Overview

overview

10

Static

static

8

04443c70d3...be.exe

windows7_x64

9

04443c70d3...be.exe

windows10_x64

9

05535d72f3...06.exe

windows7_x64

1

05535d72f3...06.exe

windows10_x64

1

1bec139d54...72.exe

windows7_x64

8

1bec139d54...72.exe

windows10_x64

8

1f670ff8cc...55.exe

windows7_x64

1

1f670ff8cc...55.exe

windows10_x64

1

2deaa0ec74...ea.exe

windows7_x64

10

2deaa0ec74...ea.exe

windows10_x64

10

372b929ae9...ef.dll

windows7_x64

9

372b929ae9...ef.dll

windows10_x64

9

38ee6bea62...15.exe

windows7_x64

3

38ee6bea62...15.exe

windows10_x64

3

437d91ce52...8f.exe

windows7_x64

1

437d91ce52...8f.exe

windows10_x64

4

447058c1c6...a8.exe

windows7_x64

9

447058c1c6...a8.exe

windows10_x64

9

5061c0b08d...03.exe

windows7_x64

1

5061c0b08d...03.exe

windows10_x64

1

5ed4b682ef...d4.exe

windows7_x64

8

5ed4b682ef...d4.exe

windows10_x64

8

6970600d21...b5.exe

windows7_x64

1

6970600d21...b5.exe

windows10_x64

1

72f528f9a6...92.exe

windows7_x64

8

72f528f9a6...92.exe

windows10_x64

8

73dcee7abe...99.exe

windows7_x64

1

73dcee7abe...99.exe

windows10_x64

1

7e118b534a...d2.exe

windows7_x64

10

7e118b534a...d2.exe

windows10_x64

10

8034fffb03...3c.exe

windows7_x64

10

8034fffb03...3c.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-03-2021 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe

  • Size

    730KB

  • MD5

    07f1fa24a6fcb3708ab0689a2706ad8c

  • SHA1

    5da69784e467f242b4f0318fed2b3aed988c6466

  • SHA256

    04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be

  • SHA512

    59a67d2e495b948a45f32f67e3e2a85f0d8343942677e16d8f53162b42ba3a535dd72b713ca1ab59f871a7cbb614f13626741b782b2b2cc4c875bf3a82e83bfb

Score
9/10
minerpersistenceupx

Malware Config

Signatures

  • Detected Stratum cryptominer command

    Looks to be attempting to contact Stratum mining pool.

    miner
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

    miner
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe
    "C:\Users\Admin\AppData\Local\Temp\04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\notepad.exe
      -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -t 2
      2⤵
        PID:3440

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1452-2-0x0000000000D40000-0x0000000000DFA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/3440-4-0x00000000004873E0-mapping.dmp

      Download

    • memory/3440-3-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download

    • memory/3440-5-0x0000000000400000-0x0000000000489000-memory.dmp

      Filesize

      548KB

      Download