Analysis

  • max time kernel
    130s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 18:58

General

  • Target
    8fe893c04c504d9757cc28a75eddeeba.exe
  • Size
    777KB
  • MD5
    8fe893c04c504d9757cc28a75eddeeba
  • SHA1
    f0d86c7018ed0c69b2757a20d53ab40d93cd2a81
  • SHA256
    7ecf992f19dffdd28863aeb32309570b3ae896dd151f4fea1986f79853cf38be
  • SHA512
    7dc6b357b33ec52e06274bb2a5b64ab733ac22e5885c729c20b14998a568444e7f8a6fa06ee48c20d145b4b9ea1f2cbbba3f97795d5094f817eb873ba41c9384
  • SSDEEP
    12288:ljDDPEiTWMDCgbyxm9wNqBn/lpOcCM+D980EUkD8XbzxmG32vSNc7:l/Ds82gbyh8B/lpO8E98KkoXbzp2Ku7

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 26 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Modifies registry class 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Program Files (x86)\MineFilter\mineepsvc.exe
      "C:\Program Files (x86)\MineFilter\mineepsvc.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:2492
    • C:\Program Files (x86)\MineFilter\mineepsvc.exe
      "C:\Program Files (x86)\MineFilter\mineepsvc.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2720
    • C:\Windows\SysWOW64\midiasvc.exe
      "C:\Windows\System32\midiasvc.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2236
    • C:\Windows\SysWOW64\midiasvc.exe
      "C:\Windows\System32\midiasvc.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2760
  • C:\Program Files (x86)\MineFilter\mineepsvc.exe
    "C:\Program Files (x86)\MineFilter\mineepsvc.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2468
  • C:\Windows\SysWOW64\midiasvc.exe
    C:\Windows\SysWOW64\midiasvc.exe
    1⤵
    • Executes dropped EXE
    PID:1752

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\MineFilter\mineepnad.dl_
    Filesize: 245KB
    MD5: 3b7094c6d626e29c8511675edd536780
    SHA1: 74533a0ce89e6f26c882b30ac640182f0779335c
    SHA256: 058087c518c79d4c4946cc7ee5db5b9ba094cfd3284cbc76d3eee6d27ccab7d0
    SHA512: a41d9f1de18dae4c4625497b6c8dcaec88ebe025bb0d07e28cec3e2fdf26866da901aa625c672fc3a138ccb6dd97969f307edf12daa2e5a977077728c4e787dc

  • C:\Program Files (x86)\MineFilter\mineepnad.dll
    Filesize: 568KB
    MD5: dd81543f3851a9a6730bed215af99813
    SHA1: 5794d7d463f6137ca36e3c02d0c10c33f690c30d
    SHA256: 3958fee4d0b129f70cc808240d4e80c42f3f93654d27bf82bf3a5c4546f02642
    SHA512: 68bd526ca20d09f09c0bf7535e07054d51b7890eb5aa6784d7908bded88dbf8b2389cdbfb6a8d814c90368ffaf9f82b3224cf7e6c2366fd77caf9cf3b73f83c6

  • C:\Program Files (x86)\MineFilter\minerun.exe
    Filesize: 129KB
    MD5: 9481d2fe24557e040e5b01f886cc5747
    SHA1: f7bd29e9b85718a88955a611c4d01e1b3a904916
    SHA256: e2e998a497933c47f654f66bf36d26e34e01ab8f6275ca59ef467e71ecb97ca5
    SHA512: 25c8debb220a21f62513080026439fbbaedf9d3300bd4bdad2fe6f7167d896a83c2a806f28fd6abe9cddcd0f70cfda3eddd55b8104280cd010a3d96792349dfe

