Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-03-2024 10:33
Static task: static1
Behavioral task: behavioral1
  Sample: be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe
  Resource: win10v2004-20240226-en
General
Target: be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe
Size: 2.5MB
MD5: 4c38070e0764c127692cff709fbfa99e
SHA1: 36c85d6658eb285b31d0f20fa60e1e935711cc9f
SHA256: be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d
SHA512: b55471879efe435a46297bcd6d21006a03896bba7bbdf6fa39ed694e6aae3651a94e473fef60d50b2964effc05bbb87bc1082ca85872842853dccb2a0df93d7e
SSDEEP: 49152:S0+srvwWgzGqpGODg5QQUgbtJHBfHTe3b2UmZZKfCAb:S02GeDgOQUgb9/T67CA
Malware Config
Signatures
XMRig Miner payload 16 IoCs
resource                                                                     yara_rule
behavioral1/memory/2800-18-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-19-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-28-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-29-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-31-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-32-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-34-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-38-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-39-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-40-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-41-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-42-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-43-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2800-44-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-46-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/1280-47-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
Creates new service(s) 1 TTPs
Stops running service(s) 3 TTPs
Executes dropped EXE 3 IoCs
pid   Process
472   Process not Found
2720  hhfnvbwmqfna.exe
2464  hhfnvbwmqfna.exe
Loads dropped DLL 1 IoCs
pid   Process
472   Process not Found
UPX packed file 21 IoCs
resource                                                                     yara_rule
behavioral1/memory/2800-12-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-14-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-15-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-16-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-17-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-18-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-19-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-28-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-29-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-31-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-32-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-34-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-38-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-39-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-40-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-41-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-42-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-43-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2800-44-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-46-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/1280-47-0x0000000140000000-0x0000000140848000-memory.dmp  upx
Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process           procid_target
PID 2720 set thread context of 2468  2720  hhfnvbwmqfna.exe  37
PID 2720 set thread context of 2800  2720  hhfnvbwmqfna.exe  38
PID 2464 set thread context of 1280  2464  hhfnvbwmqfna.exe  40
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
1640  sc.exe
2640  sc.exe
2824  sc.exe
2584  sc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1488  be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe  (4 entries)
2720  hhfnvbwmqfna.exe  (2 entries)
2468  conhost.exe
2464  hhfnvbwmqfna.exe
2800  svchost.exe  (the remaining 56 entries alternate between PID 2800 and PID 1280)
1280  svchost.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
472  Process not Found
472  Process not Found
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   pid   Process
Token: SeLockMemoryPrivilege  2800  svchost.exe
Token: SeLockMemoryPrivilege  1280  svchost.exe
Suspicious use of WriteProcessMemory 19 IoCs
description                       pid   Process           procid_target
PID 2720 wrote to memory of 2468  2720  hhfnvbwmqfna.exe  37  (9 entries)
PID 2720 wrote to memory of 2800  2720  hhfnvbwmqfna.exe  38  (5 entries)
PID 2464 wrote to memory of 1280  2464  hhfnvbwmqfna.exe  40  (5 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe"
    PID: 1488
    - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe delete "HKQILALP"
        PID: 1640
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe create "HKQILALP" binpath= "C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe" start= "auto"
        PID: 2640
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop eventlog
        PID: 2824
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe start "HKQILALP"
        PID: 2584
        - Launches sc.exe
[1] C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe
    Command line: C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe
    PID: 2720
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\conhost.exe
        Command line: C:\Windows\system32\conhost.exe
        PID: 2468
        - Suspicious behavior: EnumeratesProcesses
        [3] C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe
            Command line: "C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe"
            PID: 2464
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\svchost.exe
                Command line: svchost.exe
                PID: 1280
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\svchost.exe
        Command line: svchost.exe
        PID: 2800
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1.4MB
  MD5: 43c657429047cbb3a3e42563a1e612dd
  SHA1: 43043d367c6b0f2c012fc71ff1a81011728e1574
  SHA256: 1200921b5aea66ae2f8e878ad0442ade971a425f7b6b07e6c179b61a995ad153
  SHA512: 918a57ad56914cd7460fa0f1a52a4c99761b44814f80f1493da45c6af83877ca15d5a673f101c050a0fa7da8cc1edc0bf5a2ebd4072f32b32c84f15fb616e6f8
File 2
  Filesize: 14KB
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
File 3
  Filesize: 2.5MB
  MD5: 4c38070e0764c127692cff709fbfa99e
  SHA1: 36c85d6658eb285b31d0f20fa60e1e935711cc9f
  SHA256: be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d
  SHA512: b55471879efe435a46297bcd6d21006a03896bba7bbdf6fa39ed694e6aae3651a94e473fef60d50b2964effc05bbb87bc1082ca85872842853dccb2a0df93d7e