Analysis
-
max time kernel
301s -
max time network
282s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
03/12/2022, 22:40
General
-
Target
97ded6f6cd27d350b54088294d10b471cb7caacd8b900e95ef78a6bebcc91bc9.exe
-
Size
56KB
-
MD5
93a8bd28a6dad78859808a3b4d3cf107
-
SHA1
354e8696fd578e73061f670f91f6bd1579ddacf1
-
SHA256
97ded6f6cd27d350b54088294d10b471cb7caacd8b900e95ef78a6bebcc91bc9
-
SHA512
4fef9b319208036c92a182fbb3d356a2f2eac14eabdfa1fb1304b56654506ad7892a171ec97a0efbe43cd47f832d2ef437854bbd262112afc6ce966e886a824e
-
SSDEEP
768:frKuHIjixyEdRiVWhExfZNbJ5NtTbZRX+6gV/EL4:TKuHm+yEnXCfZNN5/bZ5/gqc
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97ded6f6cd27d350b54088294d10b471cb7caacd8b900e95ef78a6bebcc91bc9.exe"C:\Users\Admin\AppData\Local\Temp\97ded6f6cd27d350b54088294d10b471cb7caacd8b900e95ef78a6bebcc91bc9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3005" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3171" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3171" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1780" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5270" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
C:\ProgramData\Dllhost\winlogson.exeC:\ProgramData\Dllhost\winlogson.exe -c config.json4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD58eac424b39ecd7724237708242536dce
SHA1dbd058d840422fcaaf1d6897564e73be3641f7d3
SHA256a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229
SHA5121ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa
-
Filesize
60KB
MD58eac424b39ecd7724237708242536dce
SHA1dbd058d840422fcaaf1d6897564e73be3641f7d3
SHA256a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229
SHA5121ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa
-
Filesize
7.8MB
MD56f4532e49d65c2be0355b222f96e06e8
SHA1268e90ce25e01bbb205f6ae3f493f8da36a61480
SHA256acaf8e844ef7f4f65033ebe9546c394cc21bce175dac8b59199106309f04e5ab
SHA51285f495b0bbd0673df376f44e912f9a0a8d201c2843f1a9efa64d93703a2d8ba2b6fa2638a747e79604715d26ddfc07de26ba43d03adf86290d928b442bf09207
-
Filesize
310B
MD5aea3666ca9ce85cda48dde4d4037dafb
SHA10cd2e08c350e2f692a95f621a861a61ddc883d27
SHA2563c5de1ade38c6857790fec477097f1aa1438e7400cfe5f422218d2b6ec5c50f3
SHA512cd8926b5da72973931a7f8253e086c8aa1d6e9f1839072c71d54747278954792f7b5837231dc8a443e9da16695a7eefb0f2fe3cc5d58926c3ec162d7d7786647
-
Filesize
1KB
MD533a040d2940740ccd0fe09ee63a71420
SHA1e7b386485ffdca5e24538acb6d9ce77f3cba044a
SHA2565ba31918946a9a81a4f2308a12980b5695039a13297361dc193cd81b6d6c25d5
SHA5125834b6c6402b2b6507eba3323ff7019662d6aa7a9839d2e2fe3241ae981ba11ac3a2692b496e5f0a6f0d49553f9cc665bd4f94a7c8cd828385468924720ccfba
-
Filesize
24KB
-
Filesize
88KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
80KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
24KB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
300KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
204KB
-
Filesize
216KB
-
Filesize
592KB
-
Filesize
472KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB