Analysis
max time kernel: 148s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2024 09:22
Static task: static1
Behavioral task: behavioral1
Sample: drop2.exe
Resource: win7-20241023-en
General
Target: drop2.exe
Size: 2.5MB
MD5: 226eb2bbb97abbcabbd5bf08418cbe9c
SHA1: 53c7485db2e1acb4b70a0a277d58e9ffec8a050d
SHA256: 97e37eaf752b14313ee9aaa158f7028c092adeb4a902cb9618f58cffe29eeed2
SHA512: ccdb91715dc244364ac80bf7dff4b971b4ce5473ebed7f59a3ac68c4b5b7c0919cadf352a64b008d2af8ce5081440119a4db55d7b208de94411761cb42ce055b
SSDEEP: 49152:8F6Y8mlBll44tW535rFyGAlvZVzfKQJYvDCZ3OL0WiqIZJdGUH1SOfSLA+DpHscK:TUBLTErFyGA1DJY7CZeL0WFwGUVSOf+b
Malware Config
Signatures
Xmrig family

XMRig Miner payload 9 IoCs
resource | yara_rule
behavioral2/memory/3268-22-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-21-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-20-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-19-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-17-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-16-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-23-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-24-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
behavioral2/memory/3268-25-0x0000000140000000-0x0000000140835000-memory.dmp | xmrig
Creates new service(s) 2 TTPs

Executes dropped EXE 1 IoCs
pid | Process
1232 | Edgee.exe

Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
4780 | powercfg.exe
4680 | powercfg.exe
4676 | powercfg.exe
3544 | powercfg.exe
436 | powercfg.exe
4468 | powercfg.exe
3440 | powercfg.exe
3512 | powercfg.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1232 set thread context of 4848 | 1232 | Edgee.exe | 115
PID 1232 set thread context of 3268 | 1232 | Edgee.exe | 119

resource | yara_rule
behavioral2/memory/3268-11-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-14-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-15-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-12-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-22-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-21-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-20-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-19-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-17-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-16-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-13-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-23-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-24-0x0000000140000000-0x0000000140835000-memory.dmp | upx
behavioral2/memory/3268-25-0x0000000140000000-0x0000000140835000-memory.dmp | upx

Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
552 | sc.exe
2276 | sc.exe
4700 | sc.exe
1292 | sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2840 | drop2.exe (8 events)
1232 | Edgee.exe (6 events)
3268 | svchost.exe (50 events)

Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4680 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4680 | powercfg.exe
Token: SeShutdownPrivilege | 4780 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4780 | powercfg.exe
Token: SeShutdownPrivilege | 4676 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4676 | powercfg.exe
Token: SeShutdownPrivilege | 3544 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3544 | powercfg.exe
Token: SeShutdownPrivilege | 3512 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3512 | powercfg.exe
Token: SeShutdownPrivilege | 3440 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3440 | powercfg.exe
Token: SeShutdownPrivilege | 436 | powercfg.exe
Token: SeCreatePagefilePrivilege | 436 | powercfg.exe
Token: SeLockMemoryPrivilege | 3268 | svchost.exe
Token: SeShutdownPrivilege | 4468 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4468 | powercfg.exe

Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 1232 wrote to memory of 4848 | 1232 | Edgee.exe | 115 (9 events)
PID 1232 wrote to memory of 3268 | 1232 | Edgee.exe | 119 (5 events)
Processes
C:\Users\Admin\AppData\Local\Temp\drop2.exe  (PID 2840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\drop2.exe"
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\powercfg.exe  (PID 4780)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\powercfg.exe  (PID 3544)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\powercfg.exe  (PID 4676)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\powercfg.exe  (PID 4680)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\sc.exe  (PID 4700)
      Command line: C:\Windows\system32\sc.exe delete "chrome"
      - Launches sc.exe
    C:\Windows\system32\sc.exe  (PID 1292)
      Command line: C:\Windows\system32\sc.exe create "chrome" binpath= "C:\ProgramData\MicrosoftEdge\Edgee.exe" start= "auto"
      - Launches sc.exe
    C:\Windows\system32\sc.exe  (PID 552)
      Command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
    C:\Windows\system32\sc.exe  (PID 2276)
      Command line: C:\Windows\system32\sc.exe start "chrome"
      - Launches sc.exe

C:\ProgramData\MicrosoftEdge\Edgee.exe  (PID 1232)
  Command line: C:\ProgramData\MicrosoftEdge\Edgee.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\powercfg.exe  (PID 3512)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\powercfg.exe  (PID 3440)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\powercfg.exe  (PID 4468)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\powercfg.exe  (PID 436)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\conhost.exe  (PID 4848)
      Command line: C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe  (PID 3268)
      Command line: svchost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.5MB
MD5: 226eb2bbb97abbcabbd5bf08418cbe9c
SHA1: 53c7485db2e1acb4b70a0a277d58e9ffec8a050d
SHA256: 97e37eaf752b14313ee9aaa158f7028c092adeb4a902cb9618f58cffe29eeed2
SHA512: ccdb91715dc244364ac80bf7dff4b971b4ce5473ebed7f59a3ac68c4b5b7c0919cadf352a64b008d2af8ce5081440119a4db55d7b208de94411761cb42ce055b