Overview

overview

10

Static

static

eb1e5037bd...75.exe

windows7-x64

10

eb1e5037bd...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe

  • Size

    1.8MB

  • MD5

    f92e1254e1a933a527e26140232721d6

  • SHA1

    7b437180af319d4db464f7eaaed54e6bb9ce2526

  • SHA256

    eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675

  • SHA512

    ed67f804a13c86a648ad4be6cbe63402037d71598c259d3f02ddcede84fa5393e2ce5f7fb1cc58db7d9cce721c500d9b606f50a0e7deb926fc271e434ba8e6f5

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 3 IoCs
    miner
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
    "C:\Users\Admin\AppData\Local\Temp\eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\nEzJvZquBf\r.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\wscript.exe
        WScript "C:\ProgramData\nEzJvZquBf\r.vbs"
        3⤵
        • Drops startup file
        PID:2924
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\nEzJvZquBf\cfgi"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\nEzJvZquBf\cfgi
    Filesize

    800B

    MD5

    b30a8c50fd41a1fba0e147a132345bd1

    SHA1

    009984071571a35bf8fde8930bd34a175ecac4a8

    SHA256

    11e4116727dc29bd8e4ece5b293a94e571d34e149b60549f3434bc8f4e31cd60

    SHA512

    df93a37a1486bd69069dddab1c914e072b3bee29b42ce864241bd72ce06c4f0bd2205441607ff26496374d368bd72d9e1d2ee9399bec08e700537b5988579405

    Download Submit
  • C:\ProgramData\nEzJvZquBf\r.vbs
    Filesize

    660B

    MD5

    d409859af56603061a0b72e8f6535b79

    SHA1

    3d705a45d05e537f589c863440dbe60b1e5063b3

    SHA256

    29999515e6085335d6cfbec789387c36559c16a8675e5f1882fb28618ed6d794

    SHA512

    6754721373e400dcb3b3ce75fe7b6d67a4a077f6416efcf9c358b56f5eb9c2d40a0b59b1d8e4c173bff5a5ec9924a84c2fd3629fdbb6bca437f2763cea74b752

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WTeEqNLdqe.url
    Filesize

    73B

    MD5

    2d8b5417b1f66ae3a1f63884d9c487ff

    SHA1

    81e8455bb9150180f9846f3c445e695d06bd7463

    SHA256

    7cc41e8d2a8ff132f72cbfd0cc8a5bc904fe9ec217f95e61d31d63ce342abf20

    SHA512

    2adc356d1bf6050786276b3032f7ba1bc64150f36f6ae7fa6913a1f11322840d57dd649ec315d02238049c86d31d0e6b523fe07678b86743522cd2b6c08bab46

    Download Submit
  • memory/1164-133-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-142-0x0000000000624080-mapping.dmp
    Download
  • memory/1968-145-0x0000000000400000-0x0000000000626000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1968-153-0x00000155D9920000-0x00000155D9924000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1968-137-0x0000000000400000-0x0000000000626000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1968-139-0x0000000000400000-0x0000000000626000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1968-140-0x0000000000400000-0x0000000000626000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1968-152-0x000000000058C000-0x0000000000625000-memory.dmp
    Filesize

    612KB

    Download
  • memory/1968-143-0x0000000000400000-0x0000000000626000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1968-144-0x0000000000400000-0x0000000000626000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1968-151-0x00000155D9B40000-0x00000155D9B44000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1968-150-0x00000155D9920000-0x00000155D9924000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1968-147-0x000000000058C000-0x0000000000625000-memory.dmp
    Filesize

    612KB

    Download
  • memory/1968-148-0x0000000000401000-0x000000000058C000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1968-149-0x00000155D9700000-0x00000155D9710000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2924-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4468-131-0x0000000000400000-0x000000000065F000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/4468-130-0x00000000025B8000-0x00000000026FD000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4468-132-0x00000000025B8000-0x00000000026FD000-memory.dmp
    Filesize

    1.3MB

    Download