Analysis
-
max time kernel
75s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-04-2021 11:52
General
-
Target
file.exe
-
Size
126KB
-
MD5
fdefd1e361d1020577bf018a5a98040c
-
SHA1
2d7c4cfa15f4cb29ce95e7a59c3089a081a772a2
-
SHA256
01cb6ab274dc0ac90192b537a606965d98f03d99c95b3a0e24bc6cad724d42c7
-
SHA512
adb42dc5cc31b95f6e3d463068d57480acb50c80ce49f4fabd0fa87700dda3d92afe543f2569f2e92077afd0d00869c5cdf24902968050132eccd9a230719378
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\AE08.tmp.exe"C:\Users\Admin\AppData\Roaming\AE08.tmp.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999993⤵
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99993⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\AF03.tmp.exe"C:\Users\Admin\AppData\Roaming\AF03.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\AF03.tmp.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 34⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\AE08.tmp.exeMD5
01e6cae5a0f506d2b3b01162bcc7b078
SHA16e6d05630da0163a38a70865280fcad42ab1c74d
SHA25625e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1
SHA512ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea
-
C:\Users\Admin\AppData\Roaming\AE08.tmp.exeMD5
01e6cae5a0f506d2b3b01162bcc7b078
SHA16e6d05630da0163a38a70865280fcad42ab1c74d
SHA25625e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1
SHA512ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea
-
C:\Users\Admin\AppData\Roaming\AF03.tmp.exeMD5
98d0976214fb5720a6b2c23ba035b741
SHA11eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA5124a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
-
C:\Users\Admin\AppData\Roaming\AF03.tmp.exeMD5
98d0976214fb5720a6b2c23ba035b741
SHA11eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA5124a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
-
memory/96-22-0x0000000000400000-0x000000000587C000-memory.dmpFilesize
84.5MB
-
memory/96-6-0x0000000000000000-mapping.dmp
-
memory/96-21-0x00000000077E0000-0x000000000CC5C000-memory.dmpFilesize
84.5MB
-
memory/644-9-0x0000000003600000-0x0000000003648000-memory.dmpFilesize
288KB
-
memory/644-2-0x00000000009C0000-0x00000000009CD000-memory.dmpFilesize
52KB
-
memory/2192-19-0x0000000000000000-mapping.dmp
-
memory/2320-20-0x0000000000000000-mapping.dmp
-
memory/2956-12-0x0000000140000000-0x0000000140383000-memory.dmpFilesize
3.5MB
-
memory/2956-11-0x00000001401FBC30-mapping.dmp
-
memory/2956-10-0x0000000140000000-0x0000000140383000-memory.dmpFilesize
3.5MB
-
memory/3284-24-0x0000000000000000-mapping.dmp
-
memory/3404-3-0x0000000000000000-mapping.dmp
-
memory/3472-18-0x000002695B400000-0x000002695B420000-memory.dmpFilesize
128KB
-
memory/3472-17-0x0000000140000000-0x000000014070A000-memory.dmpFilesize
7.0MB
-
memory/3472-16-0x0000000140000000-0x000000014070A000-memory.dmpFilesize
7.0MB
-
memory/3472-15-0x000002695B3C0000-0x000002695B3D4000-memory.dmpFilesize
80KB
-
memory/3472-14-0x00000001402CA898-mapping.dmp
-
memory/3472-13-0x0000000140000000-0x000000014070A000-memory.dmpFilesize
7.0MB
-
memory/3472-25-0x000002695B520000-0x000002695B540000-memory.dmpFilesize
128KB
-
memory/4084-23-0x0000000000000000-mapping.dmp