fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
Size

7.8MB
MD5

49db7b3e827ab7d47b9106f924cf0d08
SHA1

0c8d26a2e408bb4efbe6c64d38c21cf85cafdf24
SHA256

fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18
SHA512

a42ce8949b1e69a3131ec0e6ef12e7fb5f918a716fe7f91539c05a11a5cc78ea408e9e32afa7468d4d440630c4ef870b2758014b42cbf0932048d71ef5dc92fc
SSDEEP

98304:ceidhlFrjrskTaHuZXVoYWJKxNOJmrOw4/M1mfxjXem5t:8nFrjaHKLCmrOMofxjfH

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2836	ZMining.exe
1136	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
2836	ZMining.exe
1136	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe
2836	ZMining.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	ZMining.exe
Token: 0	2836	ZMining.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
2836	ZMining.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2836	1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe	28
PID 1784 wrote to memory of 2836	1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe	28
PID 1784 wrote to memory of 2836	1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe	28
PID 1784 wrote to memory of 2836	1784	fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe	28

C:\Users\Admin\AppData\Local\Temp\fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe
"C:\Users\Admin\AppData\Local\Temp\fe6157ea3ff94f6c4f84da31a56ea05038dba490cc441bac0086999456170d18.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\ZMining.exe
  "C:\Users\Admin\AppData\Local\Temp\ZMining.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZMining.exe

Filesize
9.5MB

MD5
f1ed077fe7d42843c7e12566b5a158da

SHA1
066ee48a3c4a84c9cd61053452bcb36d6fd1ae47

SHA256
196b383eefd0f038d3de385740d42fbd60b816881ff7ae6f135d36cf194e3aa1

SHA512
f30d5f07c030a337b0b33f55d0c5f3f76b4d5e013cf50eaf141392bef8973d58686e8f7f4ed2298a5ad486be4811ca6bb9b88c591f56f7477d54cd3f801f50c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMining.exe

Filesize
7.2MB

MD5
14ae8e6f4d2baeed501f2103d102b150

SHA1
09ce324095444ec5f4a45e2663a686788859178e

SHA256
c341828227d9acc97b53c52dd7ca0453028b0e2f466571da1440cf655304ac4b

SHA512
c9bd583f70940dd872e73e1275928fb22f92b7b3139e94ee9f1eda6e0d215557ac8950c707ea1273fffdcd9d87698ae142730eb86deb2c5a07d42d7c7a947a31

Download Submit
\Users\Admin\AppData\Local\Temp\ZMining.exe

Filesize
9.3MB

MD5
57da1837bf2d806f0f162a23a52d4af1

SHA1
97a5d1218b3fa0008bb7c6f1e3a5a166a49d82eb

SHA256
44ae74d84246d40c95a6c271eddac4953ee67e18c3912e437fc6488835c232db

SHA512
d8a51fe5a47c0c842d1d6cbf00e4fd1a23a1bf7d243f4ccd9aaef59c5d34916f9a17e418414792c52c19f1982d51eeb63c88ee0b6809a4a56f12c19ce238ef3d

Download Submit
\Users\Admin\AppData\Local\Temp\ZMining.exe

Filesize
1.9MB

MD5
392b35a6efcef4e0bdd2ce57ba819ce4

SHA1
b7f4a1ceafbebab2d160befe2e66f2cb19a7fd5f

SHA256
4147b6c2be7b02778db4dd4808688436fcf079e8ce910ff3d291b3b409563e75

SHA512
83e7a6f8a09c46b9d9f6416da9dec9cdfc7468f7fd7c1e309107463baeba6ffc8a1ec5cf13922536e1d411521a9690f1969df86f50397c9617b4d9fd8da2de89

Download Submit
\Users\Admin\AppData\Local\Temp\ZMining.exe

Filesize
1.8MB

MD5
c2da7c21e17685ba09120d9e8d44953b

SHA1
7e60a24b58bf7a23869ed37501ea6793ab29b330

SHA256
004cd5f4d6e21b88a300af71a8f8ca96e565cb26786ff0d41c566d0186526436

SHA512
72511101af2a010cf1e6bbfca7ad9255a156ad8a620cfc4568842a91406f9146768448c0a8ae7800b1d79ebf54a7580bc96f3095fb57a6280c6bfbee09bf33d4

Download Submit
\Users\Admin\AppData\Local\Temp\nvml.dll

Filesize
597KB

MD5
ba5b566449f3e4429aa10d9374fff22a

SHA1
67d882218b32bb34ff346ce250f1881cacedda32

SHA256
2d2f7e096925f8534f050118b9e3e78e505d41d96a1a2a8c3527dffe8d1cb50f

SHA512
6dec2530bbadc3d34b4b7779769a3ada244314f610a53bddbeed3e2265e18acdfb96546183fbb840b4017a9e88ff284cd5802930b05fc76e5cbcfb2e825588ac

Download Submit
memory/1784-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1784-1-0x0000000000400000-0x0000000000BE5000-memory.dmp

Filesize
7.9MB

Download
memory/1784-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1784-12-0x0000000000400000-0x0000000000BE5000-memory.dmp

Filesize
7.9MB

Download
memory/1784-17-0x0000000000400000-0x0000000000BE5000-memory.dmp

Filesize
7.9MB

Download
memory/2836-22-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2836-28-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-23-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2836-24-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-25-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-26-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-27-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-21-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-29-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-32-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-20-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download
memory/2836-19-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2836-18-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2836-46-0x0000000000400000-0x0000000001420000-memory.dmp

Filesize
16.1MB

Download