General
Target: ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
Filesize: 1MB
Completed: 21-05-2022 00:53
Task: behavioral1
Score: 10/10
MD5: ce854dd32e1d931cd6a791b30dcd9458
SHA1: 0b247814ee8be3926e0dd64e749d7a4f174f96b7
SHA256: ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a
SHA512: 12cc6264daa1deaf81d59153f8cb9f9ed5b67dd45d6c954706c4a9052807384395ceb008b082e9bf903493dc9e52769fcf91a8295be9beae95655691a72c7e42

Signatures 8

  • xmrig
    Description: XMRig is a high performance, open source, cross platform CPU/GPU miner.
  • XMRig Miner Payload
    Reported IOCs (resource | yara_rule):
    behavioral1/memory/1912-65-0x0000000000624080-mapping.dmp | xmrig
    behavioral1/memory/1912-68-0x0000000000400000-0x0000000000626000-memory.dmp | xmrig
    behavioral1/memory/1912-70-0x000000000058C000-0x0000000000625000-memory.dmp | xmrig
    behavioral1/memory/1912-74-0x0000000000000000-0x0000000000200000-memory.dmp | xmrig
  • UPX packed file
    Description: Detects executables packed with UPX/modified UPX open source packer.
    Reported IOCs (resource | yara_rule):
    behavioral1/memory/1912-60-0x0000000000400000-0x0000000000626000-memory.dmp | upx
    behavioral1/memory/1912-62-0x0000000000400000-0x0000000000626000-memory.dmp | upx
    behavioral1/memory/1912-63-0x0000000000400000-0x0000000000626000-memory.dmp | upx
    behavioral1/memory/1912-66-0x0000000000400000-0x0000000000626000-memory.dmp | upx
    behavioral1/memory/1912-67-0x0000000000400000-0x0000000000626000-memory.dmp | upx
    behavioral1/memory/1912-68-0x0000000000400000-0x0000000000626000-memory.dmp | upx
  • Drops startup file
    wscript.exe
    Reported IOCs (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url | wscript.exe
  • Suspicious use of SetThreadContext
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    Reported IOCs (description | pid | process | target process):
    PID 1096 set thread context of 1912 | 1096 | ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe | notepad.exe
  • Suspicious behavior: EnumeratesProcesses
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    Reported IOCs (pid | process):
    1096 | ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe (11 identical entries)
  • Suspicious use of AdjustPrivilegeToken
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe, notepad.exe
    Reported IOCs (description | pid | process):
    Token: SeDebugPrivilege | 1096 | ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    Token: SeLockMemoryPrivilege | 1912 | notepad.exe (2 identical entries)
  • Suspicious use of WriteProcessMemory
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe, cmd.exe
    Reported IOCs (description | pid | process | target process):
    PID 1096 wrote to memory of 896 | 1096 | ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe | cmd.exe (4 identical entries)
    PID 896 wrote to memory of 332 | 896 | cmd.exe | wscript.exe (4 identical entries)
    PID 1096 wrote to memory of 1912 | 1096 | ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe | notepad.exe (10 identical entries)
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    "C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
      Suspicious use of WriteProcessMemory
      PID:896
      • C:\Windows\SysWOW64\wscript.exe
        WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
        Drops startup file
        PID:332
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\iEtHqNVRGt\cfgi"
      Suspicious use of AdjustPrivilegeToken
      PID:1912
Downloads
  • C:\ProgramData\iEtHqNVRGt\cfgi
    MD5: 34bb94db8839a2aaeac48594a3f0ebe8
    SHA1: ba81d8aa9c4309a35c8e1f0a58791c3d39bf5edd
    SHA256: c09aec150148504183dac3ea39b5d3f04bb1779f27da8cca219e1990071cbede
    SHA512: 86ebc7ead25933cac0c0668fb5a4d2dea38dabee20f0771a30ffa79d0a852bae19f659ae4b29fce72d4cfd4e26264874fb4566211b03e9dc554e53425b26a592
  • C:\ProgramData\iEtHqNVRGt\r.vbs
    MD5: b23a1fc8e307280ef31a642edfce3a21
    SHA1: 383a780d371e77d5235420d88e951784397fe92d
    SHA256: 73d8861c33c983a15faa95dddb4cdbc2b4937884e806a7d84bf8442bc7861067
    SHA512: 04c753ef23e9d8f02f3e022e61efa68ee0c284f4395d4dbbf561a643ff998b377e767e19411b53b382bb4fb8b17fdeb7214bbe3cac14ab40f5aefb396413a0f8
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url
    MD5: 0635cf33c47c96c413afe48d40842b84
    SHA1: f3c064987470725dea67c15807dbb7efb52fc72b
    SHA256: 0c7b61e072a3b51c27d9b1beb7751a49fc830973f7f4069c2651af5f049b8dc3
    SHA512: bfb65c35d2431eeca8c8635646517e94692d770edc8884d1c297a2b1688946288589196fb3fa409e81a351c894e30693e7d4cfffdfe4fbc85267ac8164483bae