Analysis
-
max time kernel
154s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
05/12/2022, 06:36
General
-
Target
48eef47ec9ad90d92639266af78c54f7.exe
-
Size
56KB
-
MD5
48eef47ec9ad90d92639266af78c54f7
-
SHA1
2e3c4b08672d5e9f26bf2ef486d911f9db422edf
-
SHA256
e15fd3f72f46f262efafde1c66af2566f441d9af6295bb09bd7c4ddfee50cf44
-
SHA512
1e6acfe205587a2982c279d177ba5fb1b8af9a8d8823d8133bc9b997df79f3de3b84a03e1d1de0ebded9074edde42d2f2ae5b1a56b7a6cb8d4dff0ef938ac7e8
-
SSDEEP
768:StoAk/F+TSsXubJprJchoWABDO5vPuRLkVOnWbrrkJvPTzGKuD:Uoprm0NWAo5vPuRgVQWbr6XTHw
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48eef47ec9ad90d92639266af78c54f7.exe"C:\Users\Admin\AppData\Local\Temp\48eef47ec9ad90d92639266af78c54f7.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4922" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8034" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8034" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1659" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1659" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6853" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6853" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
C:\ProgramData\Dllhost\winlogson.exeC:\ProgramData\Dllhost\winlogson.exe -c config.json4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD58eac424b39ecd7724237708242536dce
SHA1dbd058d840422fcaaf1d6897564e73be3641f7d3
SHA256a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229
SHA5121ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa
-
Filesize
60KB
MD58eac424b39ecd7724237708242536dce
SHA1dbd058d840422fcaaf1d6897564e73be3641f7d3
SHA256a43dad593d702d374a6f7d8f0a7de4a1e98a8a7edbf25cc01c45b7f26e60a229
SHA5121ed33db65161a5ee089f4f030c42ac5168be0d5fd041422575d23e2f414a477b18397f583d7d53a744df716798f79de407bcb33ab8602644371c44291fa0c7fa
-
Filesize
7.8MB
MD56f4532e49d65c2be0355b222f96e06e8
SHA1268e90ce25e01bbb205f6ae3f493f8da36a61480
SHA256acaf8e844ef7f4f65033ebe9546c394cc21bce175dac8b59199106309f04e5ab
SHA51285f495b0bbd0673df376f44e912f9a0a8d201c2843f1a9efa64d93703a2d8ba2b6fa2638a747e79604715d26ddfc07de26ba43d03adf86290d928b442bf09207
-
Filesize
312B
MD511c76da7e5b49513d6199861b4155013
SHA1eeb027c4273975349d47b2d967be287dcc8c11f3
SHA2564422bdfa4969c89c1009