Analysis
max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-02-2024 05:14
Behavioral task behavioral1
Sample: a84ceadb0affd7fa9c028b88fa4a3c63.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: a84ceadb0affd7fa9c028b88fa4a3c63.exe
Resource: win10v2004-20240226-en
(The signatures and process tree below reference behavioral1, the Windows 7 x64 run.)
General
Target: a84ceadb0affd7fa9c028b88fa4a3c63.exe
Size: 673KB
MD5: a84ceadb0affd7fa9c028b88fa4a3c63
SHA1: 835f0dad620c7550c87eaa5e49920647c409bda5
SHA256: 8b87749e2c1ccbcc5c3dbdde373dfb2f655f5b170b519e2b90f7bc8ccf95e9a4
SHA512: 7e457b7870e818ec8c52c5e3287a37943ff42342fee7d35a5fd5dff699cf8d68455681856f40e4ea7acb177ac865a43a5fe7674bc21f1d722b23f3c34fe3bfb8
SSDEEP: 12288:9YV39RQ5x8XL0uGHcrgKkmJQR8Zir2AlFzCQB0ok1WYFndzitT2h:9Ytg5aL0zHcxkm+6WY5di12h
Malware Config
Signatures

Yara rule match (upx) 2 IoCs
resource | yara_rule
behavioral1/memory/1216-0-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
behavioral1/memory/1216-5-0x0000000000400000-0x00000000004C7000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\btc = "C:\\Users\\Admin\\AppData\\Roaming\\btc.exe" | a84ceadb0affd7fa9c028b88fa4a3c63.exe
The Run value named btc points at btc.exe under the user's AppData\Roaming directory. This report lists no file-write event for that path, so on a live host check whether the file is actually present before treating the persistence as complete.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 3 IoCs
pid | process
1580 | taskkill.exe
2620 | taskkill.exe
2528 | taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 1580 | taskkill.exe
Token: SeDebugPrivilege | 2528 | taskkill.exe
Token: SeDebugPrivilege | 2620 | taskkill.exe
These three hits come from the taskkill.exe children, which enable SeDebugPrivilege themselves when forcing termination (/f); the sample's own process (1216) does not appear under this signature.
Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
1216 | a84ceadb0affd7fa9c028b88fa4a3c63.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | process | target process
PID 1216 wrote to memory of 1580 (4 events) | 1216 | a84ceadb0affd7fa9c028b88fa4a3c63.exe | taskkill.exe
PID 1216 wrote to memory of 2620 (4 events) | 1216 | a84ceadb0affd7fa9c028b88fa4a3c63.exe | taskkill.exe
PID 1216 wrote to memory of 2528 (4 events) | 1216 | a84ceadb0affd7fa9c028b88fa4a3c63.exe | taskkill.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe  (PID 1216)
  command line: "C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe"
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe  (PID 1580)
      command line: taskkill /f /im bitcoin-miner*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe  (PID 2620)
      command line: taskkill /f /im btc*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\taskkill.exe  (PID 2528)
      command line: taskkill /f /im miner*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
All three children are spawned from the 32-bit sample (hence SysWOW64\taskkill.exe) and force-kill any process whose image name starts with bitcoin-miner, btc or miner. Combined with the Run value that launches AppData\Roaming\btc.exe, the observed behaviour is that of a miner evicting competing miners before installing its own persistence.
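The two behaviours in this report that are worth alerting on are the wildcard taskkill of miner-named processes and the Run value pointing into a user-writable directory. The script below is an added example, not part of the sandbox output: it runs detection logic over constructed Sysmon-style events (process creation and registry value set) that mirror the PIDs, command lines and registry path above, plus one benign taskkill as a control. The event field names, the extra miner keywords (xmrig, minerd, cpuminer), the user-writable path list and the "two or more miner kills plus Run-key persistence" correlation threshold are assumptions of the example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample events shaped after Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set). Values mirror the report; these are not real logs.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1216, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe"'},
    {"type": "registry_set", "pid": 1216,
     "target": r"HKU\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\btc",
     "details": r"C:\Users\Admin\AppData\Roaming\btc.exe"},
    {"type": "process_create", "pid": 1580, "ppid": 1216,
     "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im bitcoin-miner*"},
    {"type": "process_create", "pid": 2620, "ppid": 1216,
     "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im btc*"},
    {"type": "process_create", "pid": 2528, "ppid": 1216,
     "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /f /im miner*"},
    # Benign control (constructed): an admin killing a hung editor from a normal shell.
    {"type": "process_create", "pid": 3001, "ppid": 700,
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im notepad.exe"},
]

# Image-name keywords from the report plus a few common miner names (assumption).
MINER_KEYWORDS = ("bitcoin-miner", "btc", "miner", "xmrig", "minerd", "cpuminer")
# Captures the /im argument of a taskkill command line, with or without quotes.
TASKKILL_IM_RE = re.compile(r'(?i)taskkill\b.*?/im\s+"?([^\s"]+)')
# Run / RunOnce under any hive path.
RUN_KEY_RE = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE_RE = re.compile(r"(?i)\\(AppData\\(Roaming|Local)|Temp|Downloads|ProgramData)\\")


def taskkill_target(cmdline):
    """Return the lower-cased /im image pattern from a taskkill command line, or None."""
    m = TASKKILL_IM_RE.search(cmdline)
    return m.group(1).lower() if m else None


def is_miner_pattern(image_pattern):
    """True when a taskkill /im pattern (wildcard or literal) names a miner."""
    base = image_pattern.lower().rstrip("*")
    if len(base) < 3:  # patterns like "a*" are too broad to attribute to miner hunting
        return False
    return any(base in kw or kw in base for kw in MINER_KEYWORDS)


def analyze(events):
    """Correlate miner-killing taskkill children with Run-key persistence per parent PID.

    Returns (findings, benign_taskkill_pids). findings maps a PID to its miner kill
    patterns, Run-key entries and a verdict: "miner_hijack" when the same process
    both spawns >= 2 miner kills and persists via Run, otherwise "suspicious".
    """
    kills = defaultdict(list)        # parent pid -> list of /im patterns it killed
    persistence = defaultdict(list)  # pid -> list of (value name, payload path)
    benign = []
    for ev in events:
        if ev["type"] == "process_create" and ev["image"].lower().endswith("\\taskkill.exe"):
            pat = taskkill_target(ev["cmdline"])
            if pat and is_miner_pattern(pat):
                kills[ev["ppid"]].append(pat)
            else:
                benign.append(ev["pid"])
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            if USER_WRITABLE_RE.search(ev["details"]):
                value_name = ev["target"].rsplit("\\", 1)[-1]
                persistence[ev["pid"]].append((value_name, ev["details"]))
    findings = {}
    for pid in set(kills) | set(persistence):
        hijack = len(kills.get(pid, [])) >= 2 and pid in persistence
        findings[pid] = {
            "miner_kill_patterns": sorted(kills.get(pid, [])),
            "run_key_persistence": persistence.get(pid, []),
            "verdict": "miner_hijack" if hijack else "suspicious",
        }
    return findings, benign


if __name__ == "__main__":
    results, benign_pids = analyze(SAMPLE_EVENTS)
    for pid, f in results.items():
        print(pid, f["verdict"], f["miner_kill_patterns"], f["run_key_persistence"])
    print("benign taskkill pids:", benign_pids)
```

The correlation is keyed on the parent PID rather than on each taskkill alone, so a single administrative `taskkill /f /im notepad.exe` stays out of the findings while the three wildcard kills from PID 1216, together with its Run value, produce one high-confidence verdict.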