Analysis Overview
SHA256
9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439
Threat Level: Known bad
The file 9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439 was found to be: Known bad.
Malicious Activity Summary
RedLine
Eternity
xmrig
XMRig Miner payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-04 08:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-04 08:31
Reported
2022-09-04 08:34
Platform
win10v2004-20220812-en
Max time kernel
170s
Max time network
171s
Command Line
Signatures
Eternity
RedLine
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Miner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\installs49.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Miner.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\installs49.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\installs49.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\installs49.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe
"C:\Users\Admin\AppData\Local\Temp\9508f7888f8d8f0297c20762f4a372e704649a903b961dfe9ac4a5dc12bb5439.exe"
C:\Users\Admin\AppData\Local\Temp\Miner.exe
"C:\Users\Admin\AppData\Local\Temp\Miner.exe"
C:\Users\Admin\AppData\Local\Temp\installs49.exe
"C:\Users\Admin\AppData\Local\Temp\installs49.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2108 -ip 2108
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Miner.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1408
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Miner" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe"
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe
"C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe" -a cryptonight -o pool.supportxmr.com:3333 -u 45coZygmFLnRF5NY7Uz51tadci9wak52fbbhfgKR5q5BTB9QbKMiCnXiPiiwCwyUTQeF4nZD5mdAugj8yB5hTLA9ViAFFR8.Admin_TMKNGOMU -p --max-cpu-usage=40 --donate-level=1
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| LV | 94.140.112.157:29329 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 8.8.8.8:53 | rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet | udp |
| US | 198.251.83.154:80 | rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.supportxmr.com | udp |
| FR | 141.94.96.195:3333 | pool.supportxmr.com | tcp |
| FR | 2.18.110.76:443 | | tcp |
Files
memory/2108-132-0x0000000002ECC000-0x0000000002F00000-memory.dmp
memory/2108-133-0x0000000002D00000-0x0000000002D42000-memory.dmp
memory/2108-134-0x0000000000400000-0x0000000002BB6000-memory.dmp
memory/2108-135-0x0000000007450000-0x00000000079F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |
memory/3876-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |
memory/3876-139-0x0000000000D60000-0x0000000000D6A000-memory.dmp
memory/3876-140-0x00000000055A0000-0x0000000005606000-memory.dmp
memory/748-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\installs49.exe
| MD5 | 24f5400ea175ed8a981c5f4184587ac4 |
| SHA1 | 24b9e12675b4e5f389eb01d6c423e123909d02d9 |
| SHA256 | 3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4 |
| SHA512 | 4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669 |
C:\Users\Admin\AppData\Local\Temp\installs49.exe
| MD5 | 24f5400ea175ed8a981c5f4184587ac4 |
| SHA1 | 24b9e12675b4e5f389eb01d6c423e123909d02d9 |
| SHA256 | 3be6f25cd0a2f0c367e34e6b2d300671626dcb7ce46aeb83f3396433d8da9bc4 |
| SHA512 | 4d685f9f062359b6aae187cb88c98d55c059a316bccf6fc07aed3cbb172ee55edf84aa2fd53f67d9a5301195dddf7dc68e7e10ea2ffdf7d8a13750440f0a9669 |
memory/748-144-0x0000000000DF0000-0x0000000000E0C000-memory.dmp
memory/2612-145-0x0000000000000000-mapping.dmp
memory/116-146-0x0000000000000000-mapping.dmp
memory/1132-147-0x0000000000000000-mapping.dmp
memory/748-148-0x00000000067B0000-0x0000000006DC8000-memory.dmp
memory/748-149-0x0000000005690000-0x00000000056A2000-memory.dmp
memory/748-150-0x00000000057C0000-0x00000000058CA000-memory.dmp
memory/748-151-0x00000000056F0000-0x000000000572C000-memory.dmp
memory/2108-152-0x0000000002ECC000-0x0000000002F00000-memory.dmp
memory/2108-153-0x0000000000400000-0x0000000002BB6000-memory.dmp
memory/748-154-0x0000000006530000-0x00000000065C2000-memory.dmp
memory/748-155-0x0000000007A80000-0x0000000007AD0000-memory.dmp
memory/3636-157-0x0000000000000000-mapping.dmp
memory/748-156-0x0000000007AD0000-0x0000000007B46000-memory.dmp
memory/4524-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Miner.exe.log
| MD5 | 81ab0e59097e03cb04c32378024d6628 |
| SHA1 | cc2a7a335f905e787906b6a0820acfbd4c5d0ed2 |
| SHA256 | 704dd8b8fb6dfccf43fd0712e36950102151fe7232d6602c53a42af967969533 |
| SHA512 | 3dd1374962c4d913ad6ec4207889abcca3e28946fa8937626bd2d13025a538e676bfc2efe76d27031d3f741bb3934104c0cf4e10da62758839add1fe543dfacb |
memory/748-162-0x0000000006770000-0x000000000678E000-memory.dmp
memory/748-163-0x0000000007280000-0x0000000007442000-memory.dmp
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |
memory/748-165-0x00000000090F0000-0x000000000961C000-memory.dmp
memory/4072-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe
| MD5 | 84cbc72865b542c646bd89bb9430e7d1 |
| SHA1 | c8320b1e24f22b36c1a283506dacdcbcf5598a4f |
| SHA256 | 323a18d661fab8c743bb0584b4182902f49640a9ead4b9cedfb548889c25a9d4 |
| SHA512 | 235afdba7fcf029920a20ac3d99ce0dacd87554d27a0e473ff5636c74f7f747ed9d242637d10963bac7461f789266191b37beaec0b9acdd2dc38b0f196ae65a8 |
C:\Users\Admin\AppData\Local\Temp\Admin_TMKNGOMU.exe
| MD5 | 84cbc72865b542c646bd89bb9430e7d1 |
| SHA1 | c8320b1e24f22b36c1a283506dacdcbcf5598a4f |
| SHA256 | 323a18d661fab8c743bb0584b4182902f49640a9ead4b9cedfb548889c25a9d4 |
| SHA512 | 235afdba7fcf029920a20ac3d99ce0dacd87554d27a0e473ff5636c74f7f747ed9d242637d10963bac7461f789266191b37beaec0b9acdd2dc38b0f196ae65a8 |
memory/4072-169-0x000001C6B2850000-0x000001C6B2870000-memory.dmp
memory/4072-170-0x000001C6B2880000-0x000001C6B28C0000-memory.dmp
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |
memory/4072-172-0x000001C6B28C0000-0x000001C6B28E0000-memory.dmp
memory/4072-173-0x000001C6B28E0000-0x000001C6B2900000-memory.dmp
memory/4072-174-0x000001C6B28C0000-0x000001C6B28E0000-memory.dmp
memory/4072-175-0x000001C6B28E0000-0x000001C6B2900000-memory.dmp
C:\Users\Admin\AppData\Local\ServiceHub\Miner.exe
| MD5 | d1b22ce6e0f11c1b8283a85d9f902bbd |
| SHA1 | 8593038e651f856367d094b4541dd7cbffb8e7a3 |
| SHA256 | 95aaf5cd2e08561391d3cc3056d8d629d7caa5ab5117bb7dbf0d7da1e3dbcdf8 |
| SHA512 | d212280985c97c6c9b4055783ae6839e42289a72a59c2863b93b1ce93edfd8ab16a5f802806f818360753e0e5f802392fbe0382eb7fae299e67bdec2205ad7ed |