Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 05:03

Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240903-en

General
Target: file.exe
Size: 8.3MB
MD5: 66039c9e643542b612ee5b216900c910
SHA1: 3af08524281635f64e17f89838c6e528da7d723c
SHA256: 35c6740a3fb5e35fc261d619abd34c2aaaa761096e36bb03515b536998bc1144
SHA512: 220901ea547e2200700059944209958b929f237d58f6275fcca3ec27352766e002674202611f1f850074eb4b8bbe0b97797fd170265d9446f54a50bfbe0f79a0
SSDEEP: 196608:ZBH5dgA2rBsUPeOOsmgGZ6SO7gTTYFaklmZChu+5pz:zEAIeOOsmguLtTd8hb5pz
Malware Config
Signatures
Xmrig family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (file.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (updater.exe)
XMRig Miner payload 15 IoCs
  yara rule xmrig matched the following memory dumps (all from PID 2544, region 0x0000000140000000-0x000000014082C000):
  - behavioral1/memory/2544-43-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-44-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-45-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-46-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-47-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-48-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-49-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-50-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-53-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-56-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-57-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-58-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-59-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-60-0x0000000140000000-0x000000014082C000-memory.dmp
  - behavioral1/memory/2544-61-0x0000000140000000-0x000000014082C000-memory.dmp
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - 2956 powershell.exe
  - 2548 powershell.exe
Creates new service(s) 2 TTPs

Drops file in Drivers directory 2 IoCs
  - File created C:\Windows\system32\drivers\etc\hosts (file.exe)
  - File created C:\Windows\system32\drivers\etc\hosts (updater.exe)
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (file.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (file.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (updater.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (updater.exe)
Executes dropped EXE 2 IoCs
  - 476 Process not Found
  - 788 updater.exe

Loads dropped DLL 1 IoCs
  - 476 Process not Found
Themida-packed code (yara rule: themida) 12 IoCs
  yara rule themida matched the following resources:
  - behavioral1/memory/2248-0-0x000000013F9B0000-0x0000000140931000-memory.dmp
  - behavioral1/memory/2248-2-0x000000013F9B0000-0x0000000140931000-memory.dmp
  - behavioral1/memory/2248-3-0x000000013F9B0000-0x0000000140931000-memory.dmp
  - behavioral1/memory/2248-4-0x000000013F9B0000-0x0000000140931000-memory.dmp
  - behavioral1/memory/2248-5-0x000000013F9B0000-0x0000000140931000-memory.dmp
  - behavioral1/memory/2248-21-0x000000013F9B0000-0x0000000140931000-memory.dmp
  - behavioral1/files/0x0008000000018690-22.dat
  - behavioral1/memory/788-25-0x000000013F560000-0x00000001404E1000-memory.dmp
  - behavioral1/memory/788-26-0x000000013F560000-0x00000001404E1000-memory.dmp
  - behavioral1/memory/788-27-0x000000013F560000-0x00000001404E1000-memory.dmp
  - behavioral1/memory/788-28-0x000000013F560000-0x00000001404E1000-memory.dmp
  - behavioral1/memory/788-55-0x000000013F560000-0x00000001404E1000-memory.dmp
Checks whether UAC is enabled 2 IoCs
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (file.exe)
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (updater.exe)
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  - 688 powercfg.exe
  - 1312 powercfg.exe
  - 2000 powercfg.exe
  - 2576 powercfg.exe
  - 2592 powercfg.exe
  - 2636 powercfg.exe
  - 2612 powercfg.exe
  - 2944 powercfg.exe
Drops file in System32 directory 4 IoCs
  - File opened for modification C:\Windows\system32\MRT.exe (file.exe)
  - File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  - File opened for modification C:\Windows\system32\MRT.exe (updater.exe)
  - File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  - 2248 file.exe
  - 788 updater.exe

Suspicious use of SetThreadContext 2 IoCs
  - PID 788 (updater.exe) set thread context of PID 1984 (procid_target 82)
  - PID 788 (updater.exe) set thread context of PID 2544 (procid_target 87)

