Overview

overview

10

Static

static

10

a3e86b5863...73.exe

windows7_x64

10

a3e86b5863...73.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe

  • Size

    773KB

  • MD5

    28fb61a68956efd2dd8c76d2da0ac9e8

  • SHA1

    1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff

  • SHA256

    a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

  • SHA512

    1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 6 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
    "C:\Users\Admin\AppData\Local\Temp\a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:3764
    • C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Views/modifies file attributes
      PID:1604
  • C:\ProgramData\Iostream.exe
    C:\ProgramData\Iostream.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:2216
  • C:\ProgramData\Iostream.exe
    C:\ProgramData\Iostream.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Iostream.exe
    Filesize

    773KB

    MD5

    28fb61a68956efd2dd8c76d2da0ac9e8

    SHA1

    1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff

    SHA256

    a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

    SHA512

    1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

    Download Submit
  • C:\ProgramData\Iostream.exe
    Filesize

    773KB

    MD5

    28fb61a68956efd2dd8c76d2da0ac9e8

    SHA1

    1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff

    SHA256

    a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

    SHA512

    1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

    Download Submit
  • memory/1604-131-0x0000000000000000-mapping.dmp
    Download
  • memory/1604-132-0x0000000000400000-0x000000000048D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/1604-133-0x0000000000400000-0x000000000048D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/1604-134-0x0000000000400000-0x000000000048D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/1604-135-0x0000000000400000-0x000000000048D000-memory.dmp
    Filesize

    564KB

    Download
  • memory/1824-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3764-130-0x0000000000000000-mapping.dmp
    Download