Analysis
-
max time kernel
298s -
max time network
300s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
17-06-2024 05:10
Behavioral task
behavioral1
Sample
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Resource
win7-20240508-en
General
-
Target
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
-
Size
424KB
-
MD5
13e5872e9b7c47090e035dc228c5589f
-
SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760
-
SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
-
SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
-
SSDEEP
6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
Malware Config
Signatures
-
XMRig Miner payload 11 IoCs
Processes:
resource yara_rule behavioral2/memory/4496-38-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-45-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-44-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-43-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-42-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-41-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-39-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-48-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-50-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-52-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral2/memory/4496-51-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
Processes:
Hkbsse.exeblob.exevxfagazdltye.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exepid process 1180 Hkbsse.exe 4620 blob.exe 4604 vxfagazdltye.exe 3668 Hkbsse.exe 932 Hkbsse.exe 1208 Hkbsse.exe 4396 Hkbsse.exe 4368 Hkbsse.exe -
Processes:
resource yara_rule behavioral2/memory/4496-33-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-36-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-34-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-38-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-45-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-44-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-43-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-42-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-41-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-39-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-37-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-35-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-48-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-50-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-52-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral2/memory/4496-51-0x0000000140000000-0x0000000140848000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Hkbsse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\blob.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\blob.exe" Hkbsse.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vxfagazdltye.exedescription pid process target process PID 4604 set thread context of 4496 4604 vxfagazdltye.exe conhost.exe -
Drops file in Windows directory 1 IoCs
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exedescription ioc process File created C:\Windows\Tasks\Hkbsse.job d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 512 sc.exe 4420 sc.exe 4544 sc.exe 4124 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
blob.exevxfagazdltye.exepid process 4620 blob.exe 4620 blob.exe 4620 blob.exe 4620 blob.exe 4620 blob.exe 4620 blob.exe 4620 blob.exe 4620 blob.exe 4604 vxfagazdltye.exe 4604 vxfagazdltye.exe 4604 vxfagazdltye.exe 4604 vxfagazdltye.exe 4604 vxfagazdltye.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeShutdownPrivilege 4588 powercfg.exe Token: SeCreatePagefilePrivilege 4588 powercfg.exe Token: SeShutdownPrivilege 4752 powercfg.exe Token: SeCreatePagefilePrivilege 4752 powercfg.exe Token: SeShutdownPrivilege 864 powercfg.exe Token: SeCreatePagefilePrivilege 864 powercfg.exe Token: SeShutdownPrivilege 4220 powercfg.exe Token: SeCreatePagefilePrivilege 4220 powercfg.exe Token: SeShutdownPrivilege 1440 powercfg.exe Token: SeCreatePagefilePrivilege 1440 powercfg.exe Token: SeLockMemoryPrivilege 4496 conhost.exe Token: SeShutdownPrivilege 2896 powercfg.exe Token: SeCreatePagefilePrivilege 2896 powercfg.exe Token: SeShutdownPrivilege 2848 powercfg.exe Token: SeCreatePagefilePrivilege 2848 powercfg.exe Token: SeShutdownPrivilege 4308 powercfg.exe Token: SeCreatePagefilePrivilege 4308 powercfg.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exevxfagazdltye.exedescription pid process target process PID 2752 wrote to memory of 1180 2752 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 2752 wrote to memory of 1180 2752 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 2752 wrote to memory of 1180 2752 d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe Hkbsse.exe PID 1180 wrote to memory of 4620 1180 Hkbsse.exe blob.exe PID 1180 wrote to memory of 4620 1180 Hkbsse.exe blob.exe PID 4604 wrote to memory of 4496 4604 vxfagazdltye.exe conhost.exe PID 4604 wrote to memory of 4496 4604 vxfagazdltye.exe conhost.exe PID 4604 wrote to memory of 4496 4604 vxfagazdltye.exe conhost.exe PID 4604 wrote to memory of 4496 4604 vxfagazdltye.exe conhost.exe PID 4604 wrote to memory of 4496 4604 vxfagazdltye.exe conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4620 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "YCSDKNAW"4⤵
- Launches sc.exe
PID:512
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "YCSDKNAW" binpath= "C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe" start= "auto"4⤵
- Launches sc.exe
PID:4420
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:4544
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "YCSDKNAW"4⤵
- Launches sc.exe
PID:4124
-
-
-
-
C:\ProgramData\anoomxjjawjf\vxfagazdltye.exeC:\ProgramData\anoomxjjawjf\vxfagazdltye.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:3668
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:932
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:1208
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4396
-
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4368
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5fbfbe4ee13baecac3e7d16bec24cf079
SHA1360caf2bb458bee7e65c316099a868b929839d25
SHA2563d65e5f78fa228a79d279fd903b45e584effe6b680d3a3adcb582985de62d01e
SHA5128f5d849e739430cdc560f9dbda5f2f72a07ed0493054298b0d195cf50c972e9a24effdb71cadeea6ced14663fc1268f4a0f45234f37aac334638ffcd8057b28a
-
Filesize
424KB
MD513e5872e9b7c47090e035dc228c5589f
SHA1c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
-
Filesize
66KB
MD506c6553ad85d6a071483b0ec74f86e65
SHA1c59416e40c7e98cf7b4478514cf01b4b7774cfbd
SHA2567b0d36f377d53a4275f36f0019ac92517e8f57cf2cf61cfb4c2bcc4fccd95a76
SHA5124eb21dae26829d70a7a9f02a9bfd23575cc75c524d40db58e4866fc0e8464ab8a61ea2de286dd115882c474b015e311bd9263d6ecfd3c7ff6b89ad3770e49edf