Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 10:17
Static task: static1
Behavioral task: behavioral1
Sample: 325cfaf6a3942af25d654ca13cc9f795.exe
Resource: win7-20231215-en
General
Target: 325cfaf6a3942af25d654ca13cc9f795.exe
Size: 20.9MB
MD5: 325cfaf6a3942af25d654ca13cc9f795
SHA1: 22e35e72c0e4d671f0a08ca8ed81bed6f45e645f
SHA256: cc145daee28e88dfb6b51e77a5d9f29152d4da1f5789b2b3a4d8fcb736543e3b
SHA512: 9ad4cfd83818d679dffa4deca0c7b4600330aad6173e60e3d92643763331bcf4602924b8690769c5a078803e9d5e01c9f89b926e43f31497749482f3e7292ccb
SSDEEP: 393216:VDWY3GXUqmXRacn2zs/1o2I4/Y0ZZ5cBnK5BPg6azZrPa6bIxPa9XvO:VDWaGXEXRacn2k1oetrco5BPg6azZm6H
Malware Config
Signatures
Detects Phoenix Miner Payload (1 IoCs)
resource: behavioral1/files/0x0031000000016fb9-27.dat; yara_rule: miner_phoenix
Deletes itself (1 IoCs)
pid: 2616; Process: cmd.exe
resource: behavioral1/files/0x00300000000170b7-45.dat; yara_rule: vmprotect
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource: behavioral1/memory/2124-16-0x0000000140000000-0x0000000142A34000-memory.dmp; yara_rule: autoit_exe
resource: behavioral1/memory/2124-55-0x0000000140000000-0x0000000142A34000-memory.dmp; yara_rule: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid: 2124; Process: 325cfaf6a3942af25d654ca13cc9f795.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid: 2580; Process: PING.EXE
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid: 2124; Process: 325cfaf6a3942af25d654ca13cc9f795.exe (6 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 2124 wrote to memory of 2616; pid: 2124; Process: 325cfaf6a3942af25d654ca13cc9f795.exe; procid_target: 28
description: PID 2124 wrote to memory of 2616; pid: 2124; Process: 325cfaf6a3942af25d654ca13cc9f795.exe; procid_target: 28
description: PID 2124 wrote to memory of 2616; pid: 2124; Process: 325cfaf6a3942af25d654ca13cc9f795.exe; procid_target: 28
description: PID 2616 wrote to memory of 2580; pid: 2616; Process: cmd.exe; procid_target: 30
description: PID 2616 wrote to memory of 2580; pid: 2616; Process: cmd.exe; procid_target: 30
description: PID 2616 wrote to memory of 2580; pid: 2616; Process: cmd.exe; procid_target: 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"
   PID: 2124
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
      PID: 2616
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\PING.EXE
         Command line: ping -n 10 127.0.0.1
         PID: 2580
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 8c8782f67bc6d4823d996cef5d65e5a5
SHA1: b1c7659248601845685a89c09575f033c9526f63
SHA256: 85668bf14ce3846a8b8610306e595e7efd7066d67fdeb75987db44bca21b0817
SHA512: 011996b197b3e4cd30c705ca934237bc2851e41cb2a68e38ffa71b264084129e91267e19133336c05667e1eee86a868d45af5d480e14d1380517c8efdcd8b1fb

Filesize: 10.9MB
MD5: acc4d5da6dc251691567d6833b1b56b9
SHA1: 885b1864ab51cdddec6257087396db2e5e5204a1
SHA256: 9458075d710c58ac2ff0a14811758c8d91279b3940a71846b0ddedaa580d0042
SHA512: 81bda2d2e94ea7afdd30329145ef4b67537a639a0d657b838606106a6938f29adf7e21dbc3de5058255d2da3b1efd8e0b3ab1818cc0056a4a905e87b37379638

Filesize: 5.2MB
MD5: 30ab5838cc15d70fd39faad81f64f712
SHA1: 1cd9ccc075da933c34acccf7a24445a4ece7dd64
SHA256: 295b1ea128454f1c9224113d7e074795f545d85a6133bb77aa10fd12f538cb2f
SHA512: a7f1b313db71d009afc4444ce458dc5537dc0f544c2138d9ca210a2ac63fa1dc47f6bbb0529c66c1622e1821dfbdec89349320a42100e7ddd484df1c19458378