Overview

overview

10

Static

static

taskhost.exe

windows7_x64

10

taskhost.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskhost.exe

  • Size

    2.8MB

  • MD5

    4d07687083cbaa9c4f9ed49ce324a74b

  • SHA1

    b56252678f52db028b3731de9940bffe4d666fcc

  • SHA256

    fd262d6c99b548dc34af6c75ec941894432781cbd760e8213be95ce65f1a7bba

  • SHA512

    07962b7d646a6e2d8c570da102a1bbd960c81df22c5681b39c49b307a9cf2a4dfea8e607f5be40c43a5828ba15d1c4ada76ebc95d0f6d540e2d0b86a32d41ba7

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1424
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Windows\SysWOW64\wscript.exe
          WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
          4⤵
          • Drops startup file
          PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\lSuRugDFHR\cfgi
    MD5

    d61241d9a72a0f30b8ed3fc7b969fbe3

    SHA1

    9946a4deca135c6d519b817f3edf05834760579f

    SHA256

    8068396e6684ddefdd868be556ea224609854aa3ff653747dc05f1fcc20dd41c

    SHA512

    4dde04224c4d22c718fc907020eefc7bb1ee55eb124b1efa4cca5949276c3e367223cdc0fd6ca1be677d3354ec993fb8aca18c19e68e746798913a116fc5d7c6

    Download Submit
  • C:\ProgramData\lSuRugDFHR\r.vbs
    MD5

    aaeac492102e79fb3268ee27bbb46cac

    SHA1

    240f554c3ea020167019406c36e06a68c4cc1b63

    SHA256

    2c914731f4e36b3601bc30706bb1a2339a1970af9d87630886208a1ebef04fb4

    SHA512

    1b4c3a755fc84d26a60dce9ac6a112de999d3c17fd48ec749d6003496753c7eb2e037f57885bf810f2ecb0e18b00ca0da49ae7b19f337d50e3a5aa7b2de462a5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UkeplxjeiD.url
    MD5

    35015db45f574eb0c6202efeef2c0dcc

    SHA1

    6fcd6a0cc15a21477bf99f05add9015eb7e11aa6

    SHA256

    e43d7feb7648b9b5ee2bed19aeb990818429580dfd731106f25caade1f485f5e

    SHA512

    d145ec6ee6ce970dc4397305fe4f5ee7addf2e43b0e10b6f3e87eb56fc5cce603e2b2ad6c534dda082e756e423cb79e0a96564df86ecf86ebe464f40fb891612

    Download Submit
  • memory/620-77-0x0000000000290000-0x0000000000464000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/620-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1120-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1424-70-0x0000000000260000-0x0000000000274000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1424-69-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1424-72-0x0000000000938000-0x0000000000A15000-memory.dmp
    Filesize

    884KB

    Download
  • memory/1424-68-0x0000000000A14AA0-mapping.dmp
    Download
  • memory/1424-73-0x0000000000401000-0x0000000000938000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1424-74-0x00000000003D0000-0x00000000003F0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1424-75-0x0000000002320000-0x0000000002340000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1424-67-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1424-66-0x0000000000400000-0x0000000000A16000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1684-62-0x0000000000400000-0x00000000005D4000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1684-65-0x0000000000400000-0x00000000005D4000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1684-64-0x0000000075891000-0x0000000075893000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1684-63-0x0000000000404470-mapping.dmp
    Download