Overview

overview

10

Static

static

taskhost.exe

windows7_x64

10

taskhost.exe

windows10_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-05-2021 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskhost.exe

  • Size

    2.8MB

  • MD5

    7f6b8e103f0a42615d90a2b7ad862135

  • SHA1

    095d2bef8afc9a657cb0dfbe9e95ae467a7364d0

  • SHA256

    51edeab1acc8739d6e419b59c1ea6c1e1a8e783d1a3852729b35781ddb008639

  • SHA512

    b058baa67cce6631bb4937b8df81ac42fbe2955c1c43723b136a74378dece449dcd50d0c7ea3d2b9817939e1126767c3935d12dde7863edcb66d1bd56675ca83

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\wscript.exe
          WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
          4⤵
          • Drops startup file
          PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\lSuRugDFHR\cfgi
    MD5

    d61241d9a72a0f30b8ed3fc7b969fbe3

    SHA1

    9946a4deca135c6d519b817f3edf05834760579f

    SHA256

    8068396e6684ddefdd868be556ea224609854aa3ff653747dc05f1fcc20dd41c

    SHA512

    4dde04224c4d22c718fc907020eefc7bb1ee55eb124b1efa4cca5949276c3e367223cdc0fd6ca1be677d3354ec993fb8aca18c19e68e746798913a116fc5d7c6

    Download Submit
  • C:\ProgramData\lSuRugDFHR\r.vbs
    MD5

    aaeac492102e79fb3268ee27bbb46cac

    SHA1

    240f554c3ea020167019406c36e06a68c4cc1b63

    SHA256

    2c914731f4e36b3601bc30706bb1a2339a1970af9d87630886208a1ebef04fb4

    SHA512

    1b4c3a755fc84d26a60dce9ac6a112de999d3c17fd48ec749d6003496753c7eb2e037f57885bf810f2ecb0e18b00ca0da49ae7b19f337d50e3a5aa7b2de462a5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UkeplxjeiD.url
    MD5

    35015db45f574eb0c6202efeef2c0dcc

    SHA1

    6fcd6a0cc15a21477bf99f05add9015eb7e11aa6

    SHA256

    e43d7feb7648b9b5ee2bed19aeb990818429580dfd731106f25caade1f485f5e

    SHA512

    d145ec6ee6ce970dc4397305fe4f5ee7addf2e43b0e10b6f3e87eb56fc5cce603e2b2ad6c534dda082e756e423cb79e0a96564df86ecf86ebe464f40fb891612

    Download Submit
  • memory/316-69-0x00000000000F0000-0x0000000000104000-memory.dmp
    Filesize

    80KB

    Download
  • memory/316-72-0x0000000000401000-0x0000000000938000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/316-66-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/316-67-0x0000000000A14AA0-mapping.dmp
    Download
  • memory/316-68-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/316-74-0x0000000000B20000-0x0000000000B40000-memory.dmp
    Filesize

    128KB

    Download
  • memory/316-73-0x0000000000B00000-0x0000000000B20000-memory.dmp
    Filesize

    128KB

    Download
  • memory/316-65-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/316-71-0x0000000000938000-0x0000000000A15000-memory.dmp
    Filesize

    884KB

    Download
  • memory/828-75-0x0000000000000000-mapping.dmp
    Download
  • memory/828-76-0x0000000000250000-0x0000000000424000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1612-77-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-64-0x0000000000400000-0x00000000005D4000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2036-62-0x0000000000404470-mapping.dmp
    Download
  • memory/2036-63-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-61-0x0000000000400000-0x00000000005D4000-memory.dmp
    Filesize

    1.8MB

    Download