Overview

overview

10

Static

static

10

4b8c4cfc22...1b.exe

windows7_x64

10

4b8c4cfc22...1b.exe

windows10_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-12-2021 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b8c4cfc220a9a8c79b1e10712fe3f1b.exe

  • Size

    93KB

  • MD5

    4b8c4cfc220a9a8c79b1e10712fe3f1b

  • SHA1

    9a5c1db0c51cfd2a78b67f0fc69e76ebb846a6ed

  • SHA256

    2566b3c8958350c97d8332c921a5039d55b821a15440ac0e0087570d287338ba

  • SHA512

    1116c3b4a3f090afbd4e89571fefb8560b08df8fb9dce2bf940e27d298b95cb6f91ba1c45735abe238c2d0133053e37a873ad6d6b93ba71380f7cb4e74b0a522

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 4 IoCs
  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b8c4cfc220a9a8c79b1e10712fe3f1b.exe
    "C:\Users\Admin\AppData\Local\Temp\4b8c4cfc220a9a8c79b1e10712fe3f1b.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4b8c4cfc220a9a8c79b1e10712fe3f1b.exe" "4b8c4cfc220a9a8c79b1e10712fe3f1b.exe" ENABLE
      2⤵
        PID:588
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\4b8c4cfc220a9a8c79b1e10712fe3f1b.exe"
        2⤵
          PID:1404
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4b8c4cfc220a9a8c79b1e10712fe3f1b.exe" "4b8c4cfc220a9a8c79b1e10712fe3f1b.exe" ENABLE
          2⤵
            PID:1072

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/588-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1072-60-0x0000000000000000-mapping.dmp

          Download

        • memory/1404-59-0x0000000000000000-mapping.dmp

          Download

        • memory/1732-55-0x0000000074F11000-0x0000000074F13000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1732-56-0x00000000000E0000-0x00000000000E1000-memory.dmp

          Filesize

          4KB

          Download