Analysis
-
max time kernel
156s -
max time network
172s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
16-05-2022 13:25
General
-
Target
71f53d9f51c308218ce477988f33c8ce23fc766a60bb803baa8062ec3911a46d.exe
-
Size
6.6MB
-
MD5
9227df15a138dd7f048f001db44c6ab4
-
SHA1
8f3a07f9afcb8d8d1beb0134470980b8c464c8fe
-
SHA256
71f53d9f51c308218ce477988f33c8ce23fc766a60bb803baa8062ec3911a46d
-
SHA512
abf151151b4ae26a35eafeb9d2986f99ddb1cdf91ce8d2100fcc7f0120ac027885a12fe152d0b44a213273bec91d40eaa76195bba00c3862c9552dda38994044
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71f53d9f51c308218ce477988f33c8ce23fc766a60bb803baa8062ec3911a46d.exe"C:\Users\Admin\AppData\Local\Temp\71f53d9f51c308218ce477988f33c8ce23fc766a60bb803baa8062ec3911a46d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe --algo TON --pool wss://pplns.toncoinpool.io/stratum --user UQBsVUYloPrD2oLXlFJTD9eh_74LlcUD9zrdzlmQM3RoxHuQ.dalshe4⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe -o xmr.2miners.com:2222 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p "dalshe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\REG.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\REG.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 0200000000000000000000003⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
4KB
MD5f7dcb24540769805e5bb30d193944dce
SHA1e26c583c562293356794937d9e2e6155d15449ee
SHA2566b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
302B
MD5a506182cb17e3dbc7cc80ba7ce51518d
SHA12443d22b06f6f1d0268155dcccec7d598c6d7963
SHA256c3ea3bc50fb2182b03d68c81b0ffd5cbe8c45eea63a58a036591cca154bbe695
SHA512b6e865e25e6a3a5669d18e566e43503e988fa25df0b561b6d3d3b8048dcca0527d40b26d0fe78a588acc71c0582ddf908adb30a5f9e860ea3f75d5c34ce9ef74
-
C:\Users\Admin\AppData\Local\Microsoft\0TY6A8SuskIDMD_sFilesize
235B
MD54183c5a785fbf0c26237b573ad90d702
SHA15f9dc32793fd32a4ee27255d19317d298b0f3bb3
SHA2564136a41fe9417ff2ce9e8f505fd88b6ecf9231647ae507d14cea35cb7d8abe13
SHA51267b0ee171d2bf37b83a112476dc4b5426683b03a82fabe27915fd064e5db969eaad35e579596e7a7da40f5270226491cdbf59f52cc4124be2450362fa6ee2f29
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeFilesize
175KB
MD5f3af73070387fb75b19286826cc3126c
SHA17774854137d7ada89f3b4bdf67631456a1e74853
SHA256974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610
SHA512a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeFilesize
175KB
MD5f3af73070387fb75b19286826cc3126c
SHA17774854137d7ada89f3b4bdf67631456a1e74853
SHA256974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610
SHA512a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dllFilesize
316KB
MD5fed6517a5f84eecc29edee5586d7feeb
SHA156df244bf73c7ec7b59c98e1f5d47b379b58a06b
SHA2565075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6
SHA51245cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642
-
\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dllFilesize
316KB
MD5fed6517a5f84eecc29edee5586d7feeb
SHA156df244bf73c7ec7b59c98e1f5d47b379b58a06b
SHA2565075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6
SHA51245cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642
-
memory/60-123-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/60-116-0x0000000000400000-0x00000000004CA000-memory.dmpFilesize
808KB
-
memory/60-122-0x0000000000424E93-mapping.dmp
-
memory/2060-124-0x0000000000000000-mapping.dmp
-
memory/2080-136-0x0000000140000000-0x0000000142B59000-memory.dmpFilesize
43.3MB
-
memory/2080-135-0x0000000142B56500-mapping.dmp
-
memory/2080-134-0x0000000140000000-0x0000000142B59000-memory.dmpFilesize
43.3MB
-
memory/2512-142-0x0000000140000000-0x00000001407DD000-memory.dmpFilesize
7.9MB
-
memory/2512-137-0x0000000140000000-0x00000001407DD000-memory.dmpFilesize
7.9MB
-
memory/2512-138-0x000000014034CF44-mapping.dmp
-
memory/2512-139-0x0000000140000000-0x00000001407DD000-memory.dmpFilesize
7.9MB
-
memory/2512-140-0x0000000140000000-0x00000001407DD000-memory.dmpFilesize
7.9MB
-
memory/2512-141-0x00000247149B0000-0x00000247149D0000-memory.dmpFilesize
128KB
-
memory/2512-145-0x00000247163C0000-0x0000024716400000-memory.dmpFilesize
256KB
-
memory/2512-146-0x0000024716400000-0x0000024716420000-memory.dmpFilesize
128KB
-
memory/2512-147-0x0000024716420000-0x0000024716440000-memory.dmpFilesize
128KB
-
memory/3140-127-0x0000000000000000-mapping.dmp
-
memory/3256-130-0x0000000000000000-mapping.dmp