9c86c7609013696f3fe3b17ec8b4486fa157b87ffd66758968df06c9604acd59

Analysis

max time kernel
32s
max time network
16s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mine-imator 1.2.9 installer.exe
Size

12.6MB
MD5

ca8003efbbd269d07523134ceb54ce50
SHA1

5754ba70f80110e217bbedb5e2c576bd333d2cb1
SHA256

9c86c7609013696f3fe3b17ec8b4486fa157b87ffd66758968df06c9604acd59
SHA512

902b3524ec526efb4f515315b2c36bba69227a91364b9d5c6d87e51a68d4e704dd661f311fb1e553b1fb45cad4c53e6de334fd80fd1b2ab40d455337620595b2
SSDEEP

393216:gOIWjzAoZ1wYkGxFy0RpVrRUicynNScON5/l+z4C:gTWjvkGHySpVrqQNSce5d+zD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1640	Mine-imator 1.2.9 installer.tmp
984	Mine-imator.exe

Loads dropped DLL 7 IoCs

pid	Process
2424	Mine-imator 1.2.9 installer.exe
1640	Mine-imator 1.2.9 installer.tmp
1640	Mine-imator 1.2.9 installer.tmp
984	Mine-imator.exe
984	Mine-imator.exe
984	Mine-imator.exe
984	Mine-imator.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	Mine-imator 1.2.9 installer.tmp
1640	Mine-imator 1.2.9 installer.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	Mine-imator 1.2.9 installer.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
984	Mine-imator.exe
984	Mine-imator.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 2424 wrote to memory of 1640	2424	Mine-imator 1.2.9 installer.exe	28
PID 1640 wrote to memory of 984	1640	Mine-imator 1.2.9 installer.tmp	29
PID 1640 wrote to memory of 984	1640	Mine-imator 1.2.9 installer.tmp	29
PID 1640 wrote to memory of 984	1640	Mine-imator 1.2.9 installer.tmp	29
PID 1640 wrote to memory of 984	1640	Mine-imator 1.2.9 installer.tmp	29

C:\Users\Admin\AppData\Local\Temp\Mine-imator 1.2.9 installer.exe
"C:\Users\Admin\AppData\Local\Temp\Mine-imator 1.2.9 installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\is-85R0F.tmp\Mine-imator 1.2.9 installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-85R0F.tmp\Mine-imator 1.2.9 installer.tmp" /SL5="$30144,12238071,935424,C:\Users\Admin\AppData\Local\Temp\Mine-imator 1.2.9 installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\Mine-imator\Mine-imator.exe
    "C:\Users\Admin\Mine-imator\Mine-imator.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-85R0F.tmp\Mine-imator 1.2.9 installer.tmp

Filesize
3.1MB

MD5
45625e0087bc105fd0879645ec4ecc92

SHA1
d85731f51596e010381c052cb33d26f05a1c1f81

SHA256
3aaf30077f4e8568251371a8db6919f92d9748bd586440e3ca51566079e54eef

SHA512
2ff5abbe169aa9a0c39fcd8f4e30079cb7068b28764b925ec494f4f89da41754b9600657472d88b85a472a7da6fe4a2cc0d055632c97d73cf084a51a34e76c42

Download Submit
C:\Users\Admin\AppData\Roaming\Mine_imator\log.txt

Filesize
493B

MD5
893e636d83c2017fe45a600c31c2f1f1

SHA1
e846a82cc7891ea7a3b551b1d3b3188cd3364584

SHA256
6900cc442fd3e21267aa8121d24f060e5a76ada23bee9e09cc1ca6b594201412

SHA512
ad5d76266b3caa1566b6aa59d6b2c9a7a8c0ba544fbad2089026f48299af64fac18da44708abb98ececd5ab8d9d9cb849392d4961a2708e4eda47c1fdbbc4948

Download Submit
C:\Users\Admin\AppData\Roaming\Mine_imator\log.txt

Filesize
1KB

MD5
781eec35aac50a146e7847fd78774cd2

SHA1
f1cc9e2dc7c49908927a6954718bb95567313b7f

SHA256
45cd99cbd291d5ecb859b99cfaaa4c94156b5fdc6bc4a78e0f851ed1095a0a14

SHA512
4af20999fc0b1ab94dd0879148778694a9061033cb0dd8717f781b76593bf98d46c3084c2649ff1c3ad055e60ed65970c07eedbdbb84f60dec433ce036bb1b9d

