

Analysis

max time kernel
315s
max time network
321s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31/08/2023, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mins.exe
Size

962KB
MD5

d0fdcafe227693a18f52fecb4db174a6
SHA1

b2087f372e9cc7466d37406ab35bd5f3f83c68d3
SHA256

42a5b1d974f030bc2868a3a2f2cf4dad5443d3e85a18919088429abc1bb9b0ca
SHA512

def0da3fbfcc6674f80a098ad840c8557a6d7f2650f2b1f782f6d330f1b7d84c6410a8048a7c55471890865548339b712c97f219e2ad8d4a5768ee133d772572
SSDEEP

12288:dGGyqIuubhT0IE+n4Oo5RwIAv7J2J1mxR0Zu4TE39vI9geB:duqIuuJdVumIAv7EJIxRjJVI9geB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
776	DNDWMYRI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	776	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
452	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2236	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4824	powershell.exe
4684	powershell.exe
4824	powershell.exe
4684	powershell.exe
4824	powershell.exe
4684	powershell.exe
2708	powershell.exe
4760	powershell.exe
2708	powershell.exe
4760	powershell.exe
2708	powershell.exe
4760	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	mins.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4824	powershell.exe
Token: SeSecurityPrivilege	4824	powershell.exe
Token: SeTakeOwnershipPrivilege	4824	powershell.exe
Token: SeLoadDriverPrivilege	4824	powershell.exe
Token: SeSystemProfilePrivilege	4824	powershell.exe
Token: SeSystemtimePrivilege	4824	powershell.exe
Token: SeProfSingleProcessPrivilege	4824	powershell.exe
Token: SeIncBasePriorityPrivilege	4824	powershell.exe
Token: SeCreatePagefilePrivilege	4824	powershell.exe
Token: SeBackupPrivilege	4824	powershell.exe
Token: SeRestorePrivilege	4824	powershell.exe
Token: SeShutdownPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeSystemEnvironmentPrivilege	4824	powershell.exe
Token: SeRemoteShutdownPrivilege	4824	powershell.exe
Token: SeUndockPrivilege	4824	powershell.exe
Token: SeManageVolumePrivilege	4824	powershell.exe
Token: 33	4824	powershell.exe
Token: 34	4824	powershell.exe
Token: 35	4824	powershell.exe
Token: 36	4824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	powershell.exe
Token: SeSecurityPrivilege	4684	powershell.exe
Token: SeTakeOwnershipPrivilege	4684	powershell.exe
Token: SeLoadDriverPrivilege	4684	powershell.exe
Token: SeSystemProfilePrivilege	4684	powershell.exe
Token: SeSystemtimePrivilege	4684	powershell.exe
Token: SeProfSingleProcessPrivilege	4684	powershell.exe
Token: SeIncBasePriorityPrivilege	4684	powershell.exe
Token: SeCreatePagefilePrivilege	4684	powershell.exe
Token: SeBackupPrivilege	4684	powershell.exe
Token: SeRestorePrivilege	4684	powershell.exe
Token: SeShutdownPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeSystemEnvironmentPrivilege	4684	powershell.exe
Token: SeRemoteShutdownPrivilege	4684	powershell.exe
Token: SeUndockPrivilege	4684	powershell.exe
Token: SeManageVolumePrivilege	4684	powershell.exe
Token: 33	4684	powershell.exe
Token: 34	4684	powershell.exe
Token: 35	4684	powershell.exe
Token: 36	4684	powershell.exe
Token: SeDebugPrivilege	776	DNDWMYRI.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeIncreaseQuotaPrivilege	2708	powershell.exe
Token: SeSecurityPrivilege	2708	powershell.exe
Token: SeTakeOwnershipPrivilege	2708	powershell.exe
Token: SeLoadDriverPrivilege	2708	powershell.exe
Token: SeSystemProfilePrivilege	2708	powershell.exe
Token: SeSystemtimePrivilege	2708	powershell.exe
Token: SeProfSingleProcessPrivilege	2708	powershell.exe
Token: SeIncBasePriorityPrivilege	2708	powershell.exe
Token: SeCreatePagefilePrivilege	2708	powershell.exe
Token: SeBackupPrivilege	2708	powershell.exe
Token: SeRestorePrivilege	2708	powershell.exe
Token: SeShutdownPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeSystemEnvironmentPrivilege	2708	powershell.exe
Token: SeRemoteShutdownPrivilege	2708	powershell.exe
Token: SeUndockPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4824	4848	mins.exe	70
PID 4848 wrote to memory of 4824	4848	mins.exe	70
PID 4848 wrote to memory of 4684	4848	mins.exe	73
PID 4848 wrote to memory of 4684	4848	mins.exe	73
PID 4848 wrote to memory of 4484	4848	mins.exe	75
PID 4848 wrote to memory of 4484	4848	mins.exe	75
PID 4484 wrote to memory of 2236	4484	cmd.exe	77
PID 4484 wrote to memory of 2236	4484	cmd.exe	77
PID 4484 wrote to memory of 776	4484	cmd.exe	78
PID 4484 wrote to memory of 776	4484	cmd.exe	78
PID 776 wrote to memory of 4760	776	DNDWMYRI.exe	82
PID 776 wrote to memory of 4760	776	DNDWMYRI.exe	82
PID 776 wrote to memory of 2708	776	DNDWMYRI.exe	81
PID 776 wrote to memory of 2708	776	DNDWMYRI.exe	81
PID 776 wrote to memory of 3480	776	DNDWMYRI.exe	83
PID 776 wrote to memory of 3480	776	DNDWMYRI.exe	83
PID 3480 wrote to memory of 452	3480	cmd.exe	85
PID 3480 wrote to memory of 452	3480	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\mins.exe
"C:\Users\Admin\AppData\Local\Temp\mins.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2236
- - C:\ProgramData\Includers\DNDWMYRI.exe
    "C:\ProgramData\Includers\DNDWMYRI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:452
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 776 -s 2036
      4⤵
      Program crash
      PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Includers\DNDWMYRI.exe

