Analysis
max time kernel: 141s
max time network: 87s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 31/12/2023, 10:17
Static task: static1
Behavioral task: behavioral1
Sample: 325cfaf6a3942af25d654ca13cc9f795.exe
Resource: win7-20231215-en
General
Target: 325cfaf6a3942af25d654ca13cc9f795.exe
Size: 20.9MB
MD5: 325cfaf6a3942af25d654ca13cc9f795
SHA1: 22e35e72c0e4d671f0a08ca8ed81bed6f45e645f
SHA256: cc145daee28e88dfb6b51e77a5d9f29152d4da1f5789b2b3a4d8fcb736543e3b
SHA512: 9ad4cfd83818d679dffa4deca0c7b4600330aad6173e60e3d92643763331bcf4602924b8690769c5a078803e9d5e01c9f89b926e43f31497749482f3e7292ccb
SSDEEP: 393216:VDWY3GXUqmXRacn2zs/1o2I4/Y0ZZ5cBnK5BPg6azZrPa6bIxPa9XvO:VDWaGXEXRacn2k1oetrco5BPg6azZm6H
Malware Config
Signatures
Detects Phoenix Miner Payload 1 IoCs
resource yara_rule
behavioral2/files/0x00020000000228c7-10.dat miner_phoenix

VMProtect packed file 1 IoCs
resource yara_rule
behavioral2/files/0x000a000000023136-18.dat vmprotect
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/3548-3-0x0000000140000000-0x0000000142A34000-memory.dmp autoit_exe
behavioral2/memory/3548-36-0x0000000140000000-0x0000000142A34000-memory.dmp autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid  Process
3548 325cfaf6a3942af25d654ca13cc9f795.exe

Runs ping.exe 1 TTPs 1 IoCs
pid  Process
5036 PING.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid  Process
3548 325cfaf6a3942af25d654ca13cc9f795.exe (the same pid/process pair is reported 12 times)
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                               procid_target
PID 3548 wrote to memory of 2464  3548  325cfaf6a3942af25d654ca13cc9f795.exe  102
PID 3548 wrote to memory of 2464  3548  325cfaf6a3942af25d654ca13cc9f795.exe  102
PID 2464 wrote to memory of 5036  2464  cmd.exe                               100
PID 2464 wrote to memory of 5036  2464  cmd.exe                               100
Processes
- C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe
  "C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"
  PID: 3548
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
    PID: 2464
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      ping -n 10 127.0.0.1
      PID: 5036
      - Runs ping.exe
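The process chain above (the sample in %TEMP% launching cmd.exe /c on scratch.bat, which in turn runs ping -n 10 127.0.0.1, a common batch-file substitute for a sleep) and the cmd.exe to PING.EXE entry in the WriteProcessMemory table are the relationships a detection can key on, independent of the sample's hashes. The Python below is an added example and not part of the sandbox report or its tooling: it runs over process-creation events constructed to mirror the tree above (PIDs, image paths and command lines are from the report; the sample's parent PID 1234, the 7000/6000 benign ping event and the user-writable-path list are assumptions) and flags a loopback ping whose ancestry runs through cmd.exe executing a .bat from %TEMP% that was itself started by an image in a user-writable directory. The contents of scratch.bat are not on the page and the example does not assume them.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon event 1 / EDR style), constructed for this example."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the sandbox process tree. PIDs, image paths and
# command lines are taken from the report; the parent PID 1234 of the sample and
# the benign ping at the end are assumptions made for the example.
EVENTS = [
    ProcEvent(3548, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\325cfaf6a3942af25d654ca13cc9f795.exe"'),
    ProcEvent(2464, 3548, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat"),
    ProcEvent(5036, 2464, r"C:\Windows\system32\PING.EXE", "ping -n 10 127.0.0.1"),
    # Benign noise: a console user pinging a real host from a shell that is not in %TEMP%.
    ProcEvent(7000, 6000, r"C:\Windows\system32\PING.EXE", "ping -n 4 10.0.0.1"),
]

# Image directories an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)
# ping -n <count> against loopback: a delay loop in batch files, not a network probe.
PING_LOOPBACK = re.compile(r"\bping(\.exe)?\s+(-n\s+\d+\s+)?(127\.0\.0\.1|localhost)\b", re.I)
# cmd.exe /c running a batch file out of %TEMP%.
CMD_BAT_TEMP = re.compile(r"cmd(\.exe)?\s+/c\s+\S*\\AppData\\Local\\Temp\\\S+\.bat", re.I)


def ancestry(events, pid):
    """Return the chain of events from pid up to the root, nearest first.
    Stops at unknown parents and guards against cycles caused by PID reuse."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        e = by_pid[pid]
        chain.append(e)
        pid = e.ppid
    return chain


def ping_delay_seconds(cmdline):
    """Approximate delay a 'ping -n N 127.0.0.1' introduces: N-1 one-second waits."""
    m = re.search(r"-n\s+(\d+)", cmdline, re.I)
    return max(int(m.group(1)) - 1, 0) if m else 0


def find_loopback_ping_delays(events):
    """Flag loopback pings whose ancestry is cmd.exe /c <TEMP>\\*.bat spawned by an
    image in a user-writable directory. Returns (launcher_pid, cmd_pid, ping_pid, delay_s)."""
    hits = []
    for e in events:
        if "ping" not in e.image.lower() or not PING_LOOPBACK.search(e.cmdline):
            continue
        parents = ancestry(events, e.ppid)
        cmd = next((p for p in parents if CMD_BAT_TEMP.search(p.cmdline)), None)
        if cmd is None:
            continue
        launcher = next((p for p in ancestry(events, cmd.ppid)
                         if USER_WRITABLE.search(p.image)), None)
        if launcher is not None:
            hits.append((launcher.pid, cmd.pid, e.pid, ping_delay_seconds(e.cmdline)))
    return hits


if __name__ == "__main__":
    for launcher, cmd, ping, delay in find_loopback_ping_delays(EVENTS):
        print(f"launcher {launcher} -> cmd.exe {cmd} -> ping {ping}: ~{delay}s delay")
```

Run against the constructed events it reports only the 3548 -> 2464 -> 5036 chain with a roughly nine-second delay; the benign ping to 10.0.0.1 is ignored because it neither targets loopback nor descends from a cmd.exe running a .bat out of %TEMP%. In a real pipeline the same three predicates map onto process-creation telemetry fields (Image, ParentProcessId, CommandLine), and the ancestry walk is what turns a noisy "ping.exe ran" event into a high-confidence one.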
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 381KB
MD5: da8b9858de517c82565b4db05480e12e
SHA1: 316c95ff894ec51c90f3a51f8b9cfd5d1dee0c00
SHA256: 11bc5103504955a39a4b054e3e61d812cca75b5cb05b5bb31a582e941c9a6d9d
SHA512: 1302bc641bb8b8c9e2b54101f22f2035a66ee7278ac4da662117c6af42513e16f69a0c8c50151ade544ac324c6f8c9f1c923ba2cf69e1b3b4456eb336694f0c1

Filesize: 212B
MD5: 8c8782f67bc6d4823d996cef5d65e5a5
SHA1: b1c7659248601845685a89c09575f033c9526f63
SHA256: 85668bf14ce3846a8b8610306e595e7efd7066d67fdeb75987db44bca21b0817
SHA512: 011996b197b3e4cd30c705ca934237bc2851e41cb2a68e38ffa71b264084129e91267e19133336c05667e1eee86a868d45af5d480e14d1380517c8efdcd8b1fb