Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
07-05-2021 13:02
General
-
Target
xmr.exe
-
Size
1.8MB
-
MD5
b1e29e528a7510be3c04dcff622f63ab
-
SHA1
ae8a2d88a4b0bcd8a11364be5a687f2a2a86d83a
-
SHA256
a98ccb74c29d4e6c3929cfea2f157dd53ce9c3ea67bd25934aab24f416ce9d13
-
SHA512
e7f59ab406d79832dacd0c4bdeb4bbbe8cc626bcf247502f8a817d2f2e39449450806976f5cb725a35f1bb1a58ef41488b32d6aea9cf3a54590c7989d3696040
Score
8/10
Malware Config
Signatures
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 15 IoCs
-
Program crash 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xmr.exe"C:\Users\Admin\AppData\Local\Temp\xmr.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2408 -s 1163⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.execmd.exe /C WScript "C:\ProgramData\CjtqpVHEcA\r.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exeWScript "C:\ProgramData\CjtqpVHEcA\r.vbs"3⤵
- Drops startup file
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2348 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 188 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1504 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1704 -s 1883⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2760 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2260 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3400 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 208 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2528 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2408 -s 2003⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3284 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1704 -s 1883⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3880 -s 1803⤵
- Program crash
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 680 -s 1803⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\CjtqpVHEcA\r.vbsMD5
0065ee24d4dd8d3de7357eca05dd7605
SHA18ec12f52f6c59a894c0d7aa829be62f0a9423a92
SHA2565b5f9317f61c56cf5f568327c0220b23287f7043b071e93e1f3a2d3f31cacda3
SHA51271966d11180ee59316922b576d6c1d5ec80694d899f861d83e28012418fedf57b0a3a53d5de2e3f52dde1cf376fc57efbe4b8ef1a182d5a798c02ac291265bb6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gCJCBpvUDZ.urlMD5
0d14a943975c648c95879341d15993c5
SHA1f3b9af3e748daee22572d5b9d94e5b25795acb04
SHA2569a0efbbe99d58279d8df483820fc8d0990719164254def0109564540cad9dc58
SHA512f898b8421ecf615d501c883ffb395da9d3512d6918100b8a1061121b6540d7d6cfae96b07b80eeba4bba0c940c567f0630031609917ec86904420045de9f2c9f
-
memory/188-130-0x0000000000A14AA0-mapping.dmp
-
memory/208-160-0x0000000000A14AA0-mapping.dmp
-
memory/680-190-0x0000000000A14AA0-mapping.dmp
-
memory/1504-135-0x0000000000A14AA0-mapping.dmp
-
memory/1704-140-0x0000000000A14AA0-mapping.dmp
-
memory/1704-180-0x0000000000A14AA0-mapping.dmp
-
memory/2260-150-0x0000000000A14AA0-mapping.dmp
-
memory/2348-125-0x0000000000A14AA0-mapping.dmp
-
memory/2408-168-0x0000000000400000-0x0000000000400138-memory.dmpFilesize
312B
-
memory/2408-114-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2408-116-0x0000000000A14AA0-mapping.dmp
-
memory/2408-170-0x0000000000A14AA0-mapping.dmp
-
memory/2408-115-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2528-165-0x0000000000A14AA0-mapping.dmp
-
memory/2760-145-0x0000000000A14AA0-mapping.dmp
-
memory/2760-119-0x0000000000000000-mapping.dmp
-
memory/3284-175-0x0000000000A14AA0-mapping.dmp
-
memory/3400-155-0x0000000000A14AA0-mapping.dmp
-
memory/3512-120-0x0000000000000000-mapping.dmp
-
memory/3880-185-0x0000000000A14AA0-mapping.dmp