Overview

overview

10

Static

static

537534bb72...8b.exe

windows7-x64

10

537534bb72...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220715-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220715-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2022 23:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b.exe

  • Size

    2.1MB

  • MD5

    e4ea85000f7e19cd745aaebca5309b58

  • SHA1

    562370dcc59955b44bbf5509c7467c70e8256d11

  • SHA256

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b

  • SHA512

    4126a75fb73aafe6cc4d09bcbe601c9238ee6ecd044f342c65e659c7b5abb8a28e9f69d891975d68175edc0777c2c39ce11e7ae354257a58e3d25b2f3e23ae47

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • XMRig Miner payload 12 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b.exe
    "C:\Users\Admin\AppData\Local\Temp\537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\SystemCare\Microsoft /tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:64
    • C:\Windows\SysWOW64\tasklist.exe
      "C:\Windows\System32\tasklist.exe"
      2⤵
      • Enumerates processes with tasklist
      PID:4312
  • C:\ProgramData\MicrosoftCare.exe
    C:\ProgramData\MicrosoftCare.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\SystemCare\Microsoft /tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:680
  • C:\ProgramData\MicrosoftCare.exe
    C:\ProgramData\MicrosoftCare.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Windows\SystemCare\Microsoft /tr "C:\ProgramData\MicrosoftCare.exe" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:1424
  • C:\ProgramData\MicrosoftCare.exe
    C:\ProgramData\MicrosoftCare.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Identifies Wine through registry keys
    PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

1
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MicrosoftCare.exe
    Filesize

    2.1MB

    MD5

    e4ea85000f7e19cd745aaebca5309b58

    SHA1

    562370dcc59955b44bbf5509c7467c70e8256d11

    SHA256

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b

    SHA512

    4126a75fb73aafe6cc4d09bcbe601c9238ee6ecd044f342c65e659c7b5abb8a28e9f69d891975d68175edc0777c2c39ce11e7ae354257a58e3d25b2f3e23ae47

    Download Submit
  • C:\ProgramData\MicrosoftCare.exe
    Filesize

    2.1MB

    MD5

    e4ea85000f7e19cd745aaebca5309b58

    SHA1

    562370dcc59955b44bbf5509c7467c70e8256d11

    SHA256

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b

    SHA512

    4126a75fb73aafe6cc4d09bcbe601c9238ee6ecd044f342c65e659c7b5abb8a28e9f69d891975d68175edc0777c2c39ce11e7ae354257a58e3d25b2f3e23ae47

    Download Submit
  • C:\ProgramData\MicrosoftCare.exe
    Filesize

    2.1MB

    MD5

    e4ea85000f7e19cd745aaebca5309b58

    SHA1

    562370dcc59955b44bbf5509c7467c70e8256d11

    SHA256

    537534bb72f2f3945b9d4fcbfc30425eb4f9faeaac120fc560a130a11121e68b

    SHA512

    4126a75fb73aafe6cc4d09bcbe601c9238ee6ecd044f342c65e659c7b5abb8a28e9f69d891975d68175edc0777c2c39ce11e7ae354257a58e3d25b2f3e23ae47

    Download Submit
  • memory/64-131-0x0000000000000000-mapping.dmp
    Download
  • memory/624-149-0x0000000077650000-0x00000000777F3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/624-145-0x0000000077650000-0x00000000777F3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/624-148-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/624-147-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/624-144-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/680-146-0x0000000000000000-mapping.dmp
    Download
  • memory/1348-156-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1424-151-0x0000000000000000-mapping.dmp
    Download
  • memory/1684-153-0x0000000077650000-0x00000000777F3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1684-152-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1684-154-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2392-142-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2392-130-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2392-141-0x0000000077650000-0x00000000777F3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2392-138-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2392-133-0x0000000000AA0000-0x0000000000FEF000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2392-132-0x0000000077650000-0x00000000777F3000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4312-140-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/4312-139-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/4312-137-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/4312-136-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/4312-135-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/4312-134-0x0000000000000000-mapping.dmp
    Download