Drops file in Windows directory 2 IoCs
  - File created C:\Windows\wusa.lock (wusa.exe)
  - File created C:\Windows\wusa.lock (wusa.exe)
Launches sc.exe 14 IoCs
sc.exe is a Windows utility to control services on the system.
  - 2760 sc.exe
  - 2608 sc.exe
  - 2688 sc.exe
  - 3048 sc.exe
  - 1992 sc.exe
  - 2096 sc.exe
  - 2436 sc.exe
  - 2720 sc.exe
  - 2584 sc.exe
  - 2824 sc.exe
  - 1736 sc.exe
  - 2628 sc.exe
  - 1544 sc.exe
  - 2924 sc.exe
Modifies data under HKEY_USERS 2 IoCs
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0c6288e2d28db01 (powershell.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
  The report records one pid/process entry per event; the repeated entries are collapsed here to the distinct processes involved:
  - 2248 file.exe
  - 2956 powershell.exe
  - 788 updater.exe
  - 2548 powershell.exe
  - 2544 explorer.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
  - Token: SeDebugPrivilege, 2956 powershell.exe
  - Token: SeShutdownPrivilege, 2576 powercfg.exe
  - Token: SeShutdownPrivilege, 2592 powercfg.exe
  - Token: SeShutdownPrivilege, 2636 powercfg.exe
  - Token: SeShutdownPrivilege, 2612 powercfg.exe
  - Token: SeDebugPrivilege, 2548 powershell.exe
  - Token: SeShutdownPrivilege, 2000 powercfg.exe
  - Token: SeShutdownPrivilege, 688 powercfg.exe
  - Token: SeShutdownPrivilege, 1312 powercfg.exe
  - Token: SeShutdownPrivilege, 2944 powercfg.exe
  - Token: SeLockMemoryPrivilege, 2544 explorer.exe
Suspicious use of WriteProcessMemory 27 IoCs
  The report lists one entry per write; identical entries are grouped here with their counts:
  - PID 2868 (cmd.exe) wrote to memory of PID 2968 (procid_target 38): 3 writes
  - PID 484 (cmd.exe) wrote to memory of PID 1272 (procid_target 69): 3 writes
  - PID 788 (updater.exe) wrote to memory of PID 1984 (procid_target 82): 9 writes
  - PID 788 (updater.exe) wrote to memory of PID 2544 (procid_target 87): 12 writes
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    +- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2956)
        Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\cmd.exe (PID 2868)
        Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
        +- C:\Windows\system32\wusa.exe (PID 2968)
            Command line: wusa /uninstall /kb:890830 /quiet /norestart
            - Drops file in Windows directory
    +- C:\Windows\system32\sc.exe (PID 2760)
        Command line: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2688)
        Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2720)
        Command line: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2584)
        Command line: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2608)
        Command line: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
    +- C:\Windows\system32\powercfg.exe (PID 2576)
        Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\powercfg.exe (PID 2592)
        Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\powercfg.exe (PID 2612)
        Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\powercfg.exe (PID 2636)
        Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\sc.exe (PID 3048)
        Command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2628)
        Command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 1992)
        Command line: C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2096)
        Command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        - Launches sc.exe

C:\ProgramData\Google\Chrome\updater.exe (PID 788)
    Command line: C:\ProgramData\Google\Chrome\updater.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    +- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2548)
        Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\cmd.exe (PID 484)
        Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
        +- C:\Windows\system32\wusa.exe (PID 1272)
            Command line: wusa /uninstall /kb:890830 /quiet /norestart
            - Drops file in Windows directory
    +- C:\Windows\system32\sc.exe (PID 2824)
        Command line: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 1544)
        Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2924)
        Command line: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 1736)
        Command line: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
    +- C:\Windows\system32\sc.exe (PID 2436)
        Command line: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
    +- C:\Windows\system32\powercfg.exe (PID 2944)
        Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\powercfg.exe (PID 688)
        Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\powercfg.exe (PID 1312)
        Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\powercfg.exe (PID 2000)
        Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    +- C:\Windows\system32\conhost.exe (PID 1984)
        Command line: C:\Windows\system32\conhost.exe
    +- C:\Windows\explorer.exe (PID 2544)
        Command line: explorer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
  MD5: 3e9af076957c5b2f9c9ce5ec994bea05
  SHA1: a8c7326f6bceffaeed1c2bb8d7165e56497965fe
  SHA256: e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
  SHA512: 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Filesize: 8.3MB (hashes match the submitted sample file.exe)
  MD5: 66039c9e643542b612ee5b216900c910
  SHA1: 3af08524281635f64e17f89838c6e528da7d723c
  SHA256: 35c6740a3fb5e35fc261d619abd34c2aaaa761096e36bb03515b536998bc1144
  SHA512: 220901ea547e2200700059944209958b929f237d58f6275fcca3ec27352766e002674202611f1f850074eb4b8bbe0b97797fd170265d9446f54a50bfbe0f79a0