8b39f5c3e8d6a40e7ac61b75a3ff9a23e14c6075d7a906635723a51bcf405788

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-03-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0f8548b0b062faae09c74004e1155d6.exe
Size

356KB
MD5

d0f8548b0b062faae09c74004e1155d6
SHA1

dab7b56c182663899370f767cac266cb48ec19b3
SHA256

8b39f5c3e8d6a40e7ac61b75a3ff9a23e14c6075d7a906635723a51bcf405788
SHA512

e371ed23552bd26799483a1158dba047f7039f6f5ffdf7694da7f8a41acc0be732ce127b6c5022c7beb1b8e158b799b0b376eafbd54e219dd08ee052115efa67
SSDEEP

6144:o9VnIoCin4yVsaBQyP8PdrKF4OBl39qDJbRdTA/HgUGjUWnLFK:erlTVTiyP8PdrKF4OBdADtTx9jUqk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d0f8548b0b062faae09c74004e1155d6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d0f8548b0b062faae09c74004e1155d6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d0f8548b0b062faae09c74004e1155d6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Windows Task Services = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0f8548b0b062faae09c74004e1155d6.exe"	d0f8548b0b062faae09c74004e1155d6.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d0f8548b0b062faae09c74004e1155d6.exed0f8548b0b062faae09c74004e1155d6.exe

description	pid	process	target process
PID 2740 set thread context of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 set thread context of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d0f8548b0b062faae09c74004e1155d6.exed0f8548b0b062faae09c74004e1155d6.exe

C:\Users\Admin\AppData\Local\Temp\d0f8548b0b062faae09c74004e1155d6.exe
"C:\Users\Admin\AppData\Local\Temp\d0f8548b0b062faae09c74004e1155d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\d0f8548b0b062faae09c74004e1155d6.exe
  "C:\Users\Admin\AppData\Local\Temp\d0f8548b0b062faae09c74004e1155d6.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\d0f8548b0b062faae09c74004e1155d6.exe
    miner.exe -a 60 -g yes -o http://ze.pusikuracbre.com:8332/ -u redem_check -p magicguildd
    3⤵
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-42-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-4-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-6-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-53-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-51-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-49-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-44-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2424-38-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/2424-50-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-34-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-32-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-36-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-39-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/2424-40-0x00000000006D0000-0x000000000071B000-memory.dmp

Filesize
300KB

Download
memory/2424-66-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-41-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2424-31-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-43-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-45-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-47-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-33-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-28-0x00000000004FD000-0x0000000000537000-memory.dmp

Filesize
232KB

Download
memory/2424-52-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-27-0x00000000004FD000-0x0000000000537000-memory.dmp

Filesize
232KB

Download
memory/2424-54-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-26-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-56-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-58-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-60-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-18-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-62-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2424-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2424-64-0x0000000000400000-0x00000000005368DA-memory.dmp

Filesize
1.2MB

Download
memory/2740-1-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2740-0-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

description	pid	process	target process
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 2740 wrote to memory of 1624	2740	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe
PID 1624 wrote to memory of 2424	1624	d0f8548b0b062faae09c74004e1155d6.exe	d0f8548b0b062faae09c74004e1155d6.exe