ea3d4332c1e8900fcbe8a41f5a28cbce9c42130ce8edd6e249b98561ba996331

General

Target

17292638.exe
Size

8.6MB
MD5

5f1009f9902a7ed2a9a3d5bf73c7e842
SHA1

2d5afd88246324cd974aba59ee99a625da643180
SHA256

ea3d4332c1e8900fcbe8a41f5a28cbce9c42130ce8edd6e249b98561ba996331
SHA512

62634ed61df0027046c16d779c73b9c41894afb39e9b9d7c97413b5c38ceb149dd9acb673f65793c5fb876b34bdcc99193f866f70eb224d1b65c111fe045021a
SSDEEP

196608:k1QQR67H5V7Gtn1mN6A0XudLoxCG1ZmJBZx5o2Bb3ngLnMo6rJ:kqeUsM6A0Xu1ox11ZwBZ/Nh3ngQoYJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3120	cpuminer-sse2.exe

Loads dropped DLL 5 IoCs

pid	Process
3120	cpuminer-sse2.exe
3120	cpuminer-sse2.exe
3120	cpuminer-sse2.exe
3120	cpuminer-sse2.exe
3120	cpuminer-sse2.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
1432	taskkill.exe
1736	taskkill.exe
5092	taskkill.exe
4476	taskkill.exe
3520	taskkill.exe
4812	taskkill.exe
2288	taskkill.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4412	1948	17292638.exe	85
PID 1948 wrote to memory of 4412	1948	17292638.exe	85
PID 4412 wrote to memory of 2288	4412	cmd.exe	86
PID 4412 wrote to memory of 2288	4412	cmd.exe	86
PID 4412 wrote to memory of 1432	4412	cmd.exe	88
PID 4412 wrote to memory of 1432	4412	cmd.exe	88
PID 4412 wrote to memory of 1736	4412	cmd.exe	89
PID 4412 wrote to memory of 1736	4412	cmd.exe	89
PID 4412 wrote to memory of 5092	4412	cmd.exe	90
PID 4412 wrote to memory of 5092	4412	cmd.exe	90
PID 4412 wrote to memory of 4476	4412	cmd.exe	91
PID 4412 wrote to memory of 4476	4412	cmd.exe	91
PID 4412 wrote to memory of 3520	4412	cmd.exe	92
PID 4412 wrote to memory of 3520	4412	cmd.exe	92
PID 4412 wrote to memory of 4812	4412	cmd.exe	93
PID 4412 wrote to memory of 4812	4412	cmd.exe	93
PID 4412 wrote to memory of 4928	4412	cmd.exe	94
PID 4412 wrote to memory of 4928	4412	cmd.exe	94
PID 4412 wrote to memory of 3120	4412	cmd.exe	95
PID 4412 wrote to memory of 3120	4412	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\17292638.exe
"C:\Users\Admin\AppData\Local\Temp\17292638.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B873.tmp\B874.tmp\B875.bat C:\Users\Admin\AppData\Local\Temp\17292638.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im python.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im os-setup-service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im tvnserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ffmpeg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\system32\gpupdate.exe
    gpupdate /force
    3⤵
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe
    cpuminer-sse2 -a yespower -o stratum+tcp://yespower.eu.mine.zpool.ca:6234 --userpass=D9toHxZJFG1gttnZVeuNADd7Gvv7fHyqkk:c=DOGE --threads=4
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B873.tmp\B874.tmp\B875.bat

Filesize
554B

MD5
31815ed8416dc09aa1a78c4d398b6f1d

SHA1
689744a2624c8c925b6c5c454f3ebfaa2b148675

SHA256
e840766960b40d6848e78eadcdd99616060151da360db8361f8c0c22c8cd9d6d

SHA512
f245be02a85759724bd8ec6862c7af36bab88f15e768146d9399659cfc890fb0afaf3edb088011fa2b379f6f0d964461b42ce55f7d7575a485844e3548aa43d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpuminer-sse2.exe

Filesize
2.3MB

MD5
4c04147c386ba8792ac6a03069572a8a

SHA1
dda67789fc1d0f2469ca95f01a5c81034853ca6a

SHA256
c7739a1e940a282703d06eccda7110426d306f390e97fdbbd9df18472fd132cd

SHA512
a8b5a0b878a9a7d30cb38feff814e1f4dce24d000158edc10a43ee9a89920bedf7adc92eb7e3913098b6aab7fbd0531f56fc09f508b5c2769992a94e55d153db

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Filesize
836KB

MD5
aeab40ed9a8e627ea7cefc1f5cf9bf7a

SHA1
5e2e8ca2881b9bf9edfa3c4fdcec6da1efa102d8

SHA256
218cfc4073bab4eddf0de0804f96b204687311e20a9e97994bff54c9b0e01ee9

SHA512
c0a67616fa01fdc351015212a718faf70da6612fbb3ec13da28dd7af9a507c56882fb7c3eea6fbc37d4d63b970157199d16d0756dbe3cb3bc2223e215cb104d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgcc_s_seh-1.dll

Filesize
1.2MB

MD5
7cf672bee2afba2dcd0c031ff985958e

SHA1
6b82a205db080ffdcb4a4470fce85a14413f3217

SHA256
c82f84171b9246d1cac261100b2199789c96c37b03b375f33b2c72afab060b05

SHA512
3e90d1c1efe0200cb3cc7b51d04783a3cce8391faa6ce554cff8b23dac60be9f8e4f980a8ac005fd9dff8ea4bdcb02311f7649c5be28eb32dcc26417fc4090e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\libstdc++-6.dll

Filesize
27.2MB

MD5
19fcc327c7f9eaf6a1fae47c9864fda7

SHA1
90a9ca4f4eb5bc76424b6bec0acd3df0a53b8f8c

SHA256
baef1f4cabebdadc52213761b4c8e2bf381976a67bd7c490f952c38f6831b036

SHA512
76d129db3006de88b851100f559fac00796f150fd6290d8f1df9f01df5bc733ebf4f4b087580d3ec81c901002d155e522954a9c1a9919cc9ca87198974a77a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libwinpthread-1.dll

Filesize
606KB

MD5
585efec1bc1d4d916a4402c9875dff75

SHA1
d209613666ccac9d0ddab29a3bc59aa00a0968fa

SHA256
2f9984c591a5654434c53e8b4d0c5c187f1fd0bab95247d5c9bc1c0bd60e6232

SHA512
b93163cba4601ed999a7a7d1887113792e846c36850c6d84f2d505727dc06524bb959469f9df12928769f4535dc6074a6b3599b788a4844353e466742ce1e770

Download Submit
memory/3120-28-0x00000000010A0000-0x0000000002955000-memory.dmp

Filesize
24.7MB

Download
memory/3120-39-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-27-0x0000000069380000-0x0000000069418000-memory.dmp

Filesize
608KB

Download
memory/3120-26-0x0000000061440000-0x000000006156B000-memory.dmp

Filesize
1.2MB

Download
memory/3120-24-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-29-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-34-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-25-0x0000000070800000-0x00000000708BC000-memory.dmp

Filesize
752KB

Download
memory/3120-44-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-54-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-59-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-69-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-74-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/3120-84-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing