b07725d4beadd557d273cba1ad1cd3db7393731eb26f949c932e644b4e3499ed

Analysis

max time kernel
106s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-02_d15b76e7c90f8d3160456ce67e2f68ef_black-basta_coinminer_hijackloader_ryuk.exe
Size

3.3MB
MD5

d15b76e7c90f8d3160456ce67e2f68ef
SHA1

ea9c747b8c32193b2bc8ba0cacec87fd7cc8a4e1
SHA256

b07725d4beadd557d273cba1ad1cd3db7393731eb26f949c932e644b4e3499ed
SHA512

5429f4935e890b812415fbb0dccdc5b115c2d683dffc588c5bd923e678793c647a72f02beb0c5bd3cf096a8e4271b22c49dfe47fad8fd2b21afeed12109e4795
SSDEEP

49152:dX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Q7:dlRsZ47/QXoHUOfAoj1x67

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3528	wmic.exe
Token: SeSecurityPrivilege	3528	wmic.exe
Token: SeTakeOwnershipPrivilege	3528	wmic.exe
Token: SeLoadDriverPrivilege	3528	wmic.exe
Token: SeSystemProfilePrivilege	3528	wmic.exe
Token: SeSystemtimePrivilege	3528	wmic.exe
Token: SeProfSingleProcessPrivilege	3528	wmic.exe
Token: SeIncBasePriorityPrivilege	3528	wmic.exe
Token: SeCreatePagefilePrivilege	3528	wmic.exe
Token: SeBackupPrivilege	3528	wmic.exe
Token: SeRestorePrivilege	3528	wmic.exe
Token: SeShutdownPrivilege	3528	wmic.exe
Token: SeDebugPrivilege	3528	wmic.exe
Token: SeSystemEnvironmentPrivilege	3528	wmic.exe
Token: SeRemoteShutdownPrivilege	3528	wmic.exe
Token: SeUndockPrivilege	3528	wmic.exe
Token: SeManageVolumePrivilege	3528	wmic.exe
Token: 33	3528	wmic.exe
Token: 34	3528	wmic.exe
Token: 35	3528	wmic.exe
Token: 36	3528	wmic.exe
Token: SeIncreaseQuotaPrivilege	3528	wmic.exe
Token: SeSecurityPrivilege	3528	wmic.exe
Token: SeTakeOwnershipPrivilege	3528	wmic.exe
Token: SeLoadDriverPrivilege	3528	wmic.exe
Token: SeSystemProfilePrivilege	3528	wmic.exe
Token: SeSystemtimePrivilege	3528	wmic.exe
Token: SeProfSingleProcessPrivilege	3528	wmic.exe
Token: SeIncBasePriorityPrivilege	3528	wmic.exe
Token: SeCreatePagefilePrivilege	3528	wmic.exe
Token: SeBackupPrivilege	3528	wmic.exe
Token: SeRestorePrivilege	3528	wmic.exe
Token: SeShutdownPrivilege	3528	wmic.exe
Token: SeDebugPrivilege	3528	wmic.exe
Token: SeSystemEnvironmentPrivilege	3528	wmic.exe
Token: SeRemoteShutdownPrivilege	3528	wmic.exe
Token: SeUndockPrivilege	3528	wmic.exe
Token: SeManageVolumePrivilege	3528	wmic.exe
Token: 33	3528	wmic.exe
Token: 34	3528	wmic.exe
Token: 35	3528	wmic.exe
Token: 36	3528	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3528	4432	2025-04-02_d15b76e7c90f8d3160456ce67e2f68ef_black-basta_coinminer_hijackloader_ryuk.exe	87
PID 4432 wrote to memory of 3528	4432	2025-04-02_d15b76e7c90f8d3160456ce67e2f68ef_black-basta_coinminer_hijackloader_ryuk.exe	87

C:\Users\Admin\AppData\Local\Temp\2025-04-02_d15b76e7c90f8d3160456ce67e2f68ef_black-basta_coinminer_hijackloader_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_d15b76e7c90f8d3160456ce67e2f68ef_black-basta_coinminer_hijackloader_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads