94b851aa3a5ee81b587ba69106c0151e082ab1bbbb922a23afe226443178e59b

Analysis

max time kernel
296s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 20:26

Target

ore-miner.zip
Size

74.9MB
MD5

5310f04ba1924ad859a5bd354f2de20e
SHA1

4f39a4a2191217221e3f98f38a13fe4c9c97d76f
SHA256

94b851aa3a5ee81b587ba69106c0151e082ab1bbbb922a23afe226443178e59b
SHA512

233f719ca8a4633e9e6013d65704192f8b5cef4d578b9c24896ea0323ee2071e0b00d9d13ee5e73f0b6d183a3c667db673853eed66acc1f1eacdb54fe28d8e7b
SSDEEP

1572864:0V6m55CbiAqZvCdSvNm5Tpx+Gyqi3Rao1offARQNgpo69uPVqVRr90ZOLg:XBq8INSTdi3RafwmgO6q490ZO8

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1208	PowerShell.exe
1208	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	PowerShell.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3808	4896	OpenWith.exe	100
PID 4896 wrote to memory of 3808	4896	OpenWith.exe	100
PID 1208 wrote to memory of 4952	1208	PowerShell.exe	104
PID 1208 wrote to memory of 4952	1208	PowerShell.exe	104
PID 1208 wrote to memory of 4464	1208	PowerShell.exe	105
PID 1208 wrote to memory of 4464	1208	PowerShell.exe	105
PID 1208 wrote to memory of 4468	1208	PowerShell.exe	106
PID 1208 wrote to memory of 4468	1208	PowerShell.exe	106
PID 1208 wrote to memory of 4972	1208	PowerShell.exe	107
PID 1208 wrote to memory of 4972	1208	PowerShell.exe	107

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ore-miner.zip
1⤵
PID:3360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ore-miner\rpcs.txt
1⤵
PID:3180

C:\Users\Admin\Desktop\ore-miner\ore-miner.exe
"C:\Users\Admin\Desktop\ore-miner\ore-miner.exe"
1⤵
PID:4292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ore-miner\settings.json
  2⤵
  PID:3808

C:\Users\Admin\Desktop\ore-miner\ore-miner.exe
"C:\Users\Admin\Desktop\ore-miner\ore-miner.exe"
1⤵
PID:2840

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop\ore-miner'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\Desktop\ore-miner\ore-miner.exe
  "C:\Users\Admin\Desktop\ore-miner\ore-miner.exe"
  2⤵
  PID:4952
- C:\Users\Admin\Desktop\ore-miner\ore-miner.exe
  "C:\Users\Admin\Desktop\ore-miner\ore-miner.exe" -
  2⤵
  PID:4464
- C:\Users\Admin\Desktop\ore-miner\ore-miner.exe
  "C:\Users\Admin\Desktop\ore-miner\ore-miner.exe" --help
  2⤵
  PID:4468
- C:\Users\Admin\Desktop\ore-miner\ore-miner.exe
  "C:\Users\Admin\Desktop\ore-miner\ore-miner.exe" /?
  2⤵
  PID:4972

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13csok1q.gwd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1208-2-0x000002CE89850000-0x000002CE89872000-memory.dmp

Filesize
136KB

Download
memory/1208-12-0x00007FFC497C0000-0x00007FFC4A281000-memory.dmp

Filesize
10.8MB

Download
memory/1208-13-0x000002CEA1EB0000-0x000002CEA1EC0000-memory.dmp

Filesize
64KB

Download
memory/1208-14-0x000002CEA1EB0000-0x000002CEA1EC0000-memory.dmp

Filesize
64KB

Download
memory/1208-15-0x000002CEA1EB0000-0x000002CEA1EC0000-memory.dmp

Filesize
64KB

Download
memory/1208-16-0x000002CEA2B20000-0x000002CEA2B64000-memory.dmp

Filesize
272KB

Download
memory/1208-17-0x000002CEA2BF0000-0x000002CEA2C66000-memory.dmp

Filesize
472KB

Download
memory/1208-18-0x000002CEA2B70000-0x000002CEA2B8E000-memory.dmp

Filesize
120KB

Download
memory/1208-21-0x00007FFC497C0000-0x00007FFC4A281000-memory.dmp

Filesize
10.8MB

Download
memory/1208-22-0x000002CEA1EB0000-0x000002CEA1EC0000-memory.dmp

Filesize
64KB

Download