c665de3ac5a746c75886ab30c02efffb131c00a6e6a1d01fb2157f6cb36ba582

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup #2.exe
Size

2.5MB
MD5

bf9ff8f3e10de7300f779480f66a2310
SHA1

dba1090de51520da92033cf09cfa6ec2a1c24771
SHA256

fb89ed12ad13f130c2c2d7621eef0977d2310b89406de76ca0d493d1fda80433
SHA512

481ed4ab6af8b62b203355c84568a0c1852c9f03e6e29971b82c90284be5e7abd72e9400955ffcf9434d854f82c51c832a063872590173b6396ebbedcb4f283c
SSDEEP

49152:et/rfiUXmW2EDjYxt7ajwJopN4V9IuIIO4VKTKsFvc55UNQrZR:qZXj8t73JopybfIeWKssdZR

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
1844	Client.exe

Loads dropped DLL 7 IoCs

pid	Process
2732	setup #2.exe
2732	setup #2.exe
2732	setup #2.exe
2732	setup #2.exe
2732	setup #2.exe
2732	setup #2.exe
2732	setup #2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\parameters.ini	setup #2.exe
File created	C:\Windows\Client.exe	setup #2.exe
File created	C:\Windows\7zip.exe	Client.exe
File opened for modification	C:\Windows\parameters.ini	Client.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2728	sc.exe
2608	sc.exe
1500	sc.exe
536	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup #2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2732	setup #2.exe
2732	setup #2.exe
2732	setup #2.exe
1844	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1844	Client.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3028	2732	setup #2.exe	30
PID 2732 wrote to memory of 3028	2732	setup #2.exe	30
PID 2732 wrote to memory of 3028	2732	setup #2.exe	30
PID 2732 wrote to memory of 3028	2732	setup #2.exe	30
PID 3028 wrote to memory of 2096	3028	cmd.exe	32
PID 3028 wrote to memory of 2096	3028	cmd.exe	32
PID 3028 wrote to memory of 2096	3028	cmd.exe	32
PID 3028 wrote to memory of 2096	3028	cmd.exe	32
PID 2096 wrote to memory of 2880	2096	net.exe	33
PID 2096 wrote to memory of 2880	2096	net.exe	33
PID 2096 wrote to memory of 2880	2096	net.exe	33
PID 2096 wrote to memory of 2880	2096	net.exe	33
PID 2732 wrote to memory of 2908	2732	setup #2.exe	34
PID 2732 wrote to memory of 2908	2732	setup #2.exe	34
PID 2732 wrote to memory of 2908	2732	setup #2.exe	34
PID 2732 wrote to memory of 2908	2732	setup #2.exe	34
PID 2908 wrote to memory of 2728	2908	cmd.exe	36
PID 2908 wrote to memory of 2728	2908	cmd.exe	36
PID 2908 wrote to memory of 2728	2908	cmd.exe	36
PID 2908 wrote to memory of 2728	2908	cmd.exe	36
PID 2732 wrote to memory of 2764	2732	setup #2.exe	37
PID 2732 wrote to memory of 2764	2732	setup #2.exe	37
PID 2732 wrote to memory of 2764	2732	setup #2.exe	37
PID 2732 wrote to memory of 2764	2732	setup #2.exe	37
PID 2764 wrote to memory of 2608	2764	cmd.exe	39
PID 2764 wrote to memory of 2608	2764	cmd.exe	39
PID 2764 wrote to memory of 2608	2764	cmd.exe	39
PID 2764 wrote to memory of 2608	2764	cmd.exe	39
PID 2732 wrote to memory of 2712	2732	setup #2.exe	40
PID 2732 wrote to memory of 2712	2732	setup #2.exe	40
PID 2732 wrote to memory of 2712	2732	setup #2.exe	40
PID 2732 wrote to memory of 2712	2732	setup #2.exe	40
PID 2712 wrote to memory of 1500	2712	cmd.exe	42
PID 2712 wrote to memory of 1500	2712	cmd.exe	42
PID 2712 wrote to memory of 1500	2712	cmd.exe	42
PID 2712 wrote to memory of 1500	2712	cmd.exe	42
PID 2732 wrote to memory of 2316	2732	setup #2.exe	43
PID 2732 wrote to memory of 2316	2732	setup #2.exe	43
PID 2732 wrote to memory of 2316	2732	setup #2.exe	43
PID 2732 wrote to memory of 2316	2732	setup #2.exe	43
PID 2316 wrote to memory of 536	2316	cmd.exe	45
PID 2316 wrote to memory of 536	2316	cmd.exe	45
PID 2316 wrote to memory of 536	2316	cmd.exe	45
PID 2316 wrote to memory of 536	2316	cmd.exe	45
PID 2732 wrote to memory of 1608	2732	setup #2.exe	46
PID 2732 wrote to memory of 1608	2732	setup #2.exe	46
PID 2732 wrote to memory of 1608	2732	setup #2.exe	46
PID 2732 wrote to memory of 1608	2732	setup #2.exe	46
PID 1608 wrote to memory of 2916	1608	cmd.exe	48
PID 1608 wrote to memory of 2916	1608	cmd.exe	48
PID 1608 wrote to memory of 2916	1608	cmd.exe	48
PID 1608 wrote to memory of 2916	1608	cmd.exe	48
PID 2916 wrote to memory of 2944	2916	net.exe	49
PID 2916 wrote to memory of 2944	2916	net.exe	49
PID 2916 wrote to memory of 2944	2916	net.exe	49
PID 2916 wrote to memory of 2944	2916	net.exe	49

