Overview

overview

10

Static

static

032f2e845d...be.exe

windows7-x64

10

032f2e845d...be.exe

windows10-2004-x64

10

Resubmissions

23-11-2022 12:41

221123-pw91csfe6t 10

23-11-2022 12:32

221123-pqv91sfb5y 10

Analysis

  • max time kernel
    270s
  • max time network
    293s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 12:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe

  • Size

    6.8MB

  • MD5

    a5cc0738a563489458f6541c3d3dc722

  • SHA1

    c4647225139bfde320f51f7af5751c33930f3787

  • SHA256

    032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe

  • SHA512

    3239e0fedecb92738fed530822bbe5b49c011cd425f162c2032df068ce676cb6286b1d2eb3d7711d090e5014228d1cf021410ff7d3351e81acbf1d046ab02537

  • SSDEEP

    196608:WIQ9gu6aCQeL7fgzVwu4UN6KB3/0V61S+I:WIsp6axeLCIE6QyIvI

Score
10/10
xmrigminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 59 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe
    "C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • Runs ping.exe
        PID:628
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del /a /f "C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe"
        3⤵
        • Deletes itself
        PID:268
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\schtasks.exe
      /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"
      2⤵
        PID:1564
      • C:\Windows\SysWOW64\schtasks.exe
        /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /F
        2⤵
          PID:1888
        • C:\Windows\SysWOW64\dllhostex.exe
          "C:\Windows\system32\dllhostex.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1712
        • C:\Windows\SysWOW64\searchprotocolhost.exe
          C:\Windows\system32\searchprotocolhost.exe
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\SysWOW64\WUDHostServices.exe
            "C:\Windows\system32\WUDHostServices.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1120

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\WUDHostServices.exe
        Filesize

        46KB

        MD5

        fc7880429d850789e40808d1ab45c119

        SHA1

        9d6bb1bc89bac653ae4d40107bbed6e07551d8ee

        SHA256

        c71623b62590e904e77f597b9f956a6f6a7b266206a75ddac3fd91d86652e55d

        SHA512

        bad391f5d0b014bfcb43015ac5e789e55b4492114516f09c4ecd1023470ad97ab824f929f4b9ce97da56c55f7f94d82e0c9319488bdfd1e5b6834a8da31525b4

        Download Submit

      • C:\Windows\SysWOW64\dllhostex.exe
        Filesize

        1.3MB

        MD5

        9d31226e4e5e486c0ad4f904405c3592

        SHA1

        c54ae00c31c3e417ce68e7405f66c2d6e9e4ab98

        SHA256

        95415e1067177a7e0409904231f503c8684d26b55c0dfe632053ce304aaf3354

        SHA512

        bb3a82aa72d66e9581b174397f7ae1681465dafd3a85defe3bdafbd83a62740c1c866441dcda69ccfa39a3015682e02df99111e6ae6338edaa9c731dfb875e08

        Download Submit

      • C:\Windows\SysWOW64\msvcmjv.log
        Filesize

        6.7MB

        MD5

        2fffb3077a386cd27259ac7a4957e1d6

        SHA1

        022d49e632b2996e955d4eebf360245c65a59093

        SHA256

        6790df7aa6bc871da4c62af4db9555de3de3b4813a0df374b11f70df81fbccdb

        SHA512

        66ae49ed96d4ac304f05a5ed1f1d6ac1b021c02045fcd94ded3a3506c3eef146db835622133eb13baa4b96799665acde98be0f624b29f0d6dfc6c1f09a95ab5b

        Download Submit

      • \??\c:\windows\SysWOW64\functionupdateclient.dll
        Filesize

        106KB

        MD5

        64436d1159d55597d0bc969775370d47

        SHA1

        a91b93fe77a5505390568b90dffa5b8678a04845

        SHA256

        835ad44be060c236561b536d8dee4bc88b9ef05d74562cb957bf4860fdd27c0d

        SHA512

        e45a819359a5a54ad5a6527ab9ab64b6c4de83f4c6f07c117840cbd1da4850915cc7f01c936cefef3bb1381e29692b74d1de75638802d1a1ee2aa573a9db1cfc

