Analysis

  • max time kernel
    127s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:34

General

  • Target

    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

  • Size

    1MB

  • MD5

    ce854dd32e1d931cd6a791b30dcd9458

  • SHA1

    0b247814ee8be3926e0dd64e749d7a4f174f96b7

  • SHA256

    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a

  • SHA512

    12cc6264daa1deaf81d59153f8cb9f9ed5b67dd45d6c954706c4a9052807384395ceb008b082e9bf903493dc9e52769fcf91a8295be9beae95655691a72c7e42

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner Payload ⋅ 4 IoCs
  • UPX packed file ⋅ 6 IoCs

    Detects executables packed with the open-source UPX packer or with a modified UPX build.

  • Drops startup file ⋅ 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 11 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 18 IoCs
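How a "UPX / modified UPX" signature like the one above is typically checked, as an added example (not the sandbox's own rule and not code from this page): the stock UPX0/UPX1/UPX2 section names are the cheap test, and for builds that rename the sections the layout UPX leaves behind still shows through, a first section with no raw data but a large virtual size (the unpack target) followed by a section of high-entropy compressed data. The PE images are constructed here with struct so the block runs offline; they are not the sample on this page, and the 0x1000 virtual-size and 7.0-bit entropy thresholds are this example's own choices.

```python
"""Heuristic UPX check on a PE section table.

Added example: not the sandbox's rule and not code from the page. The PE
images below are constructed with struct for this example only.
"""
import math
import random
import struct


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sections(pe: bytes):
    """Yield (name, virtual_size, raw_size, raw_ptr) from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), vsize, rsize, rptr


def upx_verdict(pe: bytes) -> dict:
    """Combine the section-name check with the layout/entropy check."""
    secs = list(sections(pe))
    names = [s[0] for s in secs]
    by_name = any(n.upper().startswith("UPX") for n in names)
    by_layout = False
    if len(secs) >= 2:
        (_, vsize0, rsize0, _), (_, _, rsize1, rptr1) = secs[0], secs[1]
        packed = pe[rptr1:rptr1 + rsize1]
        # Empty first section that is large in memory + high-entropy second
        # section = unpack target followed by compressed payload.
        by_layout = (rsize0 == 0 and vsize0 >= 0x1000
                     and rsize1 > 0 and entropy(packed) > 7.0)
    return {"sections": names, "upx_names": by_name,
            "upx_layout": by_layout, "packed": by_name or by_layout}


def build_pe(specs, opt_size=0xE0):
    """Constructed minimal PE32: DOS header, COFF + optional header, section
    table, then raw section data at 0x200-aligned file offsets."""
    e_lfanew, nsec = 0x40, len(specs)
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    head += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    blobs, vaddr = b"", 0x1000
    for name, vsize, data in specs:
        rptr = raw_ptr + len(blobs) if data else 0
        head += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                            len(data), rptr, 0, 0, 0, 0, 0xE0000020)
        blobs += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
        vaddr += max(vsize, 0x1000)
    return head.ljust(raw_ptr, b"\0") + blobs


_rng = random.Random(7)
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(0x4000))  # stands in for packed data
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10" * 0x200 + b"\xc9\xc3"  # low-entropy code stub
STOCK_UPX = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, COMPRESSED),
                      (b".rsrc", 0x1000, b"\0" * 0x200)])
RENAMED_UPX = build_pe([(b".text", 0x20000, b""), (b".data", 0x8000, COMPRESSED),
                        (b".rsrc", 0x1000, b"\0" * 0x200)])
UNPACKED = build_pe([(b".text", 0x2000, PLAIN_CODE), (b".data", 0x1000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, img in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("unpacked", UNPACKED)):
        print(label, upx_verdict(img))
```

The layout check is what catches the "modified UPX" half of the signature, since a renamed build defeats the name test alone; it also fits other packers with the same shape, so confirm with `upx -t`/`upx -d`, which succeed on stock builds and fail on modified ones.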

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    "C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
      Suspicious use of WriteProcessMemory
      PID:896
      • C:\Windows\SysWOW64\wscript.exe
        WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
        Drops startup file
        PID:332
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\iEtHqNVRGt\cfgi"
      Suspicious use of AdjustPrivilegeToken
      PID:1912

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • C:\ProgramData\iEtHqNVRGt\cfgi

    MD5
    34bb94db8839a2aaeac48594a3f0ebe8

    SHA1
    ba81d8aa9c4309a35c8e1f0a58791c3d39bf5edd

    SHA256
    c09aec150148504183dac3ea39b5d3f04bb1779f27da8cca219e1990071cbede

    SHA512
    86ebc7ead25933cac0c0668fb5a4d2dea38dabee20f0771a30ffa79d0a852bae19f659ae4b29fce72d4cfd4e26264874fb4566211b03e9dc554e53425b26a592

  • C:\ProgramData\iEtHqNVRGt\r.vbs

    MD5
    b23a1fc8e307280ef31a642edfce3a21

    SHA1
    383a780d371e77d5235420d88e951784397fe92d

    SHA256
    73d8861c33c983a15faa95dddb4cdbc2b4937884e806a7d84bf8442bc7861067

    SHA512
    04c753ef23e9d8f02f3e022e61efa68ee0c284f4395d4dbbf561a643ff998b377e767e19411b53b382bb4fb8b17fdeb7214bbe3cac14ab40f5aefb396413a0f8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url

    MD5
    0635cf33c47c96c413afe48d40842b84

    SHA1
    f3c064987470725dea67c15807dbb7efb52fc72b

    SHA256
    0c7b61e072a3b51c27d9b1beb7751a49fc830973f7f4069c2651af5f049b8dc3

    SHA512
    bfb65c35d2431eeca8c8635646517e94692d770edc8884d1c297a2b1688946288589196fb3fa409e81a351c894e30693e7d4cfffdfe4fbc85267ac8164483bae

  • memory/332-56-0x0000000000000000-mapping.dmp
  • memory/896-55-0x0000000000000000-mapping.dmp
  • memory/1096-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
  • memory/1912-62-0x0000000000400000-0x0000000000626000-memory.dmp
  • memory/1912-63-0x0000000000400000-0x0000000000626000-memory.dmp
  • memory/1912-65-0x0000000000624080-mapping.dmp
  • memory/1912-66-0x0000000000400000-0x0000000000626000-memory.dmp
  • memory/1912-67-0x0000000000400000-0x0000000000626000-memory.dmp
  • memory/1912-68-0x0000000000400000-0x0000000000626000-memory.dmp
  • memory/1912-60-0x0000000000400000-0x0000000000626000-memory.dmp
  • memory/1912-70-0x000000000058C000-0x0000000000625000-memory.dmp
  • memory/1912-71-0x0000000000401000-0x000000000058C000-memory.dmp
  • memory/1912-72-0x0000000000180000-0x0000000000190000-memory.dmp
  • memory/1912-73-0x0000000000220000-0x0000000000224000-memory.dmp
  • memory/1912-74-0x0000000000000000-0x0000000000200000-memory.dmp