Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 05:30
Static task: static1
Behavioral task: behavioral1
  Sample: f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe
  Resource: win7-20240903-en
General
Target: f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe
Size: 2.9MB
MD5: 5f10f34b3ef012f1db5f21755cad4ab1
SHA1: 439ab3bd92cd515b092607291ac054f3fad1359f
SHA256: f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660
SHA512: 7f6473adb10d878b8c9cb9360c04ed843401d6eb69ca1df546e956e18032598cbdd1fffbdc45c0fe7d3927a6fa54ef77b9d2e10175e3ca15c6421cfa678d59ce
SSDEEP: 49152:ZtH86NYYGclfMk3iDPS6wcXLuankPBUJCBuB+zVma85E4xTz:ZtH8SHGc5MWiDdj7uakPBUJ1oV0EkTz
Malware Config
Signatures
Xmrig family

XMRig Miner payload 8 IoCs
resource (yara_rule: xmrig)
- behavioral1/memory/676-42-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-43-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-47-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-48-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-49-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-46-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-45-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-50-0x0000000140000000-0x0000000140848000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
1828  powershell.exe
1868  powershell.exe
Creates new service(s) 2 TTPs
Executes dropped EXE 3 IoCs
pid   Process
2120  prog.exe
476   Process not Found
1800  svhost.exe
Loads dropped DLL 3 IoCs
pid   Process
2124  f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe
2124  f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe
476   Process not Found
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid   Process
2276  powercfg.exe
2888  powercfg.exe
2580  powercfg.exe
2584  powercfg.exe
2848  powercfg.exe
2700  powercfg.exe
2452  powercfg.exe
2680  powercfg.exe
Drops file in System32 directory 4 IoCs
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\system32\MRT.exe (svhost.exe)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\system32\MRT.exe (prog.exe)
Suspicious use of SetThreadContext 2 IoCs
pid   Process      target pid   procid_target
1800  svhost.exe   2240         85
1800  svhost.exe   676          88

YARA rule match: upx 13 IoCs
resource (yara_rule: upx)
- behavioral1/memory/676-37-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-42-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-41-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-40-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-38-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-39-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-43-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-47-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-48-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-49-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-46-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-45-0x0000000140000000-0x0000000140848000-memory.dmp
- behavioral1/memory/676-50-0x0000000140000000-0x0000000140848000-memory.dmp
Drops file in Windows directory 2 IoCs
- File created: C:\Windows\wusa.lock (wusa.exe)
- File created: C:\Windows\wusa.lock (wusa.exe)
Launches sc.exe 14 IoCs
sc.exe is a Windows utility to control services on the system.
pid   Process
2816  sc.exe
1528  sc.exe
1796  sc.exe
2016  sc.exe
1624  sc.exe
2904  sc.exe
2932  sc.exe
2896  sc.exe
2736  sc.exe
2776  sc.exe
2608  sc.exe
2600  sc.exe
1180  sc.exe
1716  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe)
Modifies data under HKEY_USERS 2 IoCs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70ecad643128db01 (powershell.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process (64 entries in total, in order of first appearance; repeated entries collapsed)
2120  prog.exe
1828  powershell.exe
1800  svhost.exe
1868  powershell.exe
676   svchost.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
Token                  pid   Process
SeDebugPrivilege       1828  powershell.exe
SeDebugPrivilege       2120  prog.exe
SeShutdownPrivilege    2848  powercfg.exe
SeShutdownPrivilege    2700  powercfg.exe
SeShutdownPrivilege    2584  powercfg.exe
SeShutdownPrivilege    2580  powercfg.exe
SeDebugPrivilege       1868  powershell.exe
SeDebugPrivilege       1800  svhost.exe
SeShutdownPrivilege    2888  powercfg.exe
SeShutdownPrivilege    2276  powercfg.exe
SeShutdownPrivilege    2452  powercfg.exe
SeShutdownPrivilege    2680  powercfg.exe
SeLockMemoryPrivilege  676   svchost.exe
Suspicious use of WriteProcessMemory 24 IoCs
pid   Process                                                                 wrote to memory of   procid_target   entries
2124  f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe   2120                 31              4
2796  cmd.exe                                                                 2236                 40              3
2032  cmd.exe                                                                 840                  70              3
1800  svhost.exe                                                              2240                 85              9
1800  svhost.exe                                                              676                  88              5
(repeated entries collapsed; 24 in total)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe"
    PID:2124
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\prog.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\prog.exe"
        PID:2120
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            PID:1828
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            PID:2796
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wusa.exe
                command line: wusa /uninstall /kb:890830 /quiet /norestart
                PID:2236
                - Drops file in Windows directory

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe stop UsoSvc
            PID:2816
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
            PID:2736
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe stop wuauserv
            PID:2932
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe stop bits
            PID:2776
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe stop dosvc
            PID:2608
            - Launches sc.exe

        [3] C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            PID:2700
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            PID:2848
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            PID:2584
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\powercfg.exe
            command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            PID:2580
            - Power Settings
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe delete "appdata"
            PID:2600
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto"
            PID:1180
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe stop eventlog
            PID:1528
            - Launches sc.exe

        [3] C:\Windows\system32\sc.exe
            command line: C:\Windows\system32\sc.exe start "appdata"
            PID:1716
            - Launches sc.exe

[1] C:\ProgramData\win32\svhost.exe
    command line: C:\ProgramData\win32\svhost.exe
    PID:1800
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        PID:1868
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        PID:2032
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\wusa.exe
            command line: wusa /uninstall /kb:890830 /quiet /norestart
            PID:840
            - Drops file in Windows directory

    [2] C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop UsoSvc
        PID:1796
        - Launches sc.exe

    [2] C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        PID:1624
        - Launches sc.exe

    [2] C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop wuauserv
        PID:2016
        - Launches sc.exe

    [2] C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop bits
        PID:2896
        - Launches sc.exe

    [2] C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop dosvc
        PID:2904
        - Launches sc.exe

    [2] C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        PID:2888
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        PID:2276
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        PID:2680
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        PID:2452
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\conhost.exe
        command line: C:\Windows\system32\conhost.exe
        PID:2240

    [2] C:\Windows\system32\svchost.exe
        command line: svchost.exe
        PID:676
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
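The process tree above is a complete defense-evasion and persistence recipe: Defender exclusions for the user profile and ProgramData, removal of the Malicious Software Removal Tool (KB890830), stopping the update, BITS and event-log services, zeroing the sleep and hibernate timeouts, registering the dropped svhost.exe as an auto-start service named "appdata", and finally hollowing a real svchost.exe (SetThreadContext from PID 1800 into PID 676, which then holds SeLockMemoryPrivilege and the xmrig-tagged image). Below is an added detection example, written for this report rather than taken from it or from any sandbox's own code. It runs over process-creation records constructed to mirror the tree (field names, the PPID values for the tree roots, the benign control rows and the "svchost.exe must be a child of services.exe" heuristic are assumptions). It flags each command-line indicator, flags the lookalike name and the anomalous parent of the hollowed svchost, and then collapses the findings onto each tree root so that the chain is scored as a whole.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are an assumption, not a real log schema)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Command-line indicators, each lifted from a command in the process tree above.
# Patterns run over the lowercased command line.
RULES = [
    ("defender_exclusion", r"add-mppreference\b.*-exclusion(path|extension|process)\b"),
    ("msrt_uninstall", r"\bwusa\b.*/uninstall\b.*/kb:890830\b"),  # KB890830 is the Malicious Software Removal Tool
    ("update_service_stop", r"\bsc(\.exe)?\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"),
    ("eventlog_stop", r"\bsc(\.exe)?\s+stop\s+eventlog\b"),
    ("power_timeouts_zeroed", r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b"),
    ("service_from_programdata", r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?c:\\programdata\\'),
]


def levenshtein(a, b):
    """Edit distance; catches lookalike names such as svhost.exe against svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_hits(ev):
    low = ev.cmdline.lower()
    return [name for name, pat in RULES if re.search(pat, low)]


def analyze(events):
    """Per-PID findings: command-line rule hits plus two tree checks aimed at the
    injection stage (svhost.exe -> SetThreadContext -> svchost.exe)."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        hits = cmdline_hits(ev)
        base = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        if base == "svchost.exe":
            # heuristic: a genuine service host is started by services.exe
            if parent is not None and image_name(parent.image) != "services.exe":
                hits.append("svchost_unexpected_parent")
        elif levenshtein(base, "svchost.exe") <= 2:
            hits.append("svchost_lookalike_name")
        if hits:
            findings[ev.pid] = hits
    return findings


def root_of(pid, by_pid):
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def chains(events):
    """Collapse per-PID findings onto the root of each process tree."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for pid, hits in analyze(events).items():
        out.setdefault(root_of(pid, by_pid), set()).update(hits)
    return out


def is_miner_setup(hits, min_rules=3):
    """Each command alone has admin uses; three or more distinct ones under one root do not."""
    return len(hits) >= min_rules


# Constructed records modelled on the report's process tree (PPIDs of the roots are assumed;
# the second stage repeats the same commands, only two of them are reproduced here).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f161b56490087b75b15207598c6e0526afd184e3f8e76ab6eff8eaa6f573b660.exe"
S32 = r"C:\Windows\system32"
PS = S32 + r"\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(2124, 1300, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2120, 2124, r"C:\Users\Admin\AppData\Local\Temp\prog.exe", r'"C:\Users\Admin\AppData\Local\Temp\prog.exe"'),
    ProcEvent(1828, 2120, PS, PS + r" Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(2796, 2120, S32 + r"\cmd.exe", S32 + r"\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(2236, 2796, S32 + r"\wusa.exe", "wusa /uninstall /kb:890830 /quiet /norestart"),
    ProcEvent(2816, 2120, S32 + r"\sc.exe", S32 + r"\sc.exe stop UsoSvc"),
    ProcEvent(2700, 2120, S32 + r"\powercfg.exe", S32 + r"\powercfg.exe /x -hibernate-timeout-ac 0"),
    ProcEvent(1180, 2120, S32 + r"\sc.exe", S32 + r'\sc.exe create "appdata" binpath= "C:\ProgramData\win32\svhost.exe" start= "auto"'),
    ProcEvent(1528, 2120, S32 + r"\sc.exe", S32 + r"\sc.exe stop eventlog"),
    ProcEvent(1716, 2120, S32 + r"\sc.exe", S32 + r'\sc.exe start "appdata"'),
    ProcEvent(1800, 476, r"C:\ProgramData\win32\svhost.exe", r"C:\ProgramData\win32\svhost.exe"),  # parent 476 not logged
    ProcEvent(1868, 1800, PS, PS + r" Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    ProcEvent(1796, 1800, S32 + r"\sc.exe", S32 + r"\sc.exe stop UsoSvc"),
    ProcEvent(2240, 1800, S32 + r"\conhost.exe", S32 + r"\conhost.exe"),
    ProcEvent(676, 1800, S32 + r"\svchost.exe", "svchost.exe"),
    # benign controls (constructed): a real service host under services.exe, and a read-only sc query
    ProcEvent(500, 400, S32 + r"\services.exe", S32 + r"\services.exe"),
    ProcEvent(900, 500, S32 + r"\svchost.exe", S32 + r"\svchost.exe -k netsvcs"),
    ProcEvent(3001, 1300, S32 + r"\sc.exe", S32 + r"\sc.exe query wuauserv"),
]

if __name__ == "__main__":
    for root, hits in sorted(chains(EVENTS).items()):
        print(root, "MINER-SETUP" if is_miner_setup(hits) else "-", sorted(hits))
```

Both roots (2124 and the service-started 1800) come out as MINER-SETUP, while the services.exe-parented svchost and the `sc query` control produce no findings. The parent check is the only heuristic that needs care in production: legitimate svchost instances are started by services.exe, but any tooling that launches its own host process must be allow-listed before the rule is used for alerting.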
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.5MB
MD5: d3adc3ec7b76556b7fac591c33f31ea9
SHA1: b7295fae70f550aa2963da196b08636094e26e93
SHA256: 25231ba6616c0c1bbc4dda82bdd46ad067577e16971bae412b1192b250b456dc
SHA512: 0edd9263191b82e525da655f76597bbd755174e8436e1e3a783a6a7f7064077e651a7d4dd36b3fd1b353bc435ff9d3ade466d43327ba086dee89b712cab73985