Analysis
max time kernel: 141s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 05:14
Behavioral task: behavioral1
Sample: a84ceadb0affd7fa9c028b88fa4a3c63.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a84ceadb0affd7fa9c028b88fa4a3c63.exe
Resource: win10v2004-20240226-en
General
Target: a84ceadb0affd7fa9c028b88fa4a3c63.exe
Size: 673KB
MD5: a84ceadb0affd7fa9c028b88fa4a3c63
SHA1: 835f0dad620c7550c87eaa5e49920647c409bda5
SHA256: 8b87749e2c1ccbcc5c3dbdde373dfb2f655f5b170b519e2b90f7bc8ccf95e9a4
SHA512: 7e457b7870e818ec8c52c5e3287a37943ff42342fee7d35a5fd5dff699cf8d68455681856f40e4ea7acb177ac865a43a5fe7674bc21f1d722b23f3c34fe3bfb8
SSDEEP: 12288:9YV39RQ5x8XL0uGHcrgKkmJQR8Zir2AlFzCQB0ok1WYFndzitT2h:9Ytg5aL0zHcxkm+6WY5di12h
Malware Config
Signatures
-
Processes:
resource: behavioral2/memory/1980-0-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/1980-5-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\btc = "C:\\Users\\Admin\\AppData\\Roaming\\btc.exe"
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 3 IoCs
Processes:
pid: 5084  process: taskkill.exe
pid: 3684  process: taskkill.exe
pid: 2028  process: taskkill.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description: Token: SeDebugPrivilege  pid: 3684  process: taskkill.exe
description: Token: SeDebugPrivilege  pid: 2028  process: taskkill.exe
description: Token: SeDebugPrivilege  pid: 5084  process: taskkill.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description: PID 1980 wrote to memory of 5084  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 5084  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 5084  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 2028  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 2028  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 2028  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 3684  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 3684  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
description: PID 1980 wrote to memory of 3684  pid: 1980  process: a84ceadb0affd7fa9c028b88fa4a3c63.exe  target process: taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a84ceadb0affd7fa9c028b88fa4a3c63.exe"
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im bitcoin-miner*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:5084
    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im miner*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:3684
    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im btc*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2028
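The two behaviours worth turning into detection logic here are the Run-key write (value `btc` pointing at `%APPDATA%\btc.exe`) and the three forced `taskkill /im` calls against wildcard miner names spawned by the same parent. The following is an added example, not part of the sandbox report or the sample: it parses a constructed, hypothetical event stream shaped like the report (the `registry_set` / `process_create` dictionaries, the field names and the benign `notepad.exe` control are all assumptions), correlates both behaviours to one parent PID, and additionally checks which kill patterns would also match the sample's own persisted file name, since `btc*` matches `btc.exe`.

```python
import fnmatch
import re

# Constructed sample events modelled on the report above (hypothetical event
# schema, not real sandbox output): one Run-key write and three child processes
# of PID 1980, plus a benign taskkill from an unrelated parent as a control.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 1980,
     "process": "a84ceadb0affd7fa9c028b88fa4a3c63.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\btc",
     "value": r"C:\Users\Admin\AppData\Roaming\btc.exe"},
    {"type": "process_create", "pid": 5084, "ppid": 1980,
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im bitcoin-miner*"},
    {"type": "process_create", "pid": 3684, "ppid": 1980,
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im miner*"},
    {"type": "process_create", "pid": 2028, "ppid": 1980,
     "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im btc*"},
    {"type": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /im notepad.exe"},   # benign control, unrelated parent
]

# Autostart keys covered: ...\CurrentVersion\Run, RunOnce and RunOnceEx (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(Ex)?\\",
                        re.IGNORECASE)
# Image-name fragments typical of coin-miner processes; an assumed list, extend to taste.
MINER_NAME_RE = re.compile(r"miner|xmrig|btc|bitcoin|monero", re.IGNORECASE)


def run_key_persistence(event):
    """Return (value name, image path) if a registry write lands under a Run key."""
    if event.get("type") != "registry_set" or not RUN_KEY_RE.search(event["key"]):
        return None
    value_name = event["key"].rsplit("\\", 1)[-1]
    return value_name, event["value"]


def parse_taskkill(cmdline):
    """Return (forced, [image patterns]) for a taskkill command line, else None.

    Only the /F and /IM switches are interpreted. taskkill switches are
    case-insensitive and /IM accepts '*' wildcards, which is why each of the
    sample's three patterns can terminate many differently named processes.
    """
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("taskkill", "taskkill.exe"):
        return None
    forced = any(t.lower() == "/f" for t in tokens)
    images = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.lower() == "/im"]
    return forced, images


def miner_kill_patterns(cmdline):
    """Image patterns in a taskkill command line that look aimed at miners."""
    parsed = parse_taskkill(cmdline)
    if parsed is None:
        return []
    return [img for img in parsed[1] if MINER_NAME_RE.search(img)]


def assess(events):
    """Group events by the parent PID and keep parents that both persist via a
    Run key and spawn taskkill against miner-like image names."""
    findings = {}
    for ev in events:
        owner = ev["ppid"] if ev["type"] == "process_create" else ev["pid"]
        f = findings.setdefault(owner, {"run_key": None, "killed_patterns": []})
        rk = run_key_persistence(ev)
        if rk:
            f["run_key"] = rk
        if ev["type"] == "process_create":
            f["killed_patterns"].extend(miner_kill_patterns(ev["cmdline"]))
    return {pid: f for pid, f in findings.items()
            if f["run_key"] and f["killed_patterns"]}


def patterns_hitting_own_persistence(finding):
    """Kill patterns that would also match the file name the sample persisted
    as (in the report, 'btc*' matches the persisted btc.exe)."""
    base = finding["run_key"][1].rsplit("\\", 1)[-1].lower()
    return [p for p in finding["killed_patterns"] if fnmatch.fnmatchcase(base, p.lower())]


if __name__ == "__main__":
    for pid, f in assess(SAMPLE_EVENTS).items():
        print(pid, f, patterns_hitting_own_persistence(f))
```

Correlating on the parent PID is what separates this from a bare "taskkill was run" rule: an administrator's `taskkill /im notepad.exe` never reaches the result because it neither carries a Run-key write nor targets a miner-like name. The self-match check is the caveat to keep in mind when tuning the miner-name list, since a sample that persists under a miner-like name will also match its own kill patterns.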