  • C:\Windows\SysWOW64\midiasvc.exe
    Filesize: 1KB
    MD5: c1f096e1cc6e6901830d9b1351908dce
    SHA1: d11a8c447c1c10e09e5026dd3e88980002230d14
    SHA256: fa4a34ad3dcf012444378ea67628a098a9ce9d4097dcbf00a12beb9a83640937
    SHA512: 9a02250fa4d2eff5db1a99bf95c6c3579fbef7b15f0ae456839b4824ded686f3a920f5af16009ed12f5c9bcb71465c4f55a64ff7c048404fb97beabe2c48dd8b

  • \Program Files (x86)\MineFilter\mineep.dll
    Filesize: 121KB
    MD5: e9c8cf0b8809bd059bfe95967d7dd25d
    SHA1: 7071de057fee221be15e9723635978e2d355f867
    SHA256: 875238a8ddef3d83220d277f4d897852821805ea1c985ff620cde47e567789e6
    SHA512: d8ebd9770787fc8f4e2cbb8361412251978150bd0d7d624a32c59cac04594f7cb27644e9a09fab5790663273c0c91222d17701805a20652c5d7743b17bacd0aa

  • \Program Files (x86)\MineFilter\mineepsvc.exe
    Filesize: 105KB
    MD5: 7447b67843066dbc18c1b79bc7ac1570
    SHA1: db46fff5a3ba16fbb027ddc508a48fd5ab19a4b2
    SHA256: 3d74fe08f3dea2fd98a9bb9db42c7a65c012fe902a368ded9eee44403e7165e8
    SHA512: d422613b734635f34f8ffef2aafd3be00d0690d7338ffb60793d303247143b69ff3706e7081246705221487ff07459a60de887e343e66222fe0c5908eb2bc55c

  • \Users\Admin\AppData\Local\Temp\nsd6F4.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsd6F4.tmp\nsProcess.dll
    Filesize: 4KB
    MD5: 8f4ac52cb2f7143f29f114add12452ad
    SHA1: 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3
    SHA256: b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04
    SHA512: 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

  • \Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll
    Filesize: 581KB
    MD5: 84e4af439cfa4e555eb2e84f36fcb1fe
    SHA1: 11f495bc7b6941ffdd881c7d135ddf674667bd6b
    SHA256: 9f3c348b2967a2582f3276f426343cce69a13fccf58a7413d64fa2deb156fa03
    SHA512: 10549db9c5cd20b2f3b3431e75aff38ed002572b7dced4808636e66c768291d8b9739f0b9d056955accc623b146939a1e1406ec656eb85021dec1e286feede95

  • \Users\Admin\AppData\Local\Temp\~nsis\c3a019\mineepnad.dll
    Filesize: 536KB
    MD5: d368e7623ea3d3f16d1c6a5a3b9f98ad
    SHA1: 217e8d0f57e56c0e20b37df1cdc0914c4913a576
    SHA256: 806e93e7e29fa96dccd577dbc141d8ecb035bca539213e317a9c877843eb022a
    SHA512: 21c2d097a9bf11ec0e2a0dde7cd8f0ec385f7deb97bb6221d661ba3e7b8f753cffd0b8e5cd2a5b106dd59e9dca8dda29c394d2f770f97275ec1e889165a9270e

  • \Windows\SysWOW64\midiasvc.exe
    Filesize: 85KB
    MD5: 74160ab8496cdef8cc370ad532eeec51
    SHA1: f23fa0023c5fa46464c1f07094213f2c7afc8244
    SHA256: ce3acffae736fc55104b64e666b9cacc0adbd1fe85d465d977e5b639506cab6c
    SHA512: bf13c7187356a8c643b638b3c772565c6afdcb78952a83058e836b004e8745ae6114d344597bcc9c5fb0947f092d8dd18f26c71bbe9e9526078555c447f2f137

  • memory/2536-31-0x0000000003150000-0x000000000316F000-memory.dmp
    Filesize: 124KB

  • memory/2536-12-0x0000000000A50000-0x0000000000AE5000-memory.dmp
    Filesize: 596KB