Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 22:26
General
-
Target
a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe
-
Size
2.4MB
-
MD5
05e5b7a1ba45c36e63bb4bc1d39874c9
-
SHA1
db184def60fb765dd0c14db6d77661611011c097
-
SHA256
a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e
-
SHA512
979ece9f909d9b7c299d688cd6aa9997f33c6bd5660f082e976df92797359709bf6c4b199d6429b31edcd8bf3d7d45696f3e534fac537ce1f441322d1fd15ade
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe"C:\Users\Admin\AppData\Local\Temp\a36430851072c9ef0330d0fa58f5f777983f20a2b7415733e2a62f092429d67e.exe"1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\muuEquuwjW\cfgi"3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\muuEquuwjW\cfgiFilesize
550B
MD5ecf7d1daa62b857e40a493f631724288
SHA164b3b1fe9f5ba2373a29a5fb65c48a01dda0d368
SHA256df7a381eb21a2b0045bba660c9af597157e07c202a49446a166894ec6f214a69
SHA512042eb8e953188ca9b574e1f14d1bc95aaa643ca7d31bf6ba7b10fa97964332ff6a0b97a90d8199ed99eece61d8c47c08f0af9ccfdb67c4d25c4931fd03c970e6
-
memory/952-133-0x0000000000000000-mapping.dmp
-
memory/952-134-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/952-136-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/952-142-0x0000000000400000-0x00000000004C9000-memory.dmpFilesize
804KB
-
memory/1496-132-0x0000000000400000-0x0000000000769000-memory.dmpFilesize
3.4MB
-
memory/3452-137-0x0000000000400000-0x00000000004ED000-memory.dmpFilesize
948KB
-
memory/3452-138-0x00000000004E78B0-mapping.dmp
-
memory/3452-139-0x0000000000400000-0x00000000004ED000-memory.dmpFilesize
948KB
-
memory/3452-140-0x0000000000400000-0x00000000004ED000-memory.dmpFilesize
948KB
-
memory/3452-141-0x0000000000400000-0x00000000004ED000-memory.dmpFilesize
948KB
-
memory/3452-144-0x0000000000400000-0x00000000004ED000-memory.dmpFilesize
948KB