Overview

overview

10

Static

static

file3.exe

windows7_x64

10

file3.exe

windows10_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    29-04-2021 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file3.exe

  • Size

    4.4MB

  • MD5

    85916ca32ad6adf4bcc68318fcfe1722

  • SHA1

    e58a67d48b79cc828e31121f5c3ed2b06ebd4f85

  • SHA256

    3e3a2350cc65c94f1139adf4229a5d1a0c0fdd7aa79c5ba8612011e2a5113b0f

  • SHA512

    db3e042b77f5f4b5e1b83dac49f24e1159552c7a7207ab2897e44bcb58875dc87a84257ef3ca95606c565d7baaa55db67f36f47d8adcfb8b4aa9d5aa522dfb90

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 4 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file3.exe
    "C:\Users\Admin\AppData\Local\Temp\file3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\file3.exe
      "{path}"
      2⤵
        PID:2284
      • C:\Users\Admin\AppData\Local\Temp\file3.exe
        "{path}"
        2⤵
          PID:2192
        • C:\Users\Admin\AppData\Local\Temp\file3.exe
          "{path}"
          2⤵
            PID:1940
          • C:\Users\Admin\AppData\Local\Temp\file3.exe
            "{path}"
            2⤵
              PID:932
            • C:\Users\Admin\AppData\Local\Temp\file3.exe
              "{path}"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1248
              • C:\Users\Admin\AppData\Roaming\xmrig.exe
                "C:\Users\Admin\AppData\Roaming\xmrig.exe" -p trinity-miner --donate-level 5 -o pool.supportxmr.com:443 -u 89UyhNJWGyP6xoycGBA3A6HjdNEs7g3jr34EXVtqGYzg5wLEbmZY2AcGy5Kw5NRfjaYTUyW1dKCHGinv7fGMg45zVCRQwNM -k --tls
                3⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3956

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file3.exe.log
            MD5

            0c2899d7c6746f42d5bbe088c777f94c

            SHA1

            622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

            SHA256

            5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

            SHA512

            ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

            Download Submit
          • C:\Users\Admin\AppData\Roaming\xmrig.exe
            MD5

            184fb976a5e2ff8241f6d7799ba930be

            SHA1

            6b9043b37361225cb709ef927f23cbac65063588

            SHA256

            fd0f5b78bcc0c8c9690777f1be1602f006e627fff201b8111275a10edfb76c83

            SHA512

            9752bd4251a6f2daac1525ecb345e2026fd00647f8e0120dc577341b6b216f3934ff11398ef77742bb4621a90fddeabceb6757d527d2e13bd10ae6e154fbf2c9

            Download Submit
          • C:\Users\Admin\AppData\Roaming\xmrig.exe
            MD5

            184fb976a5e2ff8241f6d7799ba930be

            SHA1

            6b9043b37361225cb709ef927f23cbac65063588

            SHA256

            fd0f5b78bcc0c8c9690777f1be1602f006e627fff201b8111275a10edfb76c83

            SHA512

            9752bd4251a6f2daac1525ecb345e2026fd00647f8e0120dc577341b6b216f3934ff11398ef77742bb4621a90fddeabceb6757d527d2e13bd10ae6e154fbf2c9

            Download Submit
          • memory/1248-124-0x0000000000400000-0x0000000000872000-memory.dmp
            Filesize

            4.4MB

            Download
          • memory/1248-125-0x000000000086D6EA-mapping.dmp
            Download
          • memory/3540-123-0x000000000BFF0000-0x000000000C460000-memory.dmp
            Filesize

            4.4MB

            Download
          • memory/3540-116-0x0000000006090000-0x0000000006091000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3540-122-0x00000000099A0000-0x0000000009C78000-memory.dmp
            Filesize

            2.8MB

            Download
          • memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3540-120-0x0000000005B90000-0x000000000608E000-memory.dmp
            Filesize

            5.0MB

            Download
          • memory/3540-119-0x00000000077A0000-0x00000000077A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3540-118-0x0000000005D90000-0x0000000005D91000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3540-121-0x0000000005E60000-0x0000000005E6E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/3540-117-0x0000000005C30000-0x0000000005C31000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3956-129-0x0000000000000000-mapping.dmp
            Download
          • memory/3956-132-0x000001C4A56F0000-0x000001C4A5710000-memory.dmp
            Filesize

            128KB

            Download
          • memory/3956-133-0x000001C4A5720000-0x000001C4A5740000-memory.dmp
            Filesize

            128KB

            Download
          • memory/3956-135-0x000001C4A5760000-0x000001C4A5780000-memory.dmp
            Filesize

            128KB

            Download
          • memory/3956-134-0x000001C4A5740000-0x000001C4A5760000-memory.dmp
            Filesize

            128KB

            Download