Analysis
- max time kernel: 130s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 04/02/2024, 18:58 (4 February 2024; the dropped log file minefilter_up_20240204.txt below carries the same date)
Static task: static1

Behavioral tasks (sample, resource). The $PLUGINSDIR/*.dll entries and the $TEMP/~nsis/ directory are NSIS installer plugins and the NSIS extraction directory, unpacked from the sample; the remaining entries are the files the installer drops.
- behavioral1: 8fe893c04c504d9757cc28a75eddeeba.exe, win7-20231129-en
- behavioral2: 8fe893c04c504d9757cc28a75eddeeba.exe, win10v2004-20231215-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20231215-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20231215-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20231215-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20231215-en
- behavioral7: $PLUGINSDIR/nsDialogs.dll, win7-20231215-en
- behavioral8: $PLUGINSDIR/nsDialogs.dll, win10v2004-20231215-en
- behavioral9: $PLUGINSDIR/nsProcess.dll, win7-20231129-en
- behavioral10: $PLUGINSDIR/nsProcess.dll, win10v2004-20231222-en
- behavioral11: $TEMP/~nsis/c3a019/mineepnad.dll, win7-20231129-en
- behavioral12: $TEMP/~nsis/c3a019/mineepnad.dll, win10v2004-20231215-en
- behavioral13: $WINDIR/System32/midiasvc.exe, win7-20231129-en
- behavioral14: $WINDIR/System32/midiasvc.exe, win10v2004-20231215-en
- behavioral15: mineep.dll, win7-20231215-en
- behavioral16: mineep.dll, win10v2004-20231222-en
- behavioral17: mineepnad.dll, win7-20231215-en
- behavioral18: mineepnad.dll, win10v2004-20231222-en
- behavioral19: mineepsvc.exe, win7-20231215-en
- behavioral20: mineepsvc.exe, win10v2004-20231215-en
- behavioral21: minerun.exe, win7-20231215-en
- behavioral22: minerun.exe, win10v2004-20231215-en
General
- Target: 8fe893c04c504d9757cc28a75eddeeba.exe
- Size: 777KB
- MD5: 8fe893c04c504d9757cc28a75eddeeba
- SHA1: f0d86c7018ed0c69b2757a20d53ab40d93cd2a81
- SHA256: 7ecf992f19dffdd28863aeb32309570b3ae896dd151f4fea1986f79853cf38be
- SHA512: 7dc6b357b33ec52e06274bb2a5b64ab733ac22e5885c729c20b14998a568444e7f8a6fa06ee48c20d145b4b9ea1f2cbbba3f97795d5094f817eb873ba41c9384
- SSDEEP: 12288:ljDDPEiTWMDCgbyxm9wNqBn/lpOcCM+D980EUkD8XbzxmG32vSNc7:l/Ds82gbyh8B/lpO8E98KkoXbzp2Ku7
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
- PID 2492 mineepsvc.exe
- PID 2720 mineepsvc.exe
- PID 2468 mineepsvc.exe
- PID 2760 midiasvc.exe
- PID 2236 midiasvc.exe
- PID 1752 midiasvc.exe
Loads dropped DLL 26 IoCs
In the report's order:
- PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe (8 loads)
- PID 2492 mineepsvc.exe (3 loads)
- PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe (2 loads)
- PID 2720 mineepsvc.exe (3 loads)
- PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe (2 loads)
- PID 2760 midiasvc.exe (3 loads)
- PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe (2 loads)
- PID 2236 midiasvc.exe (3 loads)
(14 loads by the installer, 3 by each of the four children it spawned.)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper" (8fe893c04c504d9757cc28a75eddeeba.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC} (8fe893c04c504d9757cc28a75eddeeba.exe)
The key sits under Wow6432Node, so the BHO is registered for 32-bit Internet Explorer. The "Modifies registry class" entries below resolve CLSID {6FA125C7-023C-4280-B7F6-63ABE4F52ABC} to InprocServer32 = C:\Program Files (x86)\MineFilter\mineep.dll, which is the DLL the browser will load.
Drops file in System32 directory 2 IoCs
- File created C:\Windows\SysWOW64\midiasvc.exe (8fe893c04c504d9757cc28a75eddeeba.exe)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mineepsvc.exe)
Drops file in Program Files directory 9 IoCs
- File opened for modification C:\Program Files (x86)\MineFilter\Log\minefilter_up_20240204.txt (mineepsvc.exe)
- File created C:\Program Files (x86)\MineFilter\mine_uins.dat (8fe893c04c504d9757cc28a75eddeeba.exe)
- File created C:\Program Files (x86)\MineFilter\mineep.dl_ (8fe893c04c504d9757cc28a75eddeeba.exe)
- File created C:\Program Files (x86)\MineFilter\mineepnad.dl_ (8fe893c04c504d9757cc28a75eddeeba.exe)
- File created C:\Program Files (x86)\MineFilter\minerun.ex_ (8fe893c04c504d9757cc28a75eddeeba.exe)
- File opened for modification C:\Program Files (x86)\MineFilter\homepage.url (8fe893c04c504d9757cc28a75eddeeba.exe)
- File created C:\Program Files (x86)\MineFilter\mineepsvc.ex_ (8fe893c04c504d9757cc28a75eddeeba.exe)
- File opened for modification C:\Program Files (x86)\MineFilter\intro.url (8fe893c04c504d9757cc28a75eddeeba.exe)
- File created C:\Program Files (x86)\MineFilter\uninst.exe (8fe893c04c504d9757cc28a75eddeeba.exe)
The .dl_ and .ex_ names follow the Windows compressed-file convention (as produced by makecab and unpacked by expand). The expanded mineep.dll that the CLSID registration points to is not itself listed in this signature, although it is present as a separate behavioral task above.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 2 IoCs
- Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\SOFTWARE\Microsoft\Internet Explorer\Main (8fe893c04c504d9757cc28a75eddeeba.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" (8fe893c04c504d9757cc28a75eddeeba.exe)
Enable Browser Extensions is the per-user switch behind IE's "Enable third-party browser extensions" option; forcing it to "yes" ensures the newly registered BHO loads even if the user had turned extensions off.
Modifies data under HKEY_USERS 28 IoCs
All 28 entries are written by mineepsvc.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (the report shows the hive as both "Software" and "SOFTWARE"; the registry is case-insensitive). Subkeys below are relative to that key, in the order reported:
- Key created \Connections
- Key created (the Internet Settings key itself)
- Set value (data) \Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) \Wpad\f6-98-7a-0a-d3-d8\WpadDecision = "0"
- Set value (data) \Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str) \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadNetworkName = "Network 3"
- Set value (data) \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionTime = 0060e0859c57da01
- Set value (int) \ProxyEnable = "0"
- Key created \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}
- Key created \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\f6-98-7a-0a-d3-d8
- Set value (data) \Wpad\f6-98-7a-0a-d3-d8\WpadDecisionTime = 0060e0859c57da01
- Key created \ZoneMap\
- Set value (int) \ZoneMap\UNCAsIntranet = "0"
- Set value (str) \5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created (the Internet Settings key itself, second occurrence)
- Key created \Wpad
- Set value (int) \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionReason = "1"
- Set value (int) \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecision = "0"
- Set value (int) \ZoneMap\AutoDetect = "1"
- Set value (str) \Wpad\f6-98-7a-0a-d3-d8\WpadDetectedUrl (no value shown)
- Set value (data) \Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) \Wpad\{562DB735-397E-4EE9-9C53-451483F11F8E}\WpadDecisionTime = 80060d609c57da01
- Set value (str) \5.0\Cache\History\CachePrefix = "Visited:"
- Set value (int) \Wpad\f6-98-7a-0a-d3-d8\WpadDecisionReason = "1"
- Set value (data) \Wpad\f6-98-7a-0a-d3-d8\WpadDecisionTime = 80060d609c57da01
- Set value (data) \Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \Wpad\f6-98-7a-0a-d3-d8
- Set value (str) \5.0\Cache\Content\CachePrefix (no value shown)
These are the WinINet proxy auto-detect (WPAD) and cache bookkeeping keys, written in the .DEFAULT profile, which is what a service running as LocalSystem uses when it makes HTTP requests; they are a side effect of mineepsvc.exe going online from a service context rather than a deliberate configuration change. The subkey name f6-98-7a-0a-d3-d8 is the sandbox VM's adapter MAC address and the {562DB735-...} GUID is its network profile, so neither is a transferable indicator. The second dword of DefaultConnectionSettings is a change counter (02, 03, 04 across the three writes).
Modifies registry class 48 IoCs
All 48 writes are made by 8fe893c04c504d9757cc28a75eddeeba.exe under \REGISTRY\MACHINE\SOFTWARE\Classes. They are the standard COM registration of one in-process server (CLSID {6FA125C7-023C-4280-B7F6-63ABE4F52ABC}), its interface ({4FA125C7-023C-4280-B7F6-63ABE4F52ABC}) and its type library ({5FA125C7-023C-4280-B7F6-63ABE4F52ABC}); they are grouped here by object, with paths relative to \REGISTRY\MACHINE\SOFTWARE\Classes.

ProgIDs:
- Key created \MineFilterc3a019BHO.MineFilterc3a019APIClass
- Set value (str) \MineFilterc3a019BHO.MineFilterc3a019APIClass\ = "MineFilterc3a019APIClass Class"
- Key created \MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID
- Set value (str) \MineFilterc3a019BHO.MineFilterc3a019APIClass\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}"
- Key created \MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer
- Set value (str) \MineFilterc3a019BHO.MineFilterc3a019APIClass\CurVer\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1"
- Key created \MineFilterc3a019BHO.MineFilterc3a019APIClass.1
- Set value (str) \MineFilterc3a019BHO.MineFilterc3a019APIClass.1\ = "MineFilterc3a019APIClass Class"
- Key created \MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID
- Set value (str) \MineFilterc3a019BHO.MineFilterc3a019APIClass.1\CLSID\ = "{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}"

CLSID {6FA125C7-023C-4280-B7F6-63ABE4F52ABC} (32-bit, under Wow6432Node):
- Key created \Wow6432Node\CLSID
- Key created \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}
- Set value (str) \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter"
- Key created \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32
- Set value (str) \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll"
- Set value (str) \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment"
- Key created \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID
- Set value (str) \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1"
- Key created \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID
- Set value (str) \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\VersionIndependentProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass"
- Key created \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\Programmable
- Key created \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib
- Set value (str) \Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}"
- Set value (str) \Wow6432Node\CLSID\tst_key = "test_ok"

Interface {4FA125C7-023C-4280-B7F6-63ABE4F52ABC}, registered both natively and under Wow6432Node:
- Key created \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}
- Set value (str) \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API"
- Key created \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32
- Set value (str) \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib
- Set value (str) \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}"
- Set value (str) \Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0"
- Key created \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}
- Set value (str) \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "IMineFilterc3a019API"
- Key created \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32
- Set value (str) \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib
- Set value (str) \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\ = "{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}"
- Set value (str) \Wow6432Node\Interface\{4FA125C7-023C-4280-B7F6-63ABE4F52ABC}\TypeLib\Version = "1.0"

TypeLib {5FA125C7-023C-4280-B7F6-63ABE4F52ABC}:
- Key created \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}
- Key created \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0
- Set value (str) \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\ = "MineFilterc3a019APIClass 1.0 Type Library"
- Key created \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0
- Key created \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32
- Set value (str) \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\0\win32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll"
- Key created \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS
- Set value (str) \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\FLAGS\ = "0"
- Key created \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR
- Set value (str) \TypeLib\{5FA125C7-023C-4280-B7F6-63ABE4F52ABC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MineFilter\\"

Points to take from this block: the InprocServer32 and type-library paths both name C:\Program Files (x86)\MineFilter\mineep.dll, so that is the BHO binary; the three GUIDs differ only in their first hex digit, which is a convenient pivot when hunting for related builds; ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} is the standard type-library marshaller, not something the sample ships. The stray value tst_key = "test_ok" directly under Wow6432Node\CLSID is not part of any COM registration; it looks like a write-permission probe by the installer and is a cheap host-based indicator on its own.
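The BHO and COM-class events above are easier to act on once the BHO's CLSID is joined to its InprocServer32 path, which is the only line that says which DLL Internet Explorer will actually load. The Python below is an added example, not part of the sandbox report or of the MineFilter software: it parses registry events in the report's own text format (the sample lines are transcribed from the entries above with the process column removed, and are the constructed input), resolves every registered BHO to its server DLL, ProgID and threading model, and separately checks whether the sample flipped the user's Enable Browser Extensions switch. All function and variable names are the example's own.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample input: registry events transcribed from the report above,
# trailing process column removed. The report prints backslashes inside quoted
# values doubled, and that is reproduced here on purpose.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilterc3a019APIClass Helper"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ThreadingModel = "Apartment"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ProgID\ = "MineFilterc3a019BHO.MineFilterc3a019APIClass.1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\ = "MineFilter"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FA125C7-023C-4280-B7F6-63ABE4F52ABC}\InprocServer32\ = "C:\\Program Files (x86)\\MineFilter\\mineep.dll"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
KEY_RE = re.compile(r'^Key created (.+)$')
BHO_RE = re.compile(r'\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\\?$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\(.*)$')

Event = Tuple[str, str, Optional[str], Optional[str]]


def parse_events(lines) -> Iterator[Event]:
    """Yield (kind, key_path, value_type, value); 'Key created' rows carry no value."""
    for line in lines:
        m = SET_RE.match(line)
        if m:
            # Undo the doubled backslashes the report uses inside quoted values.
            yield ("set", m.group(2), m.group(1), m.group(3).replace("\\\\", "\\"))
            continue
        m = KEY_RE.match(line)
        if m:
            yield ("key", m.group(1), None, None)


def resolve_bhos(lines) -> List[Dict[str, object]]:
    """Correlate each BHO registration with its CLSID's InprocServer32 so the
    result names the DLL Internet Explorer will load (None if never set)."""
    clsid_props: Dict[str, Dict[str, str]] = {}
    bhos: Dict[str, Dict[str, object]] = {}
    for kind, path, _vtype, value in parse_events(lines):
        m = BHO_RE.search(path)
        if m:
            clsid = m.group(1).upper()
            entry = bhos.setdefault(clsid, {
                "clsid": clsid,
                # Wow6432Node means the BHO is registered for 32-bit IE only.
                "wow64": "\\Wow6432Node\\" in path,
                "name": None,
            })
            if kind == "set" and path.endswith("\\"):  # default value = display name
                entry["name"] = value
            continue
        m = CLSID_RE.search(path)
        if m and kind == "set":
            props = clsid_props.setdefault(m.group(1).upper(), {})
            sub = m.group(2)
            if sub == "InprocServer32\\":
                props["dll"] = value
            elif sub == "InprocServer32\\ThreadingModel":
                props["threading"] = value
            elif sub == "ProgID\\":
                props["progid"] = value
    for clsid, entry in bhos.items():
        props = clsid_props.get(clsid, {})
        entry["dll"] = props.get("dll")
        entry["threading"] = props.get("threading")
        entry["progid"] = props.get("progid")
    return list(bhos.values())


def extensions_enabled(lines) -> bool:
    """True if a write set IE's per-user 'Enable Browser Extensions' to yes,
    which is what guarantees a freshly registered BHO is loaded."""
    for kind, path, _vtype, value in parse_events(lines):
        if kind == "set" and path.endswith("\\Internet Explorer\\Main\\Enable Browser Extensions"):
            return value.lower() == "yes"
    return False


if __name__ == "__main__":
    for bho in resolve_bhos(SAMPLE_EVENTS):
        print(f"{bho['clsid']} name={bho['name']!r} dll={bho['dll']} 32bit={bho['wow64']}")
    print("Enable Browser Extensions forced on:", extensions_enabled(SAMPLE_EVENTS))
```

Feeding the full 48 "Modifies registry class" lines plus the two BHO lines gives the same single answer; a BHO whose CLSID never receives an InprocServer32 value comes back with dll=None, which is itself worth a look because IE would fail to load it.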
Suspicious behavior: EnumeratesProcesses 9 IoCs
- PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe (9 occurrences)
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeRestorePrivilege, PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe
- Token: SeBackupPrivilege, PID 2536 8fe893c04c504d9757cc28a75eddeeba.exe
SeBackupPrivilege lets a caller that opens objects with backup semantics read past file and registry ACLs, and SeRestorePrivilege lets it write past them. Legitimate elevated installers enable the same pair, so on its own this is weak evidence; it matters here only in combination with the System32 and HKLM writes above.
Suspicious use of WriteProcessMemory 28 IoCs
All 28 writes are by PID 2536 (8fe893c04c504d9757cc28a75eddeeba.exe), seven into each of the four processes it spawned:
- target PID 2492 mineepsvc.exe, 7 writes (procid_target 29)
- target PID 2720 mineepsvc.exe, 7 writes (procid_target 30)
- target PID 2760 midiasvc.exe, 7 writes (procid_target 34)
- target PID 2236 midiasvc.exe, 7 writes (procid_target 33)
Every target is a direct child of the writer and each child receives the same number of writes, which is the pattern a user-mode WriteProcessMemory hook records during ordinary process creation. Nothing here shows a write into a process the sample did not start, so this signature adds no evidence of injection beyond what the process tree already shows.
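Separating writes that are just process creation from writes worth chasing means joining each WriteProcessMemory row to the process tree. The Python below is an added example, not from the report: it regenerates the 28 rows above in the report's own row format from the four target PIDs, adds one constructed row aimed at a hypothetical PID 1234 that the sample never spawned, and labels each writer/target pair by whether the target is the writer's own child. PID 1234, its image path and the procid_target value 99 are invented for the negative case; everything else is transcribed from the report.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the process tree from the report above as
# pid -> (parent pid, image path); parent None means top-level.
# PID 1234 is hypothetical and exists only to show the negative case.
PROCESS_TREE: Dict[int, Tuple[Optional[int], str]] = {
    2536: (None, r"C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"),
    2492: (2536, r"C:\Program Files (x86)\MineFilter\mineepsvc.exe"),
    2720: (2536, r"C:\Program Files (x86)\MineFilter\mineepsvc.exe"),
    2236: (2536, r"C:\Windows\SysWOW64\midiasvc.exe"),
    2760: (2536, r"C:\Windows\SysWOW64\midiasvc.exe"),
    2468: (None, r"C:\Program Files (x86)\MineFilter\mineepsvc.exe"),
    1752: (None, r"C:\Windows\SysWOW64\midiasvc.exe"),
    1234: (None, r"C:\Windows\explorer.exe"),  # hypothetical, not in the report
}

# The 28 report rows, rebuilt in the report's row format
# ("PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"),
# plus one constructed row targeting the hypothetical PID 1234.
_REPORT_TARGETS = [(2492, 29), (2720, 30), (2760, 34), (2236, 33)]
SAMPLE_ROWS = [
    f"PID 2536 wrote to memory of {target} 2536 8fe893c04c504d9757cc28a75eddeeba.exe {procid}"
    for target, procid in _REPORT_TARGETS
    for _ in range(7)
] + ["PID 2536 wrote to memory of 1234 2536 8fe893c04c504d9757cc28a75eddeeba.exe 99"]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def count_writes(rows: List[str]) -> Counter:
    """Collapse repeated rows into (writer pid, target pid) -> number of writes."""
    counts: Counter = Counter()
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def triage_writes(rows: List[str],
                  tree: Dict[int, Tuple[Optional[int], str]]) -> List[Dict[str, object]]:
    """Label each writer->target pair. A parent writing into a child it has just
    created is what ordinary process creation looks like from a WriteProcessMemory
    hook; a write into a process the writer did not spawn is the pattern to chase."""
    report: List[Dict[str, object]] = []
    for (writer, target), n in sorted(count_writes(rows).items()):
        parent, image = tree.get(target, (None, None))
        report.append({
            "writer": writer,
            "target": target,
            "target_image": image,
            "writes": n,
            "verdict": "own-child" if parent == writer else "foreign-process",
        })
    return report


def foreign_targets(rows: List[str], tree: Dict[int, Tuple[Optional[int], str]]) -> List[int]:
    """PIDs that were written to but not spawned by the writer."""
    return [int(r["target"]) for r in triage_writes(rows, tree) if r["verdict"] == "foreign-process"]


if __name__ == "__main__":
    for r in triage_writes(SAMPLE_ROWS, PROCESS_TREE):
        print(f"{r['writer']} -> {r['target']} ({r['target_image']}): "
              f"{r['writes']} writes, {r['verdict']}")
    print("foreign targets:", foreign_targets(SAMPLE_ROWS, PROCESS_TREE))
```

On the report's 28 rows alone the foreign-target list is empty, which is the conclusion stated above; the extra row shows what the same code reports when a write lands in a process outside the writer's subtree.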
Processes
- C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe (PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8fe893c04c504d9757cc28a75eddeeba.exe"
  Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Drops file in System32 directory; Drops file in Program Files directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\MineFilter\mineepsvc.exe (PID 2492)
    Command line: "C:\Program Files (x86)\MineFilter\mineepsvc.exe" /i
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory
  - C:\Program Files (x86)\MineFilter\mineepsvc.exe (PID 2720)
    Command line: "C:\Program Files (x86)\MineFilter\mineepsvc.exe" /start
    Signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Windows\SysWOW64\midiasvc.exe (PID 2236)
    Command line: "C:\Windows\System32\midiasvc.exe" /start
    Signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Windows\SysWOW64\midiasvc.exe (PID 2760)
    Command line: "C:\Windows\System32\midiasvc.exe" /i
    Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Program Files (x86)\MineFilter\mineepsvc.exe (PID 2468)
  Command line: "C:\Program Files (x86)\MineFilter\mineepsvc.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\midiasvc.exe (PID 1752)
  Command line: C:\Windows\SysWOW64\midiasvc.exe
  Signatures: Executes dropped EXE

Two things are worth reading off this tree. First, the midiasvc.exe command lines name C:\Windows\System32 while the image path is C:\Windows\SysWOW64: the installer is a 32-bit process (hence Program Files (x86) and the Wow6432Node registry keys), so WOW64 file-system redirection turns its System32 file write and launches into SysWOW64. Second, PIDs 2468 and 1752 have no parent in the tree: they are separate, argument-less instances of the two dropped binaries, and 2468 is the one writing under HKEY_USERS\.DEFAULT and into C:\Windows\SysWOW64\config\systemprofile, the profile a LocalSystem service uses, which is consistent with the "/i" and "/start" runs registering and starting the binaries as services.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 245KB
  MD5 3b7094c6d626e29c8511675edd536780
  SHA1 74533a0ce89e6f26c882b30ac640182f0779335c
  SHA256 058087c518c79d4c4946cc7ee5db5b9ba094cfd3284cbc76d3eee6d27ccab7d0
  SHA512 a41d9f1de18dae4c4625497b6c8dcaec88ebe025bb0d07e28cec3e2fdf26866da901aa625c672fc3a138ccb6dd97969f307edf12daa2e5a977077728c4e787dc
- Filesize 568KB
  MD5 dd81543f3851a9a6730bed215af99813
  SHA1 5794d7d463f6137ca36e3c02d0c10c33f690c30d
  SHA256 3958fee4d0b129f70cc808240d4e80c42f3f93654d27bf82bf3a5c4546f02642
  SHA512 68bd526ca20d09f09c0bf7535e07054d51b7890eb5aa6784d7908bded88dbf8b2389cdbfb6a8d814c90368ffaf9f82b3224cf7e6c2366fd77caf9cf3b73f83c6
- Filesize 129KB
  MD5 9481d2fe24557e040e5b01f886cc5747
  SHA1 f7bd29e9b85718a88955a611c4d01e1b3a904916
  SHA256 e2e998a497933c47f654f66bf36d26e34e01ab8f6275ca59ef467e71ecb97ca5
  SHA512 25c8debb220a21f62513080026439fbbaedf9d3300bd4bdad2fe6f7167d896a83c2a806f28fd6abe9cddcd0f70cfda3eddd55b8104280cd010a3d96792349dfe
- Filesize 1KB
  MD5 c1f096e1cc6e6901830d9b1351908dce
  SHA1 d11a8c447c1c10e09e5026dd3e88980002230d14
  SHA256 fa4a34ad3dcf012444378ea67628a098a9ce9d4097dcbf00a12beb9a83640937
  SHA512 9a02250fa4d2eff5db1a99bf95c6c3579fbef7b15f0ae456839b4824ded686f3a920f5af16009ed12f5c9bcb71465c4f55a64ff7c048404fb97beabe2c48dd8b
- Filesize 121KB
  MD5 e9c8cf0b8809bd059bfe95967d7dd25d
  SHA1 7071de057fee221be15e9723635978e2d355f867
  SHA256 875238a8ddef3d83220d277f4d897852821805ea1c985ff620cde47e567789e6
  SHA512 d8ebd9770787fc8f4e2cbb8361412251978150bd0d7d624a32c59cac04594f7cb27644e9a09fab5790663273c0c91222d17701805a20652c5d7743b17bacd0aa
- Filesize 105KB
  MD5 7447b67843066dbc18c1b79bc7ac1570
  SHA1 db46fff5a3ba16fbb027ddc508a48fd5ab19a4b2
  SHA256 3d74fe08f3dea2fd98a9bb9db42c7a65c012fe902a368ded9eee44403e7165e8
  SHA512 d422613b734635f34f8ffef2aafd3be00d0690d7338ffb60793d303247143b69ff3706e7081246705221487ff07459a60de887e343e66222fe0c5908eb2bc55c
- Filesize 11KB
  MD5 c17103ae9072a06da581dec998343fc1
  SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- Filesize 4KB
  MD5 8f4ac52cb2f7143f29f114add12452ad
  SHA1 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3
  SHA256 b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04
  SHA512 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c
- Filesize 581KB
  MD5 84e4af439cfa4e555eb2e84f36fcb1fe
  SHA1 11f495bc7b6941ffdd881c7d135ddf674667bd6b
  SHA256 9f3c348b2967a2582f3276f426343cce69a13fccf58a7413d64fa2deb156fa03
  SHA512 10549db9c5cd20b2f3b3431e75aff38ed002572b7dced4808636e66c768291d8b9739f0b9d056955accc623b146939a1e1406ec656eb85021dec1e286feede95
- Filesize 536KB
  MD5 d368e7623ea3d3f16d1c6a5a3b9f98ad
  SHA1 217e8d0f57e56c0e20b37df1cdc0914c4913a576
  SHA256 806e93e7e29fa96dccd577dbc141d8ecb035bca539213e317a9c877843eb022a
  SHA512 21c2d097a9bf11ec0e2a0dde7cd8f0ec385f7deb97bb6221d661ba3e7b8f753cffd0b8e5cd2a5b106dd59e9dca8dda29c394d2f770f97275ec1e889165a9270e
- Filesize 85KB
  MD5 74160ab8496cdef8cc370ad532eeec51
  SHA1 f23fa0023c5fa46464c1f07094213f2c7afc8244
  SHA256 ce3acffae736fc55104b64e666b9cacc0adbd1fe85d465d977e5b639506cab6c
  SHA512 bf13c7187356a8c643b638b3c772565c6afdcb78952a83058e836b004e8745ae6114d344597bcc9c5fb0947f092d8dd18f26c71bbe9e9526078555c447f2f137