Analysis

  • max time kernel
    151s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2022 23:49

General

  • Target

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b.exe

  • Size

    2.1MB

  • MD5

    e4ea85000f7e19cd745aaebca5309b58

  • SHA1

    562370dcc59955b44bbf5509c7467c70e8256d11

  • SHA256

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b

  • SHA512

    4126a75fb73aafe6cc4d09bcbe601c9238ee6ecd044f342c65e659c7b5abb8a28e9f69d891975d68175edc0777c2c39ce11e7ae354257a58e3d25b2f3e23ae47

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  • XMRig Miner payload (7 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Checks BIOS information in registry (2 TTPs, 8 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 4 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)

    NtSetInformationThread with the ThreadHideFromDebugger information class detaches the calling thread from any attached debugger; it is a common anti-debugging technique.

  • Suspicious use of SetThreadContext (1 IoC)

    SetThreadContext on a thread of another process, paired with WriteProcessMemory, is the pattern used for process hollowing and thread hijacking.

  • Creates scheduled task(s) (1 TTP, 3 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (3 IoCs)
  • Suspicious use of WriteProcessMemory (37 IoCs)

Processes

The submitted sample (PID 956) registers a scheduled task pointing at C:\ProgramData\MicrosoftCare.exe; the child processes resolve to SysWOW64 because the sample is a 32-bit process running under WOW64 file-system redirection. The Task Scheduler engine (taskeng.exe, PID 1492) then launches MicrosoftCare.exe three times within the 151 s run (PIDs 700, 776 and 1472), consistent with the task's one-minute repeat interval; each launched copy re-registers the same task.

  • C:\Users\Admin\AppData\Local\Temp\537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b.exe
    "C:\Users\Admin\AppData\Local\Temp\537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\SystemCare\Microsoft /tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:1476
    • C:\Windows\SysWOW64\tasklist.exe
      "C:\Windows\System32\tasklist.exe"
      2⤵
      • Enumerates processes with tasklist
      PID:1316
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {07F8D384-AC7C-4A3C-869D-9515A4304E10} S-1-5-21-3440072777-2118400376-1759599358-1000:NKWDSIWE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\ProgramData\MicrosoftCare.exe
      C:\ProgramData\MicrosoftCare.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \Windows\SystemCare\Microsoft /tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
        3⤵
        • Creates scheduled task(s)
        PID:1864
    • C:\ProgramData\MicrosoftCare.exe
      C:\ProgramData\MicrosoftCare.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn \Windows\SystemCare\Microsoft /tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
        3⤵
        • Creates scheduled task(s)
        PID:1012
    • C:\ProgramData\MicrosoftCare.exe
      C:\ProgramData\MicrosoftCare.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1472

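The three schtasks invocations above (PIDs 1476, 1864 and 1012) are the persistence mechanism, and the file they point at carries the same hashes as the submitted sample. The following Python is an added triage example, not code from the sandbox report or from the sample itself: it parses the command line exactly as the report records it, works out the real execution cadence that the /sc, /st, /du and /ri switches combine into, and returns the indicators an analyst would write into a ticket. The command line and hashes are copied from this report; the function names (parse_schtasks, effective_cadence, triage) are this example's own.

```python
"""Triage of the schtasks persistence in this report (added example; not code
from the sandbox or from the sample).  Constants are copied from the report;
the function names are this example's own.
"""
import re
from typing import Dict, List, Union

Value = Union[str, bool]

# Command line recorded for PIDs 1476, 1864 and 1012 (copied from the report).
SCHTASKS_CMDLINE = (
    r"schtasks /create /tn \Windows\SystemCare\Microsoft "
    r'/tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f'
)
# SHA-256 of the submitted sample and of the dropped file (both from the report).
SAMPLE_SHA256 = "537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b"
DROPPED_FILE = {
    "path": r"C:\ProgramData\MicrosoftCare.exe",
    "sha256": "537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b",
}


def parse_schtasks(cmdline: str) -> Dict[str, Value]:
    """Split a `schtasks /create ...` line into {switch: value}.

    Windows-style tokenising: a double-quoted run is one token, everything
    else splits on whitespace.  A switch followed directly by another switch
    (or by nothing), e.g. /f, maps to True.
    """
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    if not toks or toks[0].lower() != "schtasks":
        raise ValueError("not a schtasks command line")
    args: Dict[str, Value] = {}
    i = 1
    while i < len(toks):
        if not toks[i].startswith("/"):
            raise ValueError(f"unexpected token {toks[i]!r}")
        key = toks[i][1:].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if nxt is None or nxt.startswith("/"):
            args[key] = True
            i += 1
        else:
            args[key] = nxt.strip('"')
            i += 2
    return args


def effective_cadence(args: Dict[str, Value]) -> Dict[str, object]:
    """Work out how often the action really runs.

    /sc daily /st HH:MM fires once a day; /ri (repeat interval, minutes) then
    re-runs the action every /ri minutes for /du (HHHH:MM).  Once /du reaches
    24 h the repetition never ends before the next daily trigger, so the task
    is effectively a continuous "every /ri minutes" loop.  9999:59 is the
    largest value the /du switch accepts.
    """
    interval = int(args["ri"]) if "ri" in args else None
    duration = 0
    if "du" in args:
        hours, minutes = (int(x) for x in str(args["du"]).split(":"))
        duration = hours * 60 + minutes
    daily = str(args.get("sc", "")).lower() == "daily"
    continuous = interval is not None and daily and duration >= 24 * 60
    if continuous:
        launches_per_day = 24 * 60 // interval
    elif interval:
        launches_per_day = duration // interval + 1
    else:
        launches_per_day = 1
    return {"interval_min": interval, "duration_min": duration,
            "continuous": continuous, "launches_per_day": launches_per_day}


def triage(cmdline: str, sample_sha256: str, dropped: Dict[str, str]) -> Dict[str, object]:
    """Return parsed switches, cadence, run-as context and the findings worth writing up."""
    args = parse_schtasks(cmdline)
    cadence = effective_cadence(args)
    findings: List[str] = []
    target = str(args.get("tr", "")).lower()
    if "\\programdata\\" in target or "\\appdata\\" in target:
        findings.append("action binary sits in a user-writable directory")
    if any(w in str(args.get("tn", "")).lower() for w in ("microsoft", "windows")):
        findings.append("task name impersonates a Microsoft/Windows component")
    if cadence["continuous"] and cadence["interval_min"] <= 5:
        findings.append(f"relaunched every {cadence['interval_min']} min around the clock (watchdog)")
    if args.get("f") is True:
        findings.append("/f overwrites any existing task of the same name without prompting")
    if dropped["sha256"].lower() == sample_sha256.lower():
        findings.append(f"{dropped['path']} is a byte-identical copy of the sample (self-copy)")
    # No /ru means the task runs as the user who created it, which matches the
    # Interactive session taskeng.exe shows in the report.
    return {"args": args, "cadence": cadence,
            "runs_as": args.get("ru", "<creating user>"), "findings": findings}


if __name__ == "__main__":
    report = triage(SCHTASKS_CMDLINE, SAMPLE_SHA256, DROPPED_FILE)
    print("task:", report["args"]["tn"], "->", report["args"]["tr"])
    print("cadence:", report["cadence"], "runs as:", report["runs_as"])
    for finding in report["findings"]:
        print(" -", finding)
```

For this report the cadence comes out as one launch per minute, 1440 per day, with the repetition window (9999 h 59 min) far exceeding the daily trigger period, so the task acts as a watchdog that restarts the miner whenever it exits; the same helper returns no findings for an ordinary weekly backup task, which is the contrast a detection rule built on these switches should preserve.
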
Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Signatures  ID
  Execution             Scheduled Task                   1           T1053
  Persistence           Scheduled Task                   1           T1053
  Privilege Escalation  Scheduled Task                   1           T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2           T1497
  Discovery             Query Registry                   3           T1012
  Discovery             Virtualization/Sandbox Evasion   2           T1497
  Discovery             System Information Discovery     1           T1082
  Discovery             Process Discovery                1           T1057

Downloads

  • C:\ProgramData\MicrosoftCare.exe (the report records this file three times with identical hashes; they match the submitted sample exactly, so the binary copies itself to C:\ProgramData rather than writing a separate second stage to disk)
    Filesize

    2.1MB

    MD5

    e4ea85000f7e19cd745aaebca5309b58

    SHA1

    562370dcc59955b44bbf5509c7467c70e8256d11

    SHA256

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b

    SHA512

    4126a75fb73aafe6cc4d09bcbe601c9238ee6ecd044f342c65e659c7b5abb8a28e9f69d891975d68175edc0777c2c39ce11e7ae354257a58e3d25b2f3e23ae47

  • memory/700-67-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

  • memory/700-64-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/700-60-0x0000000000000000-mapping.dmp
  • memory/700-66-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/700-62-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/776-68-0x0000000000000000-mapping.dmp
  • memory/776-70-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/776-74-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

  • memory/776-73-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/776-72-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

  • memory/956-55-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

  • memory/956-54-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/956-65-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/1012-71-0x0000000000000000-mapping.dmp
  • memory/1316-57-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

  • memory/1316-58-0x000000000044D0EC-mapping.dmp
  • memory/1472-75-0x0000000000000000-mapping.dmp
  • memory/1472-77-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/1472-78-0x0000000000180000-0x00000000006CF000-memory.dmp
    Filesize

    5.3MB

  • memory/1472-79-0x00000000777F0000-0x0000000077970000-memory.dmp
    Filesize

    1.5MB

  • memory/1476-56-0x0000000000000000-mapping.dmp
  • memory/1864-63-0x0000000000000000-mapping.dmp