ba4014d1c5e5d1fc1049eefb7694cf66f739644cd3e9fc91a9f80a0a5e7da677

Analysis

max time kernel
2693s
max time network
2701s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
03-02-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imm0nv1nhtvM3.0.exe
Size

8.6MB
MD5

7a1f0a1f3429be745b5d4d8d8c4205dc
SHA1

8266d2fd0d3a1845edd3496ad3e9c2b9ec6428ab
SHA256

ba4014d1c5e5d1fc1049eefb7694cf66f739644cd3e9fc91a9f80a0a5e7da677
SHA512

b4064cb4424998dd0ecd11f147b0a32f83c4bcd8580a599701d7bdc6a7981abdaa6cb11a43ee952e82cdd13c349abafe151eac63cb4d68cfcd8ba4a4436cea39
SSDEEP

196608:68R2C0GwoKRWrRNI/Vz3S7UJFIQR516hzpyQgXk6sOYv:v2dnRWr0AaFIE6hz0QgXuv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2500	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
2500	cpuminer-sse2.exe
2500	cpuminer-sse2.exe
2500	cpuminer-sse2.exe
2500	cpuminer-sse2.exe
2500	cpuminer-sse2.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
3556	taskkill.exe
3076	taskkill.exe
3128	taskkill.exe
4064	taskkill.exe
2896	taskkill.exe
4892	taskkill.exe
4812	taskkill.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2440	3164	imm0nv1nhtvM3.0.exe	81
PID 3164 wrote to memory of 2440	3164	imm0nv1nhtvM3.0.exe	81
PID 2440 wrote to memory of 3556	2440	cmd.exe	82
PID 2440 wrote to memory of 3556	2440	cmd.exe	82
PID 2440 wrote to memory of 3076	2440	cmd.exe	84
PID 2440 wrote to memory of 3076	2440	cmd.exe	84
PID 2440 wrote to memory of 3128	2440	cmd.exe	85
PID 2440 wrote to memory of 3128	2440	cmd.exe	85
PID 2440 wrote to memory of 4064	2440	cmd.exe	86
PID 2440 wrote to memory of 4064	2440	cmd.exe	86
PID 2440 wrote to memory of 2896	2440	cmd.exe	87
PID 2440 wrote to memory of 2896	2440	cmd.exe	87
PID 2440 wrote to memory of 4892	2440	cmd.exe	88
PID 2440 wrote to memory of 4892	2440	cmd.exe	88
PID 2440 wrote to memory of 4812	2440	cmd.exe	89
PID 2440 wrote to memory of 4812	2440	cmd.exe	89
PID 2440 wrote to memory of 1720	2440	cmd.exe	90
PID 2440 wrote to memory of 1720	2440	cmd.exe	90
PID 2440 wrote to memory of 2500	2440	cmd.exe	91
PID 2440 wrote to memory of 2500	2440	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\imm0nv1nhtvM3.0.exe
"C:\Users\Admin\AppData\Local\Temp\imm0nv1nhtvM3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7753.tmp\7754.tmp\7755.bat C:\Users\Admin\AppData\Local\Temp\imm0nv1nhtvM3.0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im os-setup-service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ffmpeg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\system32\gpupdate.exe
    gpupdate /force
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
    cpuminer-sse2 -a yespower -o stratum+tcp://yespower.eu.mine.zpool.ca:6234 --userpass=DGCmEYNJetfSEp7REwqhEtukbfCDD2x89d:c=DOGE --threads=4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7753.tmp\7754.tmp\7755.bat

Filesize
554B

MD5
d9cd902d2c712ee60767d3506a911d23

SHA1
f4d53ac13b12e129589ffae0f81247f05e8c615c

SHA256
c34f9a6d0d8351370d23afe87c2afc46be1bb03dfd1bc227050b8672d5ba6164

SHA512
1cff330fd79fa2c8317b008c97954ea390b26804034cef0b0bd618941d6870bea811fa187b562a2582349e82ebd0feb2cc285acaf20421fa13285ffbd1574a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
286KB

MD5
c8dceda768b18752dfa5ae27484bd3a6

SHA1
9cd4aa398df638e7e8052294416a36771c0884b7

SHA256
ff9011e5105b5927bf25f3633cbaba2f666365bccb6a40025375316700b81d94

SHA512
a12948bb16f30a29c4bd08d4bbbbf83f590dd89cac930d15c04843c7457188ba091802a866a9e427d1c418717110d4b0bf06cb6d5010414f4fe30186870af3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
264KB

MD5
19100bf28ecc3dc506458a830db69134

SHA1
8e1539e8b988d5f25d41d5d3a7ede5e52dd84ae7

SHA256
4286cea9cde62b25d3d1d4a0784307d865fd8ca44c8a35a103f4f2e63ae3036d

SHA512
8a167b72c1db08fb8f52024ac0a14d6bb6bff90d7ba1e9fed88712adbac2bbf3a11869aedc8cb37a729882b999e102f8b3dbba11b8f6af93c68b2aeaf54be18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
299KB

