Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-02-2024 05:14

General

  • Target

    a84ceadb0affd7fa9c028b88fa4a3c63.exe

  • Size

    673KB

  • MD5

    a84ceadb0affd7fa9c028b88fa4a3c63

  • SHA1

    835f0dad620c7550c87eaa5e49920647c409bda5

  • SHA256

    8b87749e2c1ccbcc5c3dbdde373dfb2f655f5b170b519e2b90f7bc8ccf95e9a4

  • SHA512

    7e457b7870e818ec8c52c5e3287a37943ff42342fee7d35a5fd5dff699cf8d68455681856f40e4ea7acb177ac865a43a5fe7674bc21f1d722b23f3c34fe3bfb8

  • SSDEEP

    12288:9YV39RQ5x8XL0uGHcrgKkmJQR8Zir2AlFzCQB0ok1WYFndzitT2h:9Ytg5aL0zHcxkm+6WY5di12h

Score
7/10

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe
    "C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im bitcoin-miner*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im btc*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im miner*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1216-0-0x0000000000400000-0x00000000004C7000-memory.dmp
    Filesize

    796KB

  • memory/1216-5-0x0000000000400000-0x00000000004C7000-memory.dmp
    Filesize

    796KB