Overview
overview
10Static
static
10075F9A8B9A...C5.exe
windows7-x64
1075F9A8B9A...C5.exe
windows10-2004-x64
1145F7ABE9A...EA.exe
windows7-x64
10145F7ABE9A...EA.exe
windows10-2004-x64
101A99AC759F...31.exe
windows7-x64
31A99AC759F...31.exe
windows10-2004-x64
31BE33E4291...2D.exe
windows7-x64
101BE33E4291...2D.exe
windows10-2004-x64
102188BAE387...0C.dll
windows7-x64
32188BAE387...0C.dll
windows10-2004-x64
322F524ABC9...92.exe
windows7-x64
1022F524ABC9...92.exe
windows10-2004-x64
1033381793BD...5E.exe
windows7-x64
133381793BD...5E.exe
windows10-2004-x64
161C0810A23...A1.exe
windows7-x64
161C0810A23...A1.exe
windows10-2004-x64
1676A2A0D88...CB.exe
windows7-x64
7676A2A0D88...CB.exe
windows10-2004-x64
773D29DEAC4...09.exe
windows7-x64
173D29DEAC4...09.exe
windows10-2004-x64
181EFD50EB3...29.exe
windows7-x64
781EFD50EB3...29.exe
windows10-2004-x64
78E83C0F656...07.exe
windows7-x64
108E83C0F656...07.exe
windows10-2004-x64
1099CA9F3245...E2.exe
windows7-x64
599CA9F3245...E2.exe
windows10-2004-x64
5B1E12D0216...06.exe
windows7-x64
10B1E12D0216...06.exe
windows10-2004-x64
10C6185A23C5...C8.exe
windows7-x64
10C6185A23C5...C8.exe
windows10-2004-x64
10CDCFEDDB0A...3E.exe
windows7-x64
10CDCFEDDB0A...3E.exe
windows10-2004-x64
10Analysis
-
max time kernel
117s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-01-2024 14:20
Behavioral task
behavioral1
Sample
075F9A8B9A5A3F3C221CFA69BA8B3590CFB873946970B7F3DBD333A580D24AC5.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
075F9A8B9A5A3F3C221CFA69BA8B3590CFB873946970B7F3DBD333A580D24AC5.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
145F7ABE9ABFFD0422F1C1F4CF429E89FD9D3BE93E6C3A0DD852DB708992C4EA.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
145F7ABE9ABFFD0422F1C1F4CF429E89FD9D3BE93E6C3A0DD852DB708992C4EA.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
1A99AC759FCD881729B76C2904476B4201E794DF2D0547C954EA37BE7C153131.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
1A99AC759FCD881729B76C2904476B4201E794DF2D0547C954EA37BE7C153131.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral7
Sample
1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
2188BAE387FD2665D807D0B67B916973478CBE417D2042A146C8EADF77AF600C.dll
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
2188BAE387FD2665D807D0B67B916973478CBE417D2042A146C8EADF77AF600C.dll
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
22F524ABC98F958705FEBD3761BEDC85EC1AE859316A653B67C0C01327533092.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
33381793BD156716647F2C2E14047AA5559E940FF584D3FF6110B96EB701115E.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
33381793BD156716647F2C2E14047AA5559E940FF584D3FF6110B96EB701115E.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral15
Sample
61C0810A23580CF492A6BA4F7654566108331E7A4134C968C2D6A05261B2D8A1.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
61C0810A23580CF492A6BA4F7654566108331E7A4134C968C2D6A05261B2D8A1.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
676A2A0D88A79012300A63092DA090F5B0D0BDFC105541732254E0AE1FEB2FCB.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
676A2A0D88A79012300A63092DA090F5B0D0BDFC105541732254E0AE1FEB2FCB.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
73D29DEAC41E022CE77730F74D5EFB0828F56D1F2BEB91FD24ABC867F851FE09.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
73D29DEAC41E022CE77730F74D5EFB0828F56D1F2BEB91FD24ABC867F851FE09.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
81EFD50EB374AD2176E2655AF10276079F733C0592E83E3A044253DCBE06F329.exe
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
81EFD50EB374AD2176E2655AF10276079F733C0592E83E3A044253DCBE06F329.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
8E83C0F6566169AF1CF6C28670DCEE6EDEB15D0913AA24AD3831C9F97EB42307.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
8E83C0F6566169AF1CF6C28670DCEE6EDEB15D0913AA24AD3831C9F97EB42307.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral25
Sample
99CA9F3245265C2F9D395B4B3A8554056E481C6FEE98B839C9C5ADB5B79E0DE2.exe
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
99CA9F3245265C2F9D395B4B3A8554056E481C6FEE98B839C9C5ADB5B79E0DE2.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
B1E12D0216A946329FE549E09BF481D7DF9E8E3BC3F99BC24D9940CBB8F76F06.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
B1E12D0216A946329FE549E09BF481D7DF9E8E3BC3F99BC24D9940CBB8F76F06.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
