Overview

overview

10

Static

static

5ebf110528...17.exe

windows7-x64

10

5ebf110528...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe

  • Size

    904KB

  • MD5

    903bd7b89548605115d214e7ee2f877f

  • SHA1

    831c4b9ebb534983d1fc94fd740f053c69f0d29d

  • SHA256

    5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717

  • SHA512

    55fc3a8081d972cc46aecaeb5e615bb219e327feee9b934cbbc1a9e5dbb1c074a48f1368e9971531652c559950e774e39b037a75bde971c90d8f269c41e2ccbc

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 3 IoCs
    miner
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
    "C:\Users\Admin\AppData\Local\Temp\5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\wscript.exe
        WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
        3⤵
          PID:2708
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Windows\SysWOW64\wscript.exe
          WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
          3⤵
          • Drops startup file
          PID:4396

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\GCxcrhlcfj\cfgi
      Filesize

      796B

      MD5

      48456195558c0a03ebe7644d4629cbc9

      SHA1

      15c1c4cb1cd3526cb51f5bfd7caffd8d0cac95f1

      SHA256

      8bba157b1b92005777fcf32ea0b2ef98dca7fe7b9370ef10162829a93c3b9fa9

      SHA512

      afd6d157aa219a7eb24e6df86ff411cf734f6eb81701b293b8ed6cd683414bc8ff1257f3d3c6d4f976f1450b1839c7d278b728fc3c9b1f28e8643cb835b65c81

      Download Submit

    • C:\ProgramData\GCxcrhlcfj\r.vbs
      Filesize

      662B

      MD5

      7cc317139a7d477bc8c5faf0fafed491

      SHA1

      3966c44cf9988e6cc6af135eac5b7ab93d2c4058

      SHA256

      c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

      SHA512

      5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url
      Filesize

      74B

      MD5

      059ec62ae3c51a6ff8d0f02363e108e9

      SHA1

      24742ba20d3323718b0ee51c9efe166825b314a5

      SHA256

      117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

      SHA512

      62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

      Download Submit

    • memory/1220-134-0x0000000000000000-mapping.dmp

      Download

    • memory/1240-130-0x0000000000A10000-0x0000000000AD5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/1240-131-0x0000000000A10000-0x0000000000AD5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/1240-132-0x0000000000400000-0x00000000004E8000-memory.dmp

      Filesize

      928KB

      Download

    • memory/1240-133-0x0000000000A10000-0x0000000000AD5000-memory.dmp

      Filesize

      788KB

      Download

    • memory/2180-142-0x0000000000400000-0x0000000000504000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2180-141-0x0000000000400000-0x0000000000504000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2180-140-0x0000000000502B90-mapping.dmp

      Download

    • memory/2180-138-0x0000000000400000-0x0000000000504000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2180-143-0x0000000000400000-0x0000000000504000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2180-146-0x00000000004AD000-0x0000000000503000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2180-147-0x0000000000401000-0x00000000004AD000-memory.dmp

      Filesize

      688KB

      Download

    • memory/2180-137-0x0000000000400000-0x0000000000504000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2180-151-0x00000000004AD000-0x0000000000503000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2180-135-0x0000000000400000-0x0000000000504000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2708-144-0x0000000000000000-mapping.dmp

      Download

    • memory/3104-148-0x0000000000000000-mapping.dmp

      Download

    • memory/4396-149-0x0000000000000000-mapping.dmp

      Download