42a5b1d974f030bc2868a3a2f2cf4dad5443d3e85a18919088429abc1bb9b0ca

General

Target

mins.exe
Size

962KB
MD5

d0fdcafe227693a18f52fecb4db174a6
SHA1

b2087f372e9cc7466d37406ab35bd5f3f83c68d3
SHA256

42a5b1d974f030bc2868a3a2f2cf4dad5443d3e85a18919088429abc1bb9b0ca
SHA512

def0da3fbfcc6674f80a098ad840c8557a6d7f2650f2b1f782f6d330f1b7d84c6410a8048a7c55471890865548339b712c97f219e2ad8d4a5768ee133d772572
SSDEEP

12288:dGGyqIuubhT0IE+n4Oo5RwIAv7J2J1mxR0Zu4TE39vI9geB:duqIuuJdVumIAv7EJIxRjJVI9geB

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	DNDWMYRI.exe

Executes dropped EXE 1 IoCs

pid	Process
1084	DNDWMYRI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1364	1084	WerFault.exe	97

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2016	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4640	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2844	powershell.exe
4856	powershell.exe
2844	powershell.exe
4856	powershell.exe
3628	powershell.exe
3292	powershell.exe
3628	powershell.exe
3292	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	mins.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	1084	DNDWMYRI.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4856	2996	mins.exe	82
PID 2996 wrote to memory of 4856	2996	mins.exe	82
PID 2996 wrote to memory of 2844	2996	mins.exe	83
PID 2996 wrote to memory of 2844	2996	mins.exe	83
PID 2996 wrote to memory of 5096	2996	mins.exe	93
PID 2996 wrote to memory of 5096	2996	mins.exe	93
PID 5096 wrote to memory of 4640	5096	cmd.exe	95
PID 5096 wrote to memory of 4640	5096	cmd.exe	95
PID 5096 wrote to memory of 1084	5096	cmd.exe	97
PID 5096 wrote to memory of 1084	5096	cmd.exe	97
PID 1084 wrote to memory of 3292	1084	DNDWMYRI.exe	99
PID 1084 wrote to memory of 3292	1084	DNDWMYRI.exe	99
PID 1084 wrote to memory of 3628	1084	DNDWMYRI.exe	98
PID 1084 wrote to memory of 3628	1084	DNDWMYRI.exe	98
PID 1084 wrote to memory of 764	1084	DNDWMYRI.exe	102
PID 1084 wrote to memory of 764	1084	DNDWMYRI.exe	102
PID 764 wrote to memory of 2016	764	cmd.exe	104
PID 764 wrote to memory of 2016	764	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\mins.exe
"C:\Users\Admin\AppData\Local\Temp\mins.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5658.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4640
- - C:\ProgramData\Includers\DNDWMYRI.exe
    "C:\ProgramData\Includers\DNDWMYRI.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2016
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1084 -s 2104
      4⤵
      Program crash
      PID:1364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1084 -ip 1084
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Includers\DNDWMYRI.exe

Filesize
737.0MB

MD5
831a50103712ed36fb5ca6a573c4df51

SHA1
4bd6f715885891829b1388ecb02c928416f7db7e

SHA256
c6b2fef9e62a976c3663caadd5da2133b44c8668e726e8f8c259b2893c78fb26

SHA512
0fe4154592d68afa1b0076e2bce89c86994f35957a7281707ae78838cbdea75bc1d5ea94fb4973f2bc612f08ccefad832ae4e9fa5f07b8debba68e689f1a1f31

Download Submit
C:\ProgramData\Includers\DNDWMYRI.exe

Filesize
737.0MB

MD5
831a50103712ed36fb5ca6a573c4df51

SHA1
4bd6f715885891829b1388ecb02c928416f7db7e

SHA256
c6b2fef9e62a976c3663caadd5da2133b44c8668e726e8f8c259b2893c78fb26

SHA512
0fe4154592d68afa1b0076e2bce89c86994f35957a7281707ae78838cbdea75bc1d5ea94fb4973f2bc612f08ccefad832ae4e9fa5f07b8debba68e689f1a1f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrlynrmz.nu0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5658.tmp.bat

Filesize
146B

MD5
5d02be3bd00333893df2c852a1c89ca3

SHA1
3c035497f50989595a60c246c5049423f910ef16

SHA256
515c2a7852579449c9706eb0c091bda358179bcbefca36f9a2d37d2fee4c07f3

SHA512
0872080bf0efa8d47c6c3ddffc8030e74c09f6c29c88801a326e899e5c8f7b072c3cbc0933f3af7189326759a73211c268f9a734ef74d81e5bdf1296aa2f299d

Download Submit
memory/1084-86-0x000000001CA10000-0x000000001CA20000-memory.dmp

Filesize
64KB

Download
memory/1084-81-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/1084-88-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/1084-51-0x000000001CA10000-0x000000001CA20000-memory.dmp

Filesize
64KB

Download
memory/1084-50-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/2844-27-0x00000222D6510000-0x00000222D6520000-memory.dmp

Filesize
64KB

Download
memory/2844-8-0x00000222D8320000-0x00000222D8342000-memory.dmp

Filesize
136KB

Download
memory/2844-29-0x00000222D6510000-0x00000222D6520000-memory.dmp

Filesize
64KB

Download
memory/2844-5-0x00000222D6510000-0x00000222D6520000-memory.dmp

Filesize
64KB

Download
memory/2844-4-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/2844-37-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/2844-6-0x00000222D6510000-0x00000222D6520000-memory.dmp

Filesize
64KB

Download
memory/2996-1-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/2996-2-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/2996-46-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/2996-39-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/2996-38-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/2996-0-0x00000000004D0000-0x00000000005C4000-memory.dmp

Filesize
976KB

Download
memory/3292-82-0x000001E55A900000-0x000001E55A910000-memory.dmp

Filesize
64KB

Download
memory/3292-76-0x000001E55A900000-0x000001E55A910000-memory.dmp

Filesize
64KB

Download
memory/3292-55-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/3292-87-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/3628-66-0x0000024717170000-0x0000024717180000-memory.dmp

Filesize
64KB

Download
memory/3628-54-0x0000024717170000-0x0000024717180000-memory.dmp

Filesize
64KB

Download
memory/3628-79-0x0000024717170000-0x0000024717180000-memory.dmp

Filesize
64KB

Download
memory/3628-52-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/3628-53-0x0000024717170000-0x0000024717180000-memory.dmp

Filesize
64KB

Download
memory/3628-83-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/4856-36-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download
memory/4856-30-0x000002063CF30000-0x000002063CF40000-memory.dmp

Filesize
64KB

Download
memory/4856-28-0x000002063CF30000-0x000002063CF40000-memory.dmp

Filesize
64KB

Download
memory/4856-7-0x00007FFA6EE70000-0x00007FFA6F931000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads