Overview

overview

10

Static

static

82c911654f...68.exe

windows7_x64

10

82c911654f...68.exe

windows10_x64

8

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    15-05-2021 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe

  • Size

    1.5MB

  • MD5

    823f26a80be46a78c0165bff11c19070

  • SHA1

    d580906a344590011caf1f980143887a4a903c58

  • SHA256

    82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68

  • SHA512

    440b0721f5739c3310f73788809619c0cea0f7a46dabe7eb7cd69a99373cd8dda2876b7e49be0d7eaa9d1c7e89dda406e3659be7500050d90f8e707a6998d377

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 2 IoCs
    miner
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
    "C:\Users\Admin\AppData\Local\Temp\82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:484
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\SysWOW64\wscript.exe
        WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
        3⤵
        • Drops startup file
        PID:616
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/484-60-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/484-59-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/916-66-0x0000000000400000-0x0000000000504000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/916-69-0x0000000000400000-0x0000000000504000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/916-67-0x0000000000400000-0x0000000000504000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/916-71-0x00000000004AD000-0x0000000000503000-memory.dmp

    Filesize

    344KB

    Download

  • memory/916-72-0x0000000000401000-0x00000000004AD000-memory.dmp

    Filesize

    688KB

    Download