Filesize
703.0MB

MD5
62ec89f5b638692dd5245b7c732fa3b3

SHA1
e90c3537039e0f4337e7224cbbeac008edc86d77

SHA256
a0ec753caf3b7382832d05d7e655695139e2a3f1efe84ccf24cb1d85a19c7fa8

SHA512
4629271fe32b38a95494ae208a2e46198257ba73eaf9bd60c529efef2fdbe834a4ad4f718e1a75f93c706dcb9cf46d351f774b69fe839dc8c9aea5aa3e2b06d1

Download Submit
C:\ProgramData\Includers\DNDWMYRI.exe

Filesize
703.0MB

MD5
62ec89f5b638692dd5245b7c732fa3b3

SHA1
e90c3537039e0f4337e7224cbbeac008edc86d77

SHA256
a0ec753caf3b7382832d05d7e655695139e2a3f1efe84ccf24cb1d85a19c7fa8

SHA512
4629271fe32b38a95494ae208a2e46198257ba73eaf9bd60c529efef2fdbe834a4ad4f718e1a75f93c706dcb9cf46d351f774b69fe839dc8c9aea5aa3e2b06d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1665dcb79bc475005fcbd25d97cb10d

SHA1
98e050e87cb0032e7b392b4ad8d74d6e5d090b58

SHA256
22313915618a278f171cbba67291540e9361f706a4f2c4d449f853d9a8a3894e

SHA512
246e70d843dee3337a62869b55f9a6e6b189f4fc866898f40d5d0f8e7873ae19014a3e908ed41b9f0401b0c4251341088abf67fabbaf5324f133ca8ab7ee3d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1665dcb79bc475005fcbd25d97cb10d

SHA1
98e050e87cb0032e7b392b4ad8d74d6e5d090b58

SHA256
22313915618a278f171cbba67291540e9361f706a4f2c4d449f853d9a8a3894e

SHA512
246e70d843dee3337a62869b55f9a6e6b189f4fc866898f40d5d0f8e7873ae19014a3e908ed41b9f0401b0c4251341088abf67fabbaf5324f133ca8ab7ee3d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
788a2ccd5b34778ded24cd0ab709c796