        Download Submit

      • \Windows\SysWOW64\FunctionUpdateClient.dll
        Filesize

        106KB

        MD5

        64436d1159d55597d0bc969775370d47

        SHA1

        a91b93fe77a5505390568b90dffa5b8678a04845

        SHA256

        835ad44be060c236561b536d8dee4bc88b9ef05d74562cb957bf4860fdd27c0d

        SHA512

        e45a819359a5a54ad5a6527ab9ab64b6c4de83f4c6f07c117840cbd1da4850915cc7f01c936cefef3bb1381e29692b74d1de75638802d1a1ee2aa573a9db1cfc

        Download Submit

      • \Windows\SysWOW64\WUDHostServices.exe
        Filesize

        46KB

        MD5

        fc7880429d850789e40808d1ab45c119

        SHA1

        9d6bb1bc89bac653ae4d40107bbed6e07551d8ee

        SHA256

        c71623b62590e904e77f597b9f956a6f6a7b266206a75ddac3fd91d86652e55d

        SHA512

        bad391f5d0b014bfcb43015ac5e789e55b4492114516f09c4ecd1023470ad97ab824f929f4b9ce97da56c55f7f94d82e0c9319488bdfd1e5b6834a8da31525b4

        Download Submit

      • \Windows\SysWOW64\WUDHostServices.exe
        Filesize

        46KB

        MD5

        fc7880429d850789e40808d1ab45c119

        SHA1

        9d6bb1bc89bac653ae4d40107bbed6e07551d8ee

        SHA256

        c71623b62590e904e77f597b9f956a6f6a7b266206a75ddac3fd91d86652e55d

        SHA512

        bad391f5d0b014bfcb43015ac5e789e55b4492114516f09c4ecd1023470ad97ab824f929f4b9ce97da56c55f7f94d82e0c9319488bdfd1e5b6834a8da31525b4

        Download Submit

      • \Windows\SysWOW64\dllhostex.exe
        Filesize

        1.3MB

        MD5

        9d31226e4e5e486c0ad4f904405c3592

        SHA1

        c54ae00c31c3e417ce68e7405f66c2d6e9e4ab98

        SHA256

        95415e1067177a7e0409904231f503c8684d26b55c0dfe632053ce304aaf3354

        SHA512

        bb3a82aa72d66e9581b174397f7ae1681465dafd3a85defe3bdafbd83a62740c1c866441dcda69ccfa39a3015682e02df99111e6ae6338edaa9c731dfb875e08

        Download Submit

      • memory/268-88-0x0000000000000000-mapping.dmp

        Download

      • memory/628-86-0x0000000000000000-mapping.dmp

        Download

      • memory/840-82-0x0000000000000000-mapping.dmp

        Download

      • memory/892-54-0x0000000075141000-0x0000000075143000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1068-77-0x00000000000C0000-0x0000000000113000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1068-74-0x00000000000D119D-mapping.dmp

        Download

      • memory/1068-84-0x00000000000C0000-0x0000000000113000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1068-76-0x00000000000C0000-0x0000000000113000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1068-71-0x00000000000C0000-0x0000000000113000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1068-73-0x00000000000C0000-0x0000000000113000-memory.dmp

        Filesize

        332KB

        Download

      • memory/1120-80-0x0000000000000000-mapping.dmp

        Download

      • memory/1436-64-0x0000000000250000-0x000000000026F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1436-67-0x0000000000E00000-0x0000000000E26000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1436-65-0x0000000000210000-0x0000000000248000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1436-60-0x00000000002C0000-0x00000000002DD000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1436-61-0x0000000000E00000-0x0000000000E26000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1436-83-0x0000000000210000-0x0000000000248000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1436-66-0x00000000002C0000-0x00000000002DD000-memory.dmp

        Filesize

        116KB

        Download

      • memory/1436-58-0x0000000000210000-0x0000000000248000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1436-59-0x0000000000250000-0x000000000026F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1564-62-0x0000000000000000-mapping.dmp

        Download

      • memory/1712-69-0x0000000000000000-mapping.dmp

        Download

      • memory/1888-63-0x0000000000000000-mapping.dmp

        Download