ba4014d1c5e5d1fc1049eefb7694cf66f739644cd3e9fc91a9f80a0a5e7da677

Analysis

max time kernel
1792s
max time network
1789s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imm0nv1nhtvM3.0.exe
Size

8.6MB
MD5

7a1f0a1f3429be745b5d4d8d8c4205dc
SHA1

8266d2fd0d3a1845edd3496ad3e9c2b9ec6428ab
SHA256

ba4014d1c5e5d1fc1049eefb7694cf66f739644cd3e9fc91a9f80a0a5e7da677
SHA512

b4064cb4424998dd0ecd11f147b0a32f83c4bcd8580a599701d7bdc6a7981abdaa6cb11a43ee952e82cdd13c349abafe151eac63cb4d68cfcd8ba4a4436cea39
SSDEEP

196608:68R2C0GwoKRWrRNI/Vz3S7UJFIQR516hzpyQgXk6sOYv:v2dnRWr0AaFIE6hz0QgXuv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1744	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
1744	cpuminer-sse2.exe
1744	cpuminer-sse2.exe
1744	cpuminer-sse2.exe
1744	cpuminer-sse2.exe
1744	cpuminer-sse2.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
4760	taskkill.exe
1668	taskkill.exe
2752	taskkill.exe
3480	taskkill.exe
4868	taskkill.exe
396	taskkill.exe
4660	taskkill.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4692	2400	imm0nv1nhtvM3.0.exe	88
PID 2400 wrote to memory of 4692	2400	imm0nv1nhtvM3.0.exe	88
PID 4692 wrote to memory of 4760	4692	cmd.exe	90
PID 4692 wrote to memory of 4760	4692	cmd.exe	90
PID 4692 wrote to memory of 1668	4692	cmd.exe	92
PID 4692 wrote to memory of 1668	4692	cmd.exe	92
PID 4692 wrote to memory of 2752	4692	cmd.exe	93
PID 4692 wrote to memory of 2752	4692	cmd.exe	93
PID 4692 wrote to memory of 3480	4692	cmd.exe	94
PID 4692 wrote to memory of 3480	4692	cmd.exe	94
PID 4692 wrote to memory of 4868	4692	cmd.exe	95
PID 4692 wrote to memory of 4868	4692	cmd.exe	95
PID 4692 wrote to memory of 396	4692	cmd.exe	96
PID 4692 wrote to memory of 396	4692	cmd.exe	96
PID 4692 wrote to memory of 4660	4692	cmd.exe	97
PID 4692 wrote to memory of 4660	4692	cmd.exe	97
PID 4692 wrote to memory of 1504	4692	cmd.exe	98
PID 4692 wrote to memory of 1504	4692	cmd.exe	98
PID 4692 wrote to memory of 1744	4692	cmd.exe	105
PID 4692 wrote to memory of 1744	4692	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\imm0nv1nhtvM3.0.exe
"C:\Users\Admin\AppData\Local\Temp\imm0nv1nhtvM3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.bat C:\Users\Admin\AppData\Local\Temp\imm0nv1nhtvM3.0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im os-setup-service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ffmpeg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\system32\gpupdate.exe
    gpupdate /force
    3⤵
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
    cpuminer-sse2 -a yespower -o stratum+tcp://yespower.eu.mine.zpool.ca:6234 --userpass=DGCmEYNJetfSEp7REwqhEtukbfCDD2x89d:c=DOGE --threads=4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.bat

Filesize
554B

MD5
d9cd902d2c712ee60767d3506a911d23

SHA1
f4d53ac13b12e129589ffae0f81247f05e8c615c

SHA256
c34f9a6d0d8351370d23afe87c2afc46be1bb03dfd1bc227050b8672d5ba6164

SHA512
1cff330fd79fa2c8317b008c97954ea390b26804034cef0b0bd618941d6870bea811fa187b562a2582349e82ebd0feb2cc285acaf20421fa13285ffbd1574a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
320KB

MD5
59d36bdd941feb6c770ec68a37e8c21b

SHA1
1191d1e478164cd720974ea1ad2bc248999a8d45

SHA256
d5227dca74d9be12116b359c9d61265b102c0986eb6196e269cc3e3b895c0293

SHA512
b1620dd0763f2f7c263ae69c71eba7cba29d89f1bb551356abb7073e4e7013347345c43f2bad3c4733300c5b98feecf2fd91db2a363c9e5dcdd87f170edbe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
417KB

