Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
17-06-2024 00:10
Behavioral task
behavioral1
Sample
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Resource
win10v2004-20240611-en
General
-
Target
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
-
Size
424KB
-
MD5
13e5872e9b7c47090e035dc228c5589f
-
SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760
-
SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
-
SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
-
SSDEEP
6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
Malware Config
Signatures
-
XMRig Miner payload 11 IoCs
Processes:
resource yara_rule behavioral2/memory/1764-45-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-44-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-50-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-51-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-48-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-49-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-47-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-52-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-55-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-56-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/1764-57-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
Hkbsse.exeblob.exevxfagazdltye.exeHkbsse.exeHkbsse.exeHkbsse.exepid process 4840 Hkbsse.exe 4980 blob.exe 3992 vxfagazdltye.exe 3812 Hkbsse.exe 5076 Hkbsse.exe 4080 Hkbsse.exe -
Processes:
resource yara_rule behavioral2/memory/1764-39-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-42-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-40-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-41-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-45-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-44-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-43-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-50-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-51-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-48-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-49-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-47-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-52-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-55-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-56-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/1764-57-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Hkbsse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\blob.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\blob.exe" Hkbsse.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vxfagazdltye.exedescription pid process target process PID 3992 set thread context of 1764 3992 vxfagazdltye.exe conhost.exe -
Drops file in Windows directory 1 IoCs
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exedescription ioc process File created C:\Windows\Tasks\Hkbsse.job d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 652 sc.exe 3292 sc.exe 3100 sc.exe 428 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
blob.exevxfagazdltye.exepid process 4980 blob.exe 4980 blob.exe 4980 blob.exe 4980 blob.exe 4980 blob.exe 4980 blob.exe 4980 blob.exe 4980 blob.exe 3992 vxfagazdltye.exe 3992 vxfagazdltye.exe 3992 vxfagazdltye.exe 3992 vxfagazdltye.exe 3992 vxfagazdltye.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeShutdownPrivilege 2664 powercfg.exe Token: SeCreatePagefilePrivilege 2664 powercfg.exe Token: SeShutdownPrivilege 2412 powercfg.exe Token: SeCreatePagefilePrivilege 2412 powercfg.exe Token: SeShutdownPrivilege 5092 powercfg.exe Token: SeCreatePagefilePrivilege 5092 powercfg.exe Token: SeShutdownPrivilege 1232 powercfg.exe Token: SeCreatePagefilePrivilege 1232 powercfg.exe Token: SeLockMemoryPrivilege 1764 conhost.exe Token: SeShutdownPrivilege 1412 powercfg.exe Token: SeCreatePagefilePrivilege 1412 powercfg.exe Token: SeShutdownPrivilege 1780 powercfg.exe Token: SeCreatePagefilePrivilege 1780 powercfg.exe Token: SeShutdownPrivilege 4340 powercfg.exe Token: SeCreatePagefilePrivilege 4340 powercfg.exe Token: SeShutdownPrivilege 4068 powercfg.exe Token: SeCreatePagefilePrivilege 4068 powercfg.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exevxfagazdltye.exedescription pid process target process PID 4864 wrote to memory of 4840 4864 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 4864 wrote to memory of 4840 4864 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 4864 wrote to memory of 4840 4864 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 4840 wrote to memory of 4980 4840 Hkbsse.exe blob.exe PID 4840 wrote to memory of 4980 4840 Hkbsse.exe blob.exe PID 3992 wrote to memory of 1764 3992 vxfagazdltye.exe conhost.exe PID 3992 wrote to memory of 1764 3992 vxfagazdltye.exe conhost.exe PID 3992 wrote to memory of 1764 3992 vxfagazdltye.exe conhost.exe PID 3992 wrote to memory of 1764 3992 vxfagazdltye.exe conhost.exe PID 3992 wrote to memory of 1764 3992 vxfagazdltye.exe conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4980 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "YCSDKNAW"4⤵
- Launches sc.exe
PID:652 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "YCSDKNAW" binpath= "C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe" start= "auto"4⤵
- Launches sc.exe
PID:3292 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:3100 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "YCSDKNAW"4⤵
- Launches sc.exe
PID:428
-
C:\ProgramData\anoomxjjawjf\vxfagazdltye.exeC:\ProgramData\anoomxjjawjf\vxfagazdltye.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4068 -
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:3812
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:5076
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4080
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5fbfbe4ee13baecac3e7d16bec24cf079
SHA1360caf2bb458bee7e65c316099a868b929839d25
SHA2563d65e5f78fa228a79d279fd903b45e584effe6b680d3a3adcb582985de62d01e
SHA5128f5d849e739430cdc560f9dbda5f2f72a07ed0493054298b0d195cf50c972e9a24effdb71cadeea6ced14663fc1268f4a0f45234f37aac334638ffcd8057b28a
-
Filesize
80KB
MD5a8fdfdf26dcad60f886aec9595dcfd46
SHA12dbe7159488d60ae981dd7fec3aa28927bcca8ae
SHA256f6d893ead163813295d7ad9f7dfedf20e2fcf9d6a6e9b63d598df857a8d13fcf
SHA512887bd9c3b64bbec30b1fa1b13e117ca7d28da9e8673ef42c80fa8560fb7d0964975edc05229b9af85f23db22e3881b85a5e7cfe1009fd1b698faf48c4023f49d
-
Filesize
424KB
MD513e5872e9b7c47090e035dc228c5589f
SHA1c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e