Analysis
-
max time kernel
29s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-03-2024 02:14
General
-
Target
4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002.exe
-
Size
5.3MB
-
MD5
b59631e064541c8651576128708e50f9
-
SHA1
7aae996d4990f37a48288fa5f15a7889c3ff49b3
-
SHA256
4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002
-
SHA512
571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92
-
SSDEEP
98304:69w8PMOW9ZI6aO7sd/mzt5mAiN1vw+/YR8ov/bkMJmJZNOnTdjyip:ndIV0G/mzsN1vl/YRV4MY9OnTdjy
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
-
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exeC:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe2⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
-
-
C:\Windows\system32\dialer.exedialer.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002.exe"C:\Users\Admin\AppData\Local\Temp\4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Miner.exe"C:\Users\Admin\AppData\Roaming\Miner.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "RYVSUJUA"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "RYVSUJUA"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\Shortcutter.exe"C:\Users\Admin\AppData\Roaming\Shortcutter.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5d52fe806ce18b930f9ac416d6c5eaa19
SHA1eeea4e3f788cfab53ddc5c7cd8f60e3b74a2097e
SHA256c6ebd194bf1f9e3e2494ec69f9c136b34352d13231f51630d5eb08f29e8ac2d2
SHA5124b7a86d7479130957721f6daed9ccf7edc08c86a67c71977e539404979ffb74783c0d7635c87e3552addca70a222d03ee96ee18366532c7de2d68dadb31b5837
-
Filesize
2.9MB
MD519c3163b1129e112ebe0003bb688eff7
SHA134f4ef0193fb3bc316222a6ab9bdf24e2a57b5f5
SHA256427ef5ce7aca28135fbe2baa0cb18613f24c112e604df27c5385a558d909b1db
SHA512524001744f911a58f4a7f8e779761c89f9f76d19982dd2e9bb89217b8ebb18198fc19d26e070e54051399ef40b3cdf8bb37b6e0ee056f9abd76dc46549136b16
-
Filesize
7KB
MD5a9b6258f34d43281b2d8f92763aa9a6d
SHA1134026d19b562c0f248c0310669ed6d4184aebdb
SHA256bb36a9785e2b59c61e87dfd44d5c72bbfb1279112e6595dd4d35bcfd129948ba
SHA512625f2f42efc641d8a8eadbd117f8eaf228c81d81b28e9f7f2e0ff395bbf73ff35552433980e4379d15aa7e9b92ef3412c6103ab0fb2e68a5329b4982b5171f2b
-
Filesize
145KB
MD519c7052de3b7281b4c1c6bfbb543c5dc
SHA1d2e12081a14c1069c89f2cee7357a559c27786e7
SHA25614ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a
SHA512289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83
-
Filesize
154KB
MD5f0ecfbfa3e3e59fd02197018f7e9cb84
SHA1961e9367a4ef3a189466c0a0a186faf8958bdbc4
SHA256cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324
SHA512116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294
-
Filesize
145KB
MD5ce233fa5dc5adcb87a5185617a0ff6ac
SHA12e2747284b1204d3ab08733a29fdbabdf8dc55b9
SHA25668d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31
SHA5121e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2
-
Filesize
142KB
MD5d73172c6cb697755f87cd047c474cf91
SHA1abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA2569de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA5127c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6
-
Filesize
114KB
MD51f998386566e5f9b7f11cc79254d1820
SHA1e1da5fe1f305099b94de565d06bc6f36c6794481
SHA2561665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f
-
Filesize
680KB
MD5b69ab3aeddb720d6ef8c05ff88c23b38
SHA1d830c2155159656ed1806c7c66cae2a54a2441fa
SHA25624c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625
SHA5124c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d
-
Filesize
646KB
MD5aecab86cc5c705d7a036cba758c1d7b0
SHA1e88cf81fd282d91c7fc0efae13c13c55f4857b5e
SHA2569bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066
SHA512e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8
-
Filesize
727KB
MD57d0bac4e796872daa3f6dc82c57f4ca8
SHA1b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e
-
Filesize
727KB
MD55f684ce126de17a7d4433ed2494c5ca9
SHA1ce1a30a477daa1bac2ec358ce58731429eafe911
SHA2562e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA5124d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b
-
Filesize
722KB
MD54623482c106cf6cc1bac198f31787b65
SHA15abb0decf7b42ef5daf7db012a742311932f6dad
SHA256eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f
-
Filesize
64KB
MD526e4953631f7b9901398b30f902d3407
SHA108955b33a4ae549d5ef9f21f403be02f688947ab
SHA256327aae30c66dbcba4c634ceed665436808b2acbd4f557e2c5650c2e28b36b497
SHA51290ab63dc9c181aed35eb3269cb84eb49442b7964910753a256d06b5df946b6cc938f6f5ce8843328234dc6f69e3898b46d7c61e769f8a972077715789a857bc9
-
Filesize
3KB
MD5b133a676d139032a27de3d9619e70091
SHA11248aa89938a13640252a79113930ede2f26f1fa
SHA256ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
-
Filesize
27KB
MD546d08e3a55f007c523ac64dce6dcf478
SHA162edf88697e98d43f32090a2197bead7e7244245
SHA2565b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42
-
Filesize
2KB
MD5710d55f3d3ca732fc39af6ffc68981ed
SHA1f5795ab6843bf05d8b845b854a7fcf566a8a6b41
SHA256651618095b62236fcd605652b4ee1e92886ffc38d72660149030b25f2ace3306
SHA5121b8f40d21a3674ec23b67501fb4305d1bdd8cb7c3837d43014585a185e1aa9c3f9405c8429f85f4f76df80ecfc071ad6ac4a85d8581481bd88fd0f8c7e188e54
-
Filesize
4.1MB
MD513b651a596445fe9ab6813d7bf313b22
SHA1d88beb660c5f0c603b65067d9eb65adf080eba66
SHA2566695e1351278abe5b5d2b7cc2fef561f8af66c5cb60427c8a5024ecd93476a14
SHA512324395fdd6a32d13058290341139c084c7e22d5752e02fba4ad2700bc630be7d243b4f0e9d6cc4aece9419dc67e0235b1815cfdbbc94173ca88c999c8c4989cb
-
Filesize
5.3MB
MD599201be105bf0a4b25d9c5113da723fb
SHA1443e6e285063f67cb46676b3951733592d569a7c
SHA256e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2
SHA512b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808
-
Filesize
50KB
MD54ce8fc5016e97f84dadaf983cca845f2
SHA10d6fb5a16442cf393d5658a9f40d2501d8fd725c
SHA256f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551
SHA5124adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
1.7MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
1.1MB
-
Filesize
1.7MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
1.7MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
172KB
-
Filesize
512KB
-
Filesize
1.7MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
72KB