Analysis
max time kernel: 120s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/08/2023, 10:59
Static task: static1
Behavioral task: behavioral1
  Sample: mins.exe
  Resource: win10-20230703-en
Behavioral task: behavioral2
  Sample: mins.exe
  Resource: win10v2004-20230703-en
General
Target: mins.exe
Size: 962KB
MD5: d0fdcafe227693a18f52fecb4db174a6
SHA1: b2087f372e9cc7466d37406ab35bd5f3f83c68d3
SHA256: 42a5b1d974f030bc2868a3a2f2cf4dad5443d3e85a18919088429abc1bb9b0ca
SHA512: def0da3fbfcc6674f80a098ad840c8557a6d7f2650f2b1f782f6d330f1b7d84c6410a8048a7c55471890865548339b712c97f219e2ad8d4a5768ee133d772572
SSDEEP: 12288:dGGyqIuubhT0IE+n4Oo5RwIAv7J2J1mxR0Zu4TE39vI9geB:duqIuuJdVumIAv7EJIxRjJVI9geB
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
    description         ioc                                                                                                   Process
    Key value queried   \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation   DNDWMYRI.exe
- Executes dropped EXE (1 IoCs)
    pid    Process
    1084   DNDWMYRI.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
    pid    pid_target   Process        procid_target
    1364   1084         WerFault.exe   97
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid    Process
    2016   schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
    pid    Process
    4640   timeout.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
    pid    Process
    2844   powershell.exe
    4856   powershell.exe
    2844   powershell.exe
    4856   powershell.exe
    3628   powershell.exe
    3292   powershell.exe
    3628   powershell.exe
    3292   powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
    description               pid    Process
    Token: SeDebugPrivilege   2996   mins.exe
    Token: SeDebugPrivilege   2844   powershell.exe
    Token: SeDebugPrivilege   4856   powershell.exe
    Token: SeDebugPrivilege   1084   DNDWMYRI.exe
    Token: SeDebugPrivilege   3628   powershell.exe
    Token: SeDebugPrivilege   3292   powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
    description                        pid    Process        procid_target
    PID 2996 wrote to memory of 4856   2996   mins.exe       82
    PID 2996 wrote to memory of 4856   2996   mins.exe       82
    PID 2996 wrote to memory of 2844   2996   mins.exe       83
    PID 2996 wrote to memory of 2844   2996   mins.exe       83
    PID 2996 wrote to memory of 5096   2996   mins.exe       93
    PID 2996 wrote to memory of 5096   2996   mins.exe       93
    PID 5096 wrote to memory of 4640   5096   cmd.exe        95
    PID 5096 wrote to memory of 4640   5096   cmd.exe        95
    PID 5096 wrote to memory of 1084   5096   cmd.exe        97
    PID 5096 wrote to memory of 1084   5096   cmd.exe        97
    PID 1084 wrote to memory of 3292   1084   DNDWMYRI.exe   99
    PID 1084 wrote to memory of 3292   1084   DNDWMYRI.exe   99
    PID 1084 wrote to memory of 3628   1084   DNDWMYRI.exe   98
    PID 1084 wrote to memory of 3628   1084   DNDWMYRI.exe   98
    PID 1084 wrote to memory of 764    1084   DNDWMYRI.exe   102
    PID 1084 wrote to memory of 764    1084   DNDWMYRI.exe   102
    PID 764 wrote to memory of 2016    764    cmd.exe        104
    PID 764 wrote to memory of 2016    764    cmd.exe        104
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\mins.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mins.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2996
  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4856
  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2844
  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5658.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 5096
    Level 3: C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
      PID: 4640
    Level 3: C:\ProgramData\Includers\DNDWMYRI.exe
      Command line: "C:\ProgramData\Includers\DNDWMYRI.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1084
      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3628
      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3292
      Level 4: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
        - Suspicious use of WriteProcessMemory
        PID: 764
        Level 5: C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DNDWMYRI" /tr "C:\ProgramData\Includers\DNDWMYRI.exe"
          - Creates scheduled task(s)
          PID: 2016
      Level 4: C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 1084 -s 2104
        - Program crash
        PID: 1364
Level 1: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 1084 -ip 1084
  PID: 4988
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 737.0MB
  MD5: 831a50103712ed36fb5ca6a573c4df51
  SHA1: 4bd6f715885891829b1388ecb02c928416f7db7e
  SHA256: c6b2fef9e62a976c3663caadd5da2133b44c8668e726e8f8c259b2893c78fb26
  SHA512: 0fe4154592d68afa1b0076e2bce89c86994f35957a7281707ae78838cbdea75bc1d5ea94fb4973f2bc612f08ccefad832ae4e9fa5f07b8debba68e689f1a1f31
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
- Filesize: 944B
  MD5: caae66b2d6030f85188e48e4ea3a9fa6
  SHA1: 108425bd97144fa0f92ff7b2109fec293d14a461
  SHA256: a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d
  SHA512: 189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 146B
  MD5: 5d02be3bd00333893df2c852a1c89ca3
  SHA1: 3c035497f50989595a60c246c5049423f910ef16
  SHA256: 515c2a7852579449c9706eb0c091bda358179bcbefca36f9a2d37d2fee4c07f3
  SHA512: 0872080bf0efa8d47c6c3ddffc8030e74c09f6c29c88801a326e899e5c8f7b072c3cbc0933f3af7189326759a73211c268f9a734ef74d81e5bdf1296aa2f299d