Overview

overview

10

Static

static

032f2e845d...be.exe

windows7-x64

10

032f2e845d...be.exe

windows10-2004-x64

10

Resubmissions

23-11-2022 12:41

221123-pw91csfe6t 10

23-11-2022 12:32

221123-pqv91sfb5y 10

Analysis

  • max time kernel
    1201s
  • max time network
    1207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe

  • Size

    6.8MB

  • MD5

    a5cc0738a563489458f6541c3d3dc722

  • SHA1

    c4647225139bfde320f51f7af5751c33930f3787

  • SHA256

    032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe

  • SHA512

    3239e0fedecb92738fed530822bbe5b49c011cd425f162c2032df068ce676cb6286b1d2eb3d7711d090e5014228d1cf021410ff7d3351e81acbf1d046ab02537

  • SSDEEP

    196608:WIQ9gu6aCQeL7fgzVwu4UN6KB3/0V61S+I:WIsp6axeLCIE6QyIvI

Score
10/10
xmrigminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 59 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe
    "C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • Runs ping.exe
        PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del /a /f "C:\Users\Admin\AppData\Local\Temp\032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe.exe"
        3⤵
          PID:3336
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\SysWOW64\schtasks.exe
        /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"
        2⤵
          PID:4868
        • C:\Windows\SysWOW64\schtasks.exe
          /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /F
          2⤵
            PID:1264
          • C:\Windows\SysWOW64\dllhost.exe
            C:\Windows\system32\dllhost.exe
            2⤵
              PID:4316
            • C:\Windows\SysWOW64\dllhostex.exe
              "C:\Windows\system32\dllhostex.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1456
            • C:\Windows\SysWOW64\TaskIndexer.exe
              "C:\Windows\system32\TaskIndexer.exe"
              2⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:1740
              • C:\Windows\SysWOW64\WUDHostServices.exe
                "C:\Windows\system32\WUDHostServices.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1764

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\RemoteRPCEvent.dll
            Filesize

            106KB

            MD5

            1b24ee642dfec6571593572ca1fcc3bf

            SHA1

            e48a76c939c7b0bbefdaaa4f2acdce28f055bded

            SHA256

            88d534bc3e21fb26546e5fc0b228b9dddd44981184b27f686f87e958c4f6976d

            SHA512

            43ab384be9eff955c7e9191886857946490e69ba818f566a28934092467a42577720dd8a19464c292031590545e0b0bb6bd130c536f5717120611ce70639128d

            Download Submit
          • C:\Windows\SysWOW64\TaskIndexer.exe
            Filesize

            322KB

            MD5

            de48b20faf52987aafa1c95d6249bb2a

            SHA1

            411096f531f7018f15014e6cc7c27f0ce50798b1

            SHA256

            2190b455d68a372eef870b4b967d49e2f17b26cdcbe307fd46d27de9f99c17fe

            SHA512

            6b1f2b0344eebdd68ad19db3d7dda38371b0d336360e583154fd676b84d22355296ed19180b5b468625b3d8f81dd3de4530072fdac5de962ca0b143d15e33a26

            Download Submit
          • C:\Windows\SysWOW64\TaskIndexer.exe
            Filesize

            322KB

            MD5

            de48b20faf52987aafa1c95d6249bb2a

            SHA1

            411096f531f7018f15014e6cc7c27f0ce50798b1

            SHA256

            2190b455d68a372eef870b4b967d49e2f17b26cdcbe307fd46d27de9f99c17fe

            SHA512

            6b1f2b0344eebdd68ad19db3d7dda38371b0d336360e583154fd676b84d22355296ed19180b5b468625b3d8f81dd3de4530072fdac5de962ca0b143d15e33a26

            Download Submit
          • C:\Windows\SysWOW64\WUDHostServices.exe
            Filesize

            46KB

            MD5

            fc7880429d850789e40808d1ab45c119

            SHA1

            9d6bb1bc89bac653ae4d40107bbed6e07551d8ee

            SHA256

            c71623b62590e904e77f597b9f956a6f6a7b266206a75ddac3fd91d86652e55d

            SHA512

            bad391f5d0b014bfcb43015ac5e789e55b4492114516f09c4ecd1023470ad97ab824f929f4b9ce97da56c55f7f94d82e0c9319488bdfd1e5b6834a8da31525b4

            Download Submit
          • C:\Windows\SysWOW64\WUDHostServices.exe
            Filesize

            46KB

            MD5

            fc7880429d850789e40808d1ab45c119

            SHA1

            9d6bb1bc89bac653ae4d40107bbed6e07551d8ee

            SHA256

            c71623b62590e904e77f597b9f956a6f6a7b266206a75ddac3fd91d86652e55d

            SHA512

            bad391f5d0b014bfcb43015ac5e789e55b4492114516f09c4ecd1023470ad97ab824f929f4b9ce97da56c55f7f94d82e0c9319488bdfd1e5b6834a8da31525b4