C6185A23C51B8AC77E6C1BDF2CD4A8D39B02AF8B8027D4162CF9766D19CF87C8.exe
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
C6185A23C51B8AC77E6C1BDF2CD4A8D39B02AF8B8027D4162CF9766D19CF87C8.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
CDCFEDDB0ACA42E65E6A4822C1F23DF7C4AE92775EBCC0B45D4160B732B0983E.exe
Resource
win7-20231215-en
General
-
Target
1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
-
Size
1.8MB
-
MD5
7b7f4f390ecafc124ac298f5f58f46ae
-
SHA1
ed19d12269c86117897865ebc3e6e79d11d485a6
-
SHA256
1be33e42910515d58685e4cee83c4c9b7de4e6a155a6fd936922682a9922d42d
-
SHA512
fc37474112152bc9ea1d3671b445fc59995e868bac2203147854824ea94e5d171a5b1e29474403377b504ac778f04b3290628383758ec428f6838e0271eb7545
-
SSDEEP
49152:VEVUcg1LD3L+nIrBQfLdKiDRB1X8wcWynn:VE3g1RkAiDrmwchnn
Malware Config
Signatures
-
XMRig Miner payload 1 IoCs
resource yara_rule behavioral7/memory/2696-25-0x0000000000400000-0x000000000070F000-memory.dmp xmrig -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2928 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 3004 Chrome.exe -
Loads dropped DLL 2 IoCs
pid Process 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe -
resource yara_rule behavioral7/memory/1696-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral7/memory/1696-7-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral7/memory/2696-18-0x0000000000400000-0x000000000070F000-memory.dmp upx behavioral7/memory/2696-20-0x0000000000400000-0x000000000070F000-memory.dmp upx behavioral7/memory/2696-21-0x0000000000400000-0x000000000070F000-memory.dmp upx behavioral7/memory/2696-23-0x0000000000400000-0x000000000070F000-memory.dmp upx behavioral7/memory/2696-24-0x0000000000400000-0x000000000070F000-memory.dmp upx behavioral7/memory/2696-25-0x0000000000400000-0x000000000070F000-memory.dmp upx behavioral7/memory/1696-28-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\C:\Google\Chrome\Update\Chrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe\"" 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Google\Chrome\Update\Chrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe\"" 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral7/memory/1696-7-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral7/memory/1696-28-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3004 set thread context of 2696 3004 Chrome.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3004 Chrome.exe Token: SeLockMemoryPrivilege 2696 notepad.exe Token: SeLockMemoryPrivilege 2696 notepad.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1696 wrote to memory of 3004 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 28 PID 1696 wrote to memory of 3004 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 28 PID 1696 wrote to memory of 3004 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 28 PID 1696 wrote to memory of 3004 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 28 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29 PID 1696 wrote to memory of 2928 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 30 PID 1696 wrote to memory of 2928 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 30 PID 1696 wrote to memory of 2928 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 30 PID 1696 wrote to memory of 2928 1696 1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe 30 PID 3004 wrote to memory of 2696 3004 Chrome.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe"C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Google\Chrome\Update\Chrome.exeC:\Google\Chrome\Update\Chrome.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\ExxprQSiUG\cfgi"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe" "Chrome.exe" ENABLE2⤵
- Modifies Windows Firewall
PID:2928
-
Network
-
Remote address:8.8.8.8:53Requestchromeupdate.linkpc.netIN AResponsechromeupdate.linkpc.netIN A178.238.184.127
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD594f3e40ceba94f6d85d5731c2a5d380d
SHA1a378f737bfea085b152744c2761e16e9be2007eb
SHA2565159fa4d7cce05595f252d37924546906020526e0d4509768f71c0f3f778235b
SHA5123f1151b17290b53bdf1024fc5059fe8f95b5afa06576b389587f9abe85ab69c02f88d2b45dc736ff6b7dcd6a383453b7a0d3673b23704774da8a485c806c1154
-
Filesize
1KB
MD5ad944040de134ef4ef9bbd7b59eec818
SHA1541be6a2f3001bd98898d1d9b23c625f6b1d338b
SHA256e54f48a66e6124b152b37d8092a9505039bb49a6e984d52dd75a4139603dbbfb
SHA5120e73ee9489d18e0d4fbdfb29e2b0555f8b8c9ca919d268873b307ade7b7b2353e850b4725303ecbd066bb892050ebd69994f1c623f56f938756e1fce4bedd30b