Overview

overview

10

Static

static

10

223fe0971e...57.exe

windows7_x64

10

223fe0971e...57.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-12-2021 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    223fe0971e3093c48957b34f5f7e5d57.exe

  • Size

    93KB

  • MD5

    223fe0971e3093c48957b34f5f7e5d57

  • SHA1

    1355cb6ddd9d1f6098cc48f683d154c46cd61a64

  • SHA256

    4f26208a480c3c01ee313f6b8fa9f6e132ec02ab3e179600f0bb965f97cb610d

  • SHA512

    ad00da9253642f35e5d8f9359cb00ed0d3557f09c1db333cdb3ac2d1b7c726ad0194363c8920cd959885087e7b8771742e2a3b907de5724f04eb15212787f850

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 4 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\223fe0971e3093c48957b34f5f7e5d57.exe
    "C:\Users\Admin\AppData\Local\Temp\223fe0971e3093c48957b34f5f7e5d57.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\223fe0971e3093c48957b34f5f7e5d57.exe" "223fe0971e3093c48957b34f5f7e5d57.exe" ENABLE
      2⤵
        PID:476
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\223fe0971e3093c48957b34f5f7e5d57.exe"
        2⤵
          PID:2012
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\223fe0971e3093c48957b34f5f7e5d57.exe" "223fe0971e3093c48957b34f5f7e5d57.exe" ENABLE
          2⤵
            PID:1184

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/476-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1184-60-0x0000000000000000-mapping.dmp

          Download

        • memory/1940-55-0x00000000020B0000-0x00000000020B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1940-56-0x00000000760F1000-0x00000000760F3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2012-59-0x0000000000000000-mapping.dmp

          Download