Analysis
max time kernel: 150s
max time network: 138s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 09:22
Static task: static1
Behavioral task: behavioral1
Sample: drop2.exe
Resource: win7-20241023-en
General
Target: drop2.exe
Size: 2.5MB
MD5: 226eb2bbb97abbcabbd5bf08418cbe9c
SHA1: 53c7485db2e1acb4b70a0a277d58e9ffec8a050d
SHA256: 97e37eaf752b14313ee9aaa158f7028c092adeb4a902cb9618f58cffe29eeed2
SHA512: ccdb91715dc244364ac80bf7dff4b971b4ce5473ebed7f59a3ac68c4b5b7c0919cadf352a64b008d2af8ce5081440119a4db55d7b208de94411761cb42ce055b
SSDEEP: 49152:8F6Y8mlBll44tW535rFyGAlvZVzfKQJYvDCZ3OL0WiqIZJdGUH1SOfSLA+DpHscK:TUBLTErFyGA1DJY7CZeL0WFwGUVSOf+b
Malware Config
Signatures
- Xmrig family

- XMRig Miner payload (9 IoCs)
  resource                                                                  yara_rule
  behavioral1/memory/2688-21-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-19-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-18-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-23-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-24-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-22-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-25-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-26-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/2688-27-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig

- Creates new service(s) (2 TTPs)

- Executes dropped EXE (2 IoCs)
  pid   Process
  476   Process not Found
  2700  Edgee.exe

- Loads dropped DLL (1 IoCs)
  pid   Process
  476   Process not Found

- Power Settings (1 TTPs, 8 IoCs)
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid   Process
  2808  powercfg.exe
  2356  powercfg.exe
  1952  powercfg.exe
  1264  powercfg.exe
  1660  powercfg.exe
  2980  powercfg.exe
  2728  powercfg.exe
  2924  powercfg.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process    procid_target
  PID 2700 set thread context of 2880  2700  Edgee.exe  52
  PID 2700 set thread context of 2688  2700  Edgee.exe  57

- Yara rule match: upx (14 IoCs)
  resource                                                                  yara_rule
  behavioral1/memory/2688-14-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-13-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-21-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-19-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-15-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-18-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-17-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-16-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-23-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-24-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-22-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-25-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-26-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/2688-27-0x0000000140000000-0x0000000140835000-memory.dmp  upx

- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  2124  sc.exe
  2800  sc.exe
  2228  sc.exe
  2960  sc.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1980  drop2.exe    (8 entries)
  2700  Edgee.exe    (6 entries)
  2688  svchost.exe  (50 entries)

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                   pid   Process
  Token: SeShutdownPrivilege    1952  powercfg.exe
  Token: SeShutdownPrivilege    2356  powercfg.exe
  Token: SeShutdownPrivilege    1660  powercfg.exe
  Token: SeShutdownPrivilege    1264  powercfg.exe
  Token: SeShutdownPrivilege    2980  powercfg.exe
  Token: SeShutdownPrivilege    2728  powercfg.exe
  Token: SeShutdownPrivilege    2808  powercfg.exe
  Token: SeShutdownPrivilege    2924  powercfg.exe
  Token: SeLockMemoryPrivilege  2688  svchost.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process    procid_target
  PID 2700 wrote to memory of 2880  2700  Edgee.exe  52   (9 entries)
  PID 2700 wrote to memory of 2688  2700  Edgee.exe  57   (5 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\drop2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\drop2.exe"
  PID: 1980
  Signatures: Suspicious behavior: EnumeratesProcesses

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    PID: 2356
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    PID: 1660
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    PID: 1264
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    PID: 1952
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe delete "chrome"
    PID: 2124
    Signatures: Launches sc.exe

  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe create "chrome" binpath= "C:\ProgramData\MicrosoftEdge\Edgee.exe" start= "auto"
    PID: 2800
    Signatures: Launches sc.exe

  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop eventlog
    PID: 2960
    Signatures: Launches sc.exe

  - [2] C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start "chrome"
    PID: 2228
    Signatures: Launches sc.exe

- [1] C:\ProgramData\MicrosoftEdge\Edgee.exe
  Command line: C:\ProgramData\MicrosoftEdge\Edgee.exe
  PID: 2700
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    PID: 2808
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    PID: 2924
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    PID: 2728
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    PID: 2980
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
    PID: 2880

  - [2] C:\Windows\system32\svchost.exe
    Command line: svchost.exe
    PID: 2688
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.5MB
MD5: 226eb2bbb97abbcabbd5bf08418cbe9c
SHA1: 53c7485db2e1acb4b70a0a277d58e9ffec8a050d
SHA256: 97e37eaf752b14313ee9aaa158f7028c092adeb4a902cb9618f58cffe29eeed2
SHA512: ccdb91715dc244364ac80bf7dff4b971b4ce5473ebed7f59a3ac68c4b5b7c0919cadf352a64b008d2af8ce5081440119a4db55d7b208de94411761cb42ce055b