Download Submit
C:\Users\Admin\Mine-imator\Data\math.dll

Filesize
86KB

MD5
2c59998a6bed0ce39811cd62d01ddc80

SHA1
2d95db4321b71966adf290eb85b4bf5407c6e556

SHA256
cb2407814efbe07ae8ea17da5eb52af4a3279f1ef34cb951916e415027dddc76

SHA512
a26e7bfcdd9a25002f28a234172b604c0a874e0a8321941269a2075bc766fb61a641afe66dfcb568d62cd947701a201345876df7d55924aa42b9945be1c4d16f

Download Submit
C:\Users\Admin\Mine-imator\Data\movie.dll

Filesize
10.2MB

MD5
f78215725250e2d262ecfbbf07b52828

SHA1
68d2ef6f4e3d1bc4c8dd73e86586cc59ed3f9b0b

SHA256
2d91246d9ec0489c5170711230d13ba6dba29ae6ce0ab058bbd775475e52a0d3

SHA512
b75cfb23f2f48ef03a42cbdc94f2251c01b4fbbf3a7c66ec327becfe6b24b61c84d16cf93c8c690f0aa7b3d71b34789fee759152738fd7df2589c46e22dbb109

Download Submit
C:\Users\Admin\Mine-imator\Data\tmp.png

Filesize
83B

MD5
77f6d36c138430158326474af3ab7b95

SHA1
43038a47db939f06b26ffafe374d623c36ca65ea

SHA256
9423dbf97e033d531f681d5a6856eab97f7a0745438d00bf6c3cda8b4d9a35ac

SHA512
8f3c9fdefecd31ea809b3e7510b5006b43d01d8e9d738eb7c4761523ad0daa2d3afad0606ecaf045dfbdc76d7b11f74b618c9347277e8c05068640e16cce5f78

Download Submit
C:\Users\Admin\Mine-imator\Data\window.dll

Filesize
90KB

MD5
51923d162337616619bc65ff17e5c8c4

SHA1
d34f51ced952b78644af18dc0487cf474b13d727

SHA256
37722849a51724060438439ac2c72f59343e4c11dfd73f1f3026a70bf6829653

SHA512
9983fc0c29bf86d1259dff24b8ad5c22bfa879841a97c1d2d4f0df639afd3185cdd27ac2e2f0328ed539ac60336656d0570a7d7db1ea1943329117e59839a145

Download Submit
C:\Users\Admin\Mine-imator\data.win

Filesize
1.9MB

MD5
838e82841a20f88c03cd3e6a3804b394

SHA1
a4915c3d7d18483aeca082019356511506fc0763

SHA256
f57b1bae2f2db1a943ad83e483879ba7f8d0c654b791a803e67b41cb86251087

SHA512
3ffda798251655f342d614a32e5364499162a513d88c400b25879eca19631422785e389b7f0bb1da152f99d53dfe850292d91d2fcd9fd97e582e3407b06d23cf

Download Submit
C:\Users\Admin\Mine-imator\options.ini

Filesize
157B

MD5
385224c58d4d90166b302d2d8862b6d6

SHA1
10736cf0950c65325e6cfa6a93dbf89f55180130

SHA256
b688fd9a1fd249f4af192c6a510e8a577543886ccbd942acbcedd3fb721a5809

SHA512
c36ffb8835b933fc43eaaf39579a48d4b8aef57b1b8423b771cf47aa75c71c207eb9e0d2995c54a4f8116486b96f2b6b2d5235e3134dad136033153e21e22fcb

Download Submit
\Users\Admin\Mine-imator\Data\file.dll

Filesize
496KB

MD5
991083d790ab27a1301dbe2cf2ced4bc

SHA1
777d52f4ff8b2a0306e4d83c2d2d93761c539896

SHA256
e2b0c77bc5b82ff3192be9394bef3ee97a73b3f778cda5fcc991657ea1d5bb04

SHA512
d460716f4ada591cf975680f8a06ed9d97e0abbe63468798932e3ec94ecc7c416a7fd99d4e85a586d9eed529a5cd6b0df6c95390b4320f6b4b4a56ccc5c3131c

Download Submit
\Users\Admin\Mine-imator\Mine-imator.exe

Filesize
14.1MB

MD5
74cdc717dc3af59ab438b210a4e5456b

SHA1
310cd8a2c3143a59f300999bee33f0b938254b94

SHA256
6212ebea6357774724744b0c6edaa1450641fa53aaa658b5ad7133bae7d99d83

SHA512
d9679b85b090e196c36ff41b55afe84b49356dddff683217b25b66415bd8be8f1dcdd8975af3a52791a13a040aaec13e3be5f2de9f0e2c16f35a2c8bc5fb611a

Download Submit
memory/1640-13-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/1640-11-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/1640-8-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/1640-406-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/2424-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2424-10-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2424-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2424-407-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download