MD5
eda47951ab8376e6eb6341f7ee6fcd8e

SHA1
bacd4f315068ad00bd3e3b04dad8181bef0293be

SHA256
a1d3137e6508c17924b5409c80a8cfc92ea60d2efbd190b0ec9350bb214aafbc

SHA512
6b40f48a8c6373a4ed91b7040f0568ebdb4e652144894f64c7afb2f0b61a6128d0ae816a4d5915d8a771d19a9efd4ba7ceed2115b4a2c191ca1e23a27358c7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
760KB

MD5
dc30a5fca57fd880571c776799ed426b

SHA1
977fa4bc23fadecc2638c34417a7d3a92e425cbf

SHA256
fdfff9832b36555affb26b537755de11b0ec28df6e2be767e362fa91b696b52b

SHA512
68ac477f588a7c68ee898b654509af02051b2b90002f60bcaea971ff57ce3cc9798e33820995304ef28bdccc750374d6e253675c60387fdb49481ef1c9fa5c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
480KB

MD5
9c8ab55f83de9feb7c1554b25443778c

SHA1
845107ac371082f01eec86894f781343b0ff8926

SHA256
69e317b4735925ebfd5a0ba3ad3d5d30487828405ff7e5b6af5091f68228ecea

SHA512
1466bb62cabb6a4a4456a91573a795270060415b64c6f97f66d6c393ee9f75943c8f5493ecf2f52fdec58a0e49cf59b235ad7eafe3b9acefa94ad840d5bd1525

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.0MB

MD5
8b159a4c86063d19b71dc00c39565c3f

SHA1
9c97876b25c5601980a0a44824d9ad99e7518b90

SHA256
a9580912f8e21b9313b83de7c3029b5f50212a48a80164115cefd89c2f0bae93

SHA512
8002ffa5e8c298b120203e6940821f90045b5d90e60792b3bee238ec7edc10bcdcbdbc570d98f28c9e6ffa67f00e2cb47da8e763c937be94b5439ff4a3e48c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
576KB

MD5
13746f79a51eb8ce3107de99ffc6b56a

SHA1
64a00c99a805f8775f08cda4e4d06e1150195347

SHA256
2c04d5960f13e859d49c78a8858bdcb0c53914306eba52746105a76d98f5d205

SHA512
d0e69c6cf0078c858e8258a4038098e644d611b544b6588b2b1c9d2d2937ade0472edc96257545f5935514bfa18970f5762eb393def612c5a7027727397ca8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
372KB

MD5
f0d54f91a8c3098fe4ac73c55536f198

SHA1
0b3da0bfdd1dad2e89e3bf4433ffe72c69319ca1

SHA256
0d47669bcf8a4d97c2503b538a2ca3a1d6f4b0a09a6d69c1bd8dbc90750dc338

SHA512
ca29b74152d050990e14fa802df41ce009130fc905e0e2044c7b4c78d838af8e25dd49d7b93c8cdc326b7545cd569c38455613bb5d69c47dd08fe3a2ed1741c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
466KB

MD5
7204635ee2dcfe4ecb91a18e7378028b

SHA1
891e9e49194748f70bbc326084d4e9437313f785

SHA256
65db87379a4e5d0e5aa4eaa8626ce02da9d8e88b1d42e3df07cef562614ea8d6

SHA512
340a226a0703a57010be131a619d20173bfcf8389c28ddf6c63f1b1cffac14ec17d313750b01df568e086623cf1b3fdc61df63732ded95ef8cc2b8fe4c85a8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
440KB

MD5
c88249066e0ad6bd2203e7400e338fd7

SHA1
57e5ef6b1b42bf796158ef038036dcefa6a5071e

SHA256
31c039249496ba4eb1e47879b4c0bb93c2899fdbed9014ad978bc0ae12d721dd

SHA512
e35b7da8b7193d3126c041fc25be8f74986e453f166afd449adb3d8666c2f807308b48ae1d2f9dbe943385bad64733df1f43bbf8a8a097f654e26ab91dd00b56

Download Submit
memory/1744-26-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/1744-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-24-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-27-0x00000000779D0000-0x0000000077A68000-memory.dmp

Filesize
608KB

Download
memory/1744-28-0x0000000000F40000-0x00000000027F5000-memory.dmp

Filesize
24.7MB

Download
memory/1744-34-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-39-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-25-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/1744-49-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-64-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-79-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1744-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download