ta505 | eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe
Size

164KB
MD5

77334f046a50530cdc6e585e59165264
SHA1

657a584eafe86df36e719526d445b570e135d217
SHA256

eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08
SHA512

97936dd74d7eef8d69dae0d83b6d1554bd54d5302b5b2ff886ff66c040b083d7d086089de12b57a491cf7269a7d076e4d2a52839aaac519386b77297bc3a5c90
SSDEEP

3072:DlxjOCto1mb719Iz9cIp23YWMBjk3RzYISn7ApmHVVjKu:5xjD+sF9IKIgnwkRUbAI1F

Score

10^/10

ta505 xmrig miner persistence

Malware Config

Signatures

TA505
Cybercrime group active since 2015, responsible for families like Dridex and Locky.
ta505
Ta505 family
ta505

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000023c91-13.dat	family_xmrig
behavioral2/files/0x0008000000023c91-13.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3108	mi.exe

Loads dropped DLL 1 IoCs

pid	Process
3108	mi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surrogate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe"	eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe
Token: SeLockMemoryPrivilege	3108	mi.exe
Token: SeLockMemoryPrivilege	3108	mi.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3108	mi.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3108	860	eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe	91
PID 860 wrote to memory of 3108	860	eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe	91

C:\Users\Admin\AppData\Local\Temp\eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe
"C:\Users\Admin\AppData\Local\Temp\eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\asm\mi.exe
  "C:\Users\Admin\AppData\Local\asm\mi.exe" --config="C:\Users\Admin\AppData\Local\asm\config.json"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\asm\config.json

Filesize
2KB

MD5
dcb095940d9fb21102941fbeb7bbe9f7

SHA1
3c0d33b914bc5b174cd9c13427ec8700c09d96ca

SHA256
ba88bbb257474d6d7e8e9bec7a12ff826c3fa80cb019fbc92ea8d6253c2400b1

SHA512
c384a68fac9c301efd695605e6b14e1e201be687d99cc1e31c6ed2c3d17f37c28802179dd175b4aadb29a3dd6d808b203e18ee96db63a5dbcb92c9d42d2036c2

Download Submit
C:\Users\Admin\AppData\Local\asm\mi.exe

Filesize
6.1MB

MD5
f6d520ae125f03056c4646c508218d16

SHA1
f65e63d14dd57eadb262deaa2b1a8a965a2a962c

SHA256
d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1

SHA512
d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d

Download Submit
C:\Users\Admin\AppData\Local\asm\xmrig-cuda.dll

Filesize
31.4MB

MD5
0eaba7ef81b53a938d96921fb2185c19

SHA1
9154ad5f8d24426e2ba63212461ae48db8dd9085

SHA256
9d3aa03f8a003a0142ca6bca93d8b86bc6785b5076d1d2a6528602c110d5e4eb

SHA512
0ab9caae19b9c97958b8d9084585bd4ef2857e9a6956d4cf87f57e1b25d873f911b05da3532acf15d9956286ab0b0e1606f9ea5e3f84b25f495506b0fab02569

Download Submit
memory/860-0-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

Filesize
8KB

Download
memory/860-1-0x000001C0072F0000-0x000001C00731E000-memory.dmp

Filesize
184KB

Download
memory/860-2-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/860-7-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

Filesize
8KB

Download
memory/860-8-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3108-15-0x0000022F29600000-0x0000022F29620000-memory.dmp

Filesize
128KB

Download
memory/3108-20-0x0000022F29780000-0x0000022F297A0000-memory.dmp

Filesize
128KB

Download
memory/3108-21-0x0000022F297A0000-0x0000022F297C0000-memory.dmp

Filesize
128KB

Download
memory/3108-22-0x0000022F297A0000-0x0000022F297C0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads