Overview

overview

10

Static

static

ac4daabcc33e6d...9a.exe

windows7_x64

10

ac4daabcc33e6d...9a.exe

windows10-2004_x64

10
General
Target

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

Filesize

1MB

Completed

21-05-2022 00:52

Task

behavioral2

Score
10/10
MD5

ce854dd32e1d931cd6a791b30dcd9458

SHA1

0b247814ee8be3926e0dd64e749d7a4f174f96b7

SHA256

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a

SHA256

12cc6264daa1deaf81d59153f8cb9f9ed5b67dd45d6c954706c4a9052807384395ceb008b082e9bf903493dc9e52769fcf91a8295be9beae95655691a72c7e42

Malware Config
Signatures 8

Filter: none

  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    Tags

  • XMRig Miner Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/3960-135-0x0000000000624080-mapping.dmpxmrig
    behavioral2/memory/3960-138-0x0000000000400000-0x0000000000626000-memory.dmpxmrig
    behavioral2/memory/3960-141-0x000000000058C000-0x0000000000625000-memory.dmpxmrig
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral2/memory/3960-130-0x0000000000400000-0x0000000000626000-memory.dmpupx
    behavioral2/memory/3960-132-0x0000000000400000-0x0000000000626000-memory.dmpupx
    behavioral2/memory/3960-133-0x0000000000400000-0x0000000000626000-memory.dmpupx
    behavioral2/memory/3960-136-0x0000000000400000-0x0000000000626000-memory.dmpupx
    behavioral2/memory/3960-137-0x0000000000400000-0x0000000000626000-memory.dmpupx
    behavioral2/memory/3960-138-0x0000000000400000-0x0000000000626000-memory.dmpupx
  • Drops startup file
    wscript.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.urlwscript.exe
  • Suspicious use of SetThreadContext
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3184 set thread context of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
  • Suspicious behavior: EnumeratesProcesses
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

    Reported IOCs

    pidprocess
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
  • Suspicious use of AdjustPrivilegeToken
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege3184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    Token: SeLockMemoryPrivilege3960notepad.exe
    Token: SeLockMemoryPrivilege3960notepad.exe
  • Suspicious use of WriteProcessMemory
    ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 39603184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe
    PID 3184 wrote to memory of 28523184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.execmd.exe
    PID 3184 wrote to memory of 28523184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.execmd.exe
    PID 3184 wrote to memory of 28523184ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.execmd.exe
    PID 2852 wrote to memory of 3642852cmd.exewscript.exe
    PID 2852 wrote to memory of 3642852cmd.exewscript.exe
    PID 2852 wrote to memory of 3642852cmd.exewscript.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
    "C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\iEtHqNVRGt\cfgi"
      Suspicious use of AdjustPrivilegeToken
      PID:3960
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
      Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\wscript.exe
        WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
        Drops startup file
        PID:364
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • C:\ProgramData\iEtHqNVRGt\cfgi

                            MD5

                            34bb94db8839a2aaeac48594a3f0ebe8

                            SHA1

                            ba81d8aa9c4309a35c8e1f0a58791c3d39bf5edd

                            SHA256

                            c09aec150148504183dac3ea39b5d3f04bb1779f27da8cca219e1990071cbede

                            SHA512

                            86ebc7ead25933cac0c0668fb5a4d2dea38dabee20f0771a30ffa79d0a852bae19f659ae4b29fce72d4cfd4e26264874fb4566211b03e9dc554e53425b26a592

                            Download Submit

                          • C:\ProgramData\iEtHqNVRGt\r.vbs

                            MD5

                            b23a1fc8e307280ef31a642edfce3a21

                            SHA1

                            383a780d371e77d5235420d88e951784397fe92d

                            SHA256

                            73d8861c33c983a15faa95dddb4cdbc2b4937884e806a7d84bf8442bc7861067

                            SHA512

                            04c753ef23e9d8f02f3e022e61efa68ee0c284f4395d4dbbf561a643ff998b377e767e19411b53b382bb4fb8b17fdeb7214bbe3cac14ab40f5aefb396413a0f8

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url

                            MD5

                            0635cf33c47c96c413afe48d40842b84

                            SHA1

                            f3c064987470725dea67c15807dbb7efb52fc72b

                            SHA256

                            0c7b61e072a3b51c27d9b1beb7751a49fc830973f7f4069c2651af5f049b8dc3

                            SHA512

                            bfb65c35d2431eeca8c8635646517e94692d770edc8884d1c297a2b1688946288589196fb3fa409e81a351c894e30693e7d4cfffdfe4fbc85267ac8164483bae

                            Download Submit

                          • memory/364-145-0x0000000000000000-mapping.dmp

                            Download

                          • memory/2852-144-0x0000000000000000-mapping.dmp

                            Download

                          • memory/3960-140-0x000001E0B58D0000-0x000001E0B58E0000-memory.dmp

                            Download

                          • memory/3960-138-0x0000000000400000-0x0000000000626000-memory.dmp

                            Download

                          • memory/3960-137-0x0000000000400000-0x0000000000626000-memory.dmp

                            Download

                          • memory/3960-135-0x0000000000624080-mapping.dmp

                            Download

                          • memory/3960-142-0x0000000000401000-0x000000000058C000-memory.dmp

                            Download

                          • memory/3960-141-0x000000000058C000-0x0000000000625000-memory.dmp

                            Download

                          • memory/3960-143-0x000001E0B58E0000-0x000001E0B58E4000-memory.dmp

                            Download

                          • memory/3960-136-0x0000000000400000-0x0000000000626000-memory.dmp

                            Download

                          • memory/3960-133-0x0000000000400000-0x0000000000626000-memory.dmp

                            Download

                          • memory/3960-132-0x0000000000400000-0x0000000000626000-memory.dmp

                            Download

                          • memory/3960-130-0x0000000000400000-0x0000000000626000-memory.dmp

                            Download