            Download Submit
          • C:\Windows\SysWOW64\dllhostex.exe
            Filesize

            1.3MB

            MD5

            9d31226e4e5e486c0ad4f904405c3592

            SHA1

            c54ae00c31c3e417ce68e7405f66c2d6e9e4ab98

            SHA256

            95415e1067177a7e0409904231f503c8684d26b55c0dfe632053ce304aaf3354

            SHA512

            bb3a82aa72d66e9581b174397f7ae1681465dafd3a85defe3bdafbd83a62740c1c866441dcda69ccfa39a3015682e02df99111e6ae6338edaa9c731dfb875e08

            Download Submit
          • C:\Windows\SysWOW64\dllhostex.exe
            Filesize

            1.3MB

            MD5

            9d31226e4e5e486c0ad4f904405c3592

            SHA1

            c54ae00c31c3e417ce68e7405f66c2d6e9e4ab98

            SHA256

            95415e1067177a7e0409904231f503c8684d26b55c0dfe632053ce304aaf3354

            SHA512

            bb3a82aa72d66e9581b174397f7ae1681465dafd3a85defe3bdafbd83a62740c1c866441dcda69ccfa39a3015682e02df99111e6ae6338edaa9c731dfb875e08

            Download Submit
          • C:\Windows\SysWOW64\msvcubn.nls
            Filesize

            6.7MB

            MD5

            2fffb3077a386cd27259ac7a4957e1d6

            SHA1

            022d49e632b2996e955d4eebf360245c65a59093

            SHA256

            6790df7aa6bc871da4c62af4db9555de3de3b4813a0df374b11f70df81fbccdb

            SHA512

            66ae49ed96d4ac304f05a5ed1f1d6ac1b021c02045fcd94ded3a3506c3eef146db835622133eb13baa4b96799665acde98be0f624b29f0d6dfc6c1f09a95ab5b

            Download Submit
          • \??\c:\windows\SysWOW64\remoterpcevent.dll
            Filesize

            106KB

            MD5

            1b24ee642dfec6571593572ca1fcc3bf

            SHA1

            e48a76c939c7b0bbefdaaa4f2acdce28f055bded

            SHA256

            88d534bc3e21fb26546e5fc0b228b9dddd44981184b27f686f87e958c4f6976d

            SHA512

            43ab384be9eff955c7e9191886857946490e69ba818f566a28934092467a42577720dd8a19464c292031590545e0b0bb6bd130c536f5717120611ce70639128d

            Download Submit
          • memory/1132-145-0x0000000000000000-mapping.dmp
            Download
          • memory/1264-143-0x0000000000000000-mapping.dmp
            Download
          • memory/1456-151-0x0000000000000000-mapping.dmp
            Download
          • memory/1740-155-0x0000000000000000-mapping.dmp
            Download
          • memory/1764-158-0x0000000000000000-mapping.dmp
            Download
          • memory/3144-146-0x0000000001900000-0x0000000001926000-memory.dmp
            Filesize

            152KB

            Download
          • memory/3144-139-0x0000000000DE0000-0x0000000000DFD000-memory.dmp
            Filesize

            116KB

            Download
          • memory/3144-148-0x0000000001560000-0x0000000001598000-memory.dmp
            Filesize

            224KB

            Download
          • memory/3144-135-0x0000000001560000-0x0000000001598000-memory.dmp
            Filesize

            224KB

            Download
          • memory/3144-136-0x0000000000DE0000-0x0000000000DFD000-memory.dmp
            Filesize

            116KB

            Download
          • memory/3144-142-0x00000000015E0000-0x00000000015FF000-memory.dmp
            Filesize

            124KB

            Download
          • memory/3144-137-0x00000000015E0000-0x00000000015FF000-memory.dmp
            Filesize

            124KB

            Download
          • memory/3144-138-0x0000000001900000-0x0000000001926000-memory.dmp
            Filesize

            152KB

            Download
          • memory/3144-140-0x0000000001560000-0x0000000001598000-memory.dmp
            Filesize

            224KB

            Download
          • memory/3336-147-0x0000000000000000-mapping.dmp
            Download
          • memory/4316-153-0x0000000000330000-0x0000000000383000-memory.dmp
            Filesize

            332KB

            Download
          • memory/4316-150-0x0000000000330000-0x0000000000383000-memory.dmp
            Filesize

            332KB

            Download
          • memory/4316-149-0x0000000000000000-mapping.dmp
            Download
          • memory/4868-141-0x0000000000000000-mapping.dmp
            Download
          • memory/4940-144-0x0000000000000000-mapping.dmp
            Download