C:\Users\Admin\AppData\Local\Temp\setup #2.exe
"C:\Users\Admin\AppData\Local\Temp\setup #2.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C net stop MiningeService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\net.exe
    net stop MiningeService
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MiningeService
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Sc delete MiningeService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\sc.exe
    Sc delete MiningeService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\sc.exe
    Sc create MiningeService binpath= C:\Windows\Client.exe start= auto DisplayName= MiningeService
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc description MiningeService ServiceManagerForMiner
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\sc.exe
    sc description MiningeService ServiceManagerForMiner
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C sc failure MiningeService reset= 3600 actions= restart/60000/restart/60000/restart/60000
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\sc.exe
    sc failure MiningeService reset= 3600 actions= restart/60000/restart/60000/restart/60000
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C net start MiningeService
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\net.exe
    net start MiningeService
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start MiningeService
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944

C:\Windows\Client.exe
C:\Windows\Client.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Client.exe

Filesize
5.9MB

MD5
f8438bd3fca219217028fea807ed48bc

SHA1
0493a4709267bf676bbbfdf07b99b5c743b5211f

SHA256
140a81444519172a3abc697b5f6be243bfcb2b99dc63be92b2c32446825f04d8

SHA512
ec7bdc067ea5dbfee23a266fcf6256434873a601eb932d0a338089d476bd851f1e89dcee8aff52efa565d27e78de8506d1a53f4d858388764f4f07582f67414b

Download Submit
C:\Windows\parameters.ini

Filesize
178B

MD5
7e536b53ae4a6bc175c3405e7340430b

SHA1
382165bdb8f86cca31975251b95f055801a6eef2

SHA256
4c9247b6803dcf1c8f1b0af41388e4777896793eee21f7d5f3d0e1921f66ade1

SHA512
fbe0b17a0691f7de618b8b883ab67642330d31f0eaedbf1e8a47010a110dbcc3909ea8b9e808c6f2e96ec957081f5183ed9fc9f5c18fee7c1df3f66579275b1c

Download Submit
C:\Windows\parameters.ini

Filesize
224B

MD5
0d02811e84824496cd06b5731426938c

SHA1
4635c077d8ad899dcf8e4d8ce4bbfb8355e10954

SHA256
93f9928778f50575a097eb0c374df689f38863294c3a32e3218ca1167275e604

SHA512
8211bd350d615eca829e738e50f07b419697009bfa35ff44288a163709da6f4f5267e7b3dcc462e8fc6ddb8c9e2cad2777efd8bc96e302d06dfebbd647b0f3cf

Download Submit
\Users\Admin\AppData\Local\Temp\nst732E.tmp\nsExec.dll

Filesize
6KB

MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nst732E.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/1844-48-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-52-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-47-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-45-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-49-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-50-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-51-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-46-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-53-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-54-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-55-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-56-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-57-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download
memory/1844-58-0x0000000000D70000-0x0000000001376000-memory.dmp

Filesize
6.0MB

Download