MD5
dea5b5467249277e8aeae413dce37d4a

SHA1
e1e37eee03f52457e4a643509abda87be5761553

SHA256
1ed6992b89d07bf19b02c8c83018ae06cf24fb9adbf745a8df07947b24564b9c

SHA512
1a0295a6453c65a85ada808a5b13622506f7fa68a990cb8a3a606c5e761a651e8d0f23d92ca3428951382ce132f3701c3c6da1169f8fd9c5a74479d7b33c468f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
289KB

MD5
8b8d445f1c8dcb8a0e2ff985037554f6

SHA1
49bfbd19c449c4eb0f46c30ace70d6a188473eb7

SHA256
23cbb9c8650755e4b2ba0634f558857374c080424ef17de8b71e9b9eb04e29c6

SHA512
a7c98962aee9ed105ac3ea0649f5b3ba1bfe44eb44989842780169d39a8d55f4543e7d37add5cf8610bfe577d9d6e6abd5d66df292afba7d53db86428113616e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
174KB

MD5
e83e424ae7fbe4602a0430cfa43850e7

SHA1
841297e227accee56fab7bc44c7a7e54c44a5fd1

SHA256
804bd085519b8a5b95f163c864cf84818783127c630fed22906e31cdf458db2f

SHA512
64cb47d4087cbcf66fa72464f2c4593a4df341718f151ba51eee0d58ce69d88d63af79777f3c3ff6b6af458d36c5d900ec82312fb2a5437a6a1d32977a2011a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
250KB

MD5
5beae6b756c748bccc9e169ad72ea69c

SHA1
d4572c00195c0b656d978056d22f3665084024ec

SHA256
818e60b9b899dda7bcce5925a61f34830487a9036c635c584519ec0bf2c7b806

SHA512
a2ea45104753eaac4a123aad6a0a1eec3a1d72f4ffcf5a778c9a53af4cf887aa6c4153142a468cd0b1ce79380c5524ad9076af745d9517b886cc87a0c247d404

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
443KB

MD5
6fa96fe746835b5ea093b1c860ecf296

SHA1
d1901efbb003ed2ed134cfce471a41fd2aaa2146

SHA256
4d8ba0a2497280a84e975c4ad24935a51d90af580d5adba2f81313d1b408e150

SHA512
649fecdfbf60a5323f96995fc9ffd96e55f1b554200f0a4bfdf446f2df7014adbe6a1328ef3a120c61e3959f1c8b9fb35fe417f8e0b7675c907b39c7db81ec39

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
223KB

MD5
01e1e6bf097d956ce741516e27530234

SHA1
7a3ee328ccc95c46d9b7316cd09bfcad9805cb95

SHA256
04180e5f23eb67086f3302c6119c668c708d4fc64e8a59a58b098e1aea5a8940

SHA512
bf4c988a0902383b5e836c46fea9577d0d826503806f27fc09957b73bebbbf00e0b5c9f47496d3ef00bb74883d1f64719399613dd22b765c207f3dcd52e20658

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
212KB

MD5
d15c478f6036d6da1373e34f9939af6c

SHA1
ec83e5d36b3045a5382d19505da981cfd7dbd2bc

SHA256
fc09f7b3782d0e838597cf78bd1e4d0854084ca4afb81afbc0c659bc6b589972

SHA512
d0404b4a7b448cb5ac8b3d5476dc5ffbf767121275b76535896d3de8026df80afb28781c20ed970f5f856d5480573261c526d693e6d5c2d2433465390a3b1cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
212KB

MD5
bea0cea149fe20a12334df63ac0736b9

SHA1
13484628624b503c4a570f1e5989e1e3a118e116

SHA256
75c15854cdd8763663beab66b8715878a67f248b2f6f6f275671926a21e2c02c

SHA512
00083703375b8931d2948478a37f299a0aec1291682ea4add5ef79030b24f92c63ba35b5383c1edb3c76cd69652d78427236aca3f6d4828ef1a6e195edfc35f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
133KB

MD5
72d579a1847a3726b8d058ee7ed1cd06

SHA1
b3eba89c7591702f6ea298768836be9cd5883bce

SHA256
bc6fe29da690033b6088398be14a820cac36e82a0819e240b0d38d2a06d044e9

SHA512
5b2bc64042a5a314fb607fab5273c61fe80e25ca99f5adb059adbe561dafcb7ca33b0b4ed03a93c9c66303e686be07f33e5ebd9b55b813be9c638a832c15d0fe

Download Submit
memory/2500-24-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-25-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/2500-26-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/2500-27-0x0000000066480000-0x0000000066518000-memory.dmp

Filesize
608KB

Download
memory/2500-28-0x0000000000FC0000-0x0000000002875000-memory.dmp

Filesize
24.7MB

Download
memory/2500-29-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-39-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/2500-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download