Analysis
max time kernel: 149s
max time network: 135s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 15:02
Static task: static1
Behavioral task: behavioral1
Sample: a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe
Resource: win7-20240903-en
General
Target: a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe
Size: 5.8MB
MD5: 190e68a764f232fa236a23317f80892b
SHA1: a37b9e226334bc69abaacb539fb7ba9722831a76
SHA256: a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7
SHA512: 34c5d7d35a639a2c6ea183ad808a10bc0adaebf806975f6949da119c1d90c50f065b3d238a0bd6b7159394fe39a0322590fe229cae73f7c9cc393e721449c0a2
SSDEEP: 98304:ICAKtK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4ucmEyVHNJdNOD5A:I7ObErIYeQ3nEIsyU2Y48CeHxNV
Malware Config
Signatures
Xmrig family
XMRig Miner payload 9 IoCs
resource / yara_rule:
- behavioral1/memory/1972-40-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-39-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-43-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-44-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-45-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-46-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-42-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-48-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
- behavioral1/memory/1972-47-0x0000000140000000-0x0000000140848000-memory.dmp (rule: xmrig)
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process:
- 1732 powershell.exe
- 2932 powershell.exe
Creates new service(s) 2 TTPs
Drops file in Drivers directory 2 IoCs
description / ioc / Process:
- File created C:\Windows\system32\drivers\etc\hosts (a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe)
- File created C:\Windows\system32\drivers\etc\hosts (Updater.exe)
Executes dropped EXE 2 IoCs
pid / Process:
- 476 Process not Found
- 2904 Updater.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow / ioc:
- 4 pastebin.com
- 5 pastebin.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid / Process:
- 2924 powercfg.exe
- 2672 powercfg.exe
- 3020 powercfg.exe
- 2232 powercfg.exe
- 2792 powercfg.exe
- 3056 powercfg.exe
- 2920 powercfg.exe
- 2664 powercfg.exe
Drops file in System32 directory 4 IoCs
description / ioc / Process:
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification C:\Windows\system32\MRT.exe (a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe)
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification C:\Windows\system32\MRT.exe (Updater.exe)
Suspicious use of SetThreadContext 2 IoCs
description / pid / Process / procid_target:
- PID 2904 set thread context of 2260 (2904 Updater.exe, target 86)
- PID 2904 set thread context of 1972 (2904 Updater.exe, target 87)
resource / yara_rule:
- behavioral1/memory/1972-36-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-37-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-35-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-34-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-40-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-39-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-43-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-44-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-45-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-46-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-42-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-38-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-48-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
- behavioral1/memory/1972-47-0x0000000140000000-0x0000000140848000-memory.dmp (rule: upx)
Drops file in Windows directory 2 IoCs
description / ioc / Process:
- File created C:\Windows\wusa.lock (wusa.exe)
- File created C:\Windows\wusa.lock (wusa.exe)
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid / Process:
- 2692 sc.exe
- 2688 sc.exe
- 2844 sc.exe
- 2316 sc.exe
- 2744 sc.exe
- 1432 sc.exe
- 2456 sc.exe
- 2796 sc.exe
- 2012 sc.exe
- 2080 sc.exe
- 2808 sc.exe
- 3036 sc.exe
- 824 sc.exe
- 2404 sc.exe
Modifies data under HKEY_USERS 6 IoCs
description / ioc / Process:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs (explorer.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90880e528128db01 (powershell.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2932 powershell.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2364 a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe 2904 Updater.exe 1732 powershell.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 2904 Updater.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe 1972 explorer.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description / pid / Process:
- Token: SeDebugPrivilege 2932 powershell.exe
- Token: SeShutdownPrivilege 2792 powercfg.exe
- Token: SeShutdownPrivilege 2664 powercfg.exe
- Token: SeShutdownPrivilege 2920 powercfg.exe
- Token: SeShutdownPrivilege 3056 powercfg.exe
- Token: SeDebugPrivilege 1732 powershell.exe
- Token: SeShutdownPrivilege 2672 powercfg.exe
- Token: SeShutdownPrivilege 2924 powercfg.exe
- Token: SeShutdownPrivilege 3020 powercfg.exe
- Token: SeShutdownPrivilege 2232 powercfg.exe
- Token: SeLockMemoryPrivilege 1972 explorer.exe
Suspicious use of WriteProcessMemory 20 IoCs
description / pid / Process / procid_target:
- PID 1156 wrote to memory of 2960 (1156 cmd.exe, target 39)
- PID 1156 wrote to memory of 2960 (1156 cmd.exe, target 39)
- PID 1156 wrote to memory of 2960 (1156 cmd.exe, target 39)
- PID 888 wrote to memory of 1944 (888 cmd.exe, target 69)
- PID 888 wrote to memory of 1944 (888 cmd.exe, target 69)
- PID 888 wrote to memory of 1944 (888 cmd.exe, target 69)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 2260 (2904 Updater.exe, target 86)
- PID 2904 wrote to memory of 1972 (2904 Updater.exe, target 87)
- PID 2904 wrote to memory of 1972 (2904 Updater.exe, target 87)
- PID 2904 wrote to memory of 1972 (2904 Updater.exe, target 87)
- PID 2904 wrote to memory of 1972 (2904 Updater.exe, target 87)
- PID 2904 wrote to memory of 1972 (2904 Updater.exe, target 87)
Processes
(process tree; each entry gives the image path, the command line, the matched signatures and the PID; child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7.exe"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2932
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
      PID:1156
        C:\Windows\system32\wusa.exe
          command line: wusa /uninstall /kb:890830 /quiet /norestart
          - Drops file in Windows directory
          PID:2960
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      PID:824
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      PID:2796
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      PID:2404
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      PID:2844
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      PID:2688
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2664
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2920
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:3056
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2792
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      - Launches sc.exe
      PID:2744
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      - Launches sc.exe
      PID:2692
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
      PID:3036
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      - Launches sc.exe
      PID:2456
C:\ProgramData\GoogleUP\Chrome\Updater.exe
  command line: C:\ProgramData\GoogleUP\Chrome\Updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2904
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1732
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
      PID:888
        C:\Windows\system32\wusa.exe
          command line: wusa /uninstall /kb:890830 /quiet /norestart
          - Drops file in Windows directory
          PID:1944
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      PID:2808
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      PID:2080
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      PID:2316
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      PID:2012
    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      PID:1432
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2232
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:3020
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2672
    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID:2924
    C:\Windows\system32\conhost.exe
      command line: C:\Windows\system32\conhost.exe
      PID:2260
    C:\Windows\explorer.exe
      command line: explorer.exe
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1972
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.8MB
MD5: 190e68a764f232fa236a23317f80892b
SHA1: a37b9e226334bc69abaacb539fb7ba9722831a76
SHA256: a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7
SHA512: 34c5d7d35a639a2c6ea183ad808a10bc0adaebf806975f6949da119c1d90c50f065b3d238a0bd6b7159394fe39a0322590fe229cae73f7c9cc393e721449c0a2

Filesize: 2KB
MD5: 3e9af076957c5b2f9c9ce5ec994bea05
SHA1: a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256: e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512: 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f