SHA1
3705b727a9490cd9b652005bf51e1257ed2b6a46

SHA256
3e6606bacdc2d23b1ea04fbaf02cdf8e781138cb9f83356def3db80607a424d2

SHA512
8114ac4196b65e8b6a9d64ae4f6cd6218213c04872a1460988cf5d2c6f9457bf24c86e3b616c900028d5d2f0f6b51adb7ca3440d1032b4a50148d41781e96d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4uxng5y.z3x.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp.bat

Filesize
146B

MD5
5a8af685cca196668ae50c204c4d5aec

SHA1
c6ec9d9c02c267e712269ca8ce93b58efa1a817a

SHA256
2bb8efbb824bc5adb2ff7555339245fac25b34dd29adb50d515841c3ff90c44f

SHA512
4970094ab9ddff2decba306170d3be3733eabef1e78bce5f655c97dac0fb89fa48730e11431642d6b445e4cf72eb4d858e84b3e795b6e44f56b04c036b9dd995

Download Submit
memory/776-117-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/776-219-0x0000000001BD0000-0x0000000001BE0000-memory.dmp

Filesize
64KB

Download
memory/776-218-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/776-118-0x0000000001BD0000-0x0000000001BE0000-memory.dmp

Filesize
64KB

Download
memory/2708-163-0x000002464BB50000-0x000002464BB60000-memory.dmp

Filesize
64KB

Download
memory/2708-125-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-214-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-210-0x000002464BB50000-0x000002464BB60000-memory.dmp

Filesize
64KB

Download
memory/2708-134-0x000002464BB50000-0x000002464BB60000-memory.dmp

Filesize
64KB

Download
memory/2708-131-0x000002464BB50000-0x000002464BB60000-memory.dmp

Filesize
64KB

Download
memory/4684-16-0x000001D26F640000-0x000001D26F650000-memory.dmp

Filesize
64KB

Download
memory/4684-105-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4684-95-0x000001D26F640000-0x000001D26F650000-memory.dmp

Filesize
64KB

Download
memory/4684-14-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4684-17-0x000001D26F640000-0x000001D26F650000-memory.dmp

Filesize
64KB

Download
memory/4684-59-0x000001D26F640000-0x000001D26F650000-memory.dmp

Filesize
64KB

Download
memory/4760-132-0x000001ED7D610000-0x000001ED7D620000-memory.dmp

Filesize
64KB

Download
memory/4760-217-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4760-213-0x000001ED7D610000-0x000001ED7D620000-memory.dmp

Filesize
64KB

Download
memory/4760-171-0x000001ED7D610000-0x000001ED7D620000-memory.dmp

Filesize
64KB

Download
memory/4760-133-0x000001ED7D610000-0x000001ED7D620000-memory.dmp

Filesize
64KB

Download
memory/4760-130-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4824-8-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4824-94-0x0000023BB8AA0000-0x0000023BB8AB0000-memory.dmp

Filesize
64KB

Download
memory/4824-15-0x0000023BB8AA0000-0x0000023BB8AB0000-memory.dmp

Filesize
64KB

Download
memory/4824-18-0x0000023BB8FD0000-0x0000023BB8FF2000-memory.dmp

Filesize
136KB

Download
memory/4824-21-0x0000023BD1290000-0x0000023BD1306000-memory.dmp

Filesize
472KB

Download
memory/4824-44-0x0000023BB8AA0000-0x0000023BB8AB0000-memory.dmp

Filesize
64KB

Download
memory/4824-10-0x0000023BB8AA0000-0x0000023BB8AB0000-memory.dmp

Filesize
64KB

Download
memory/4824-100-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-113-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-0-0x0000000000900000-0x00000000009F4000-memory.dmp

Filesize
976KB

Download
memory/4848-1-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download
memory/4848-106-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/4848-2-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/4848-96-0x00007FFDC7250000-0x00007FFDC7C3C000-memory.dmp

Filesize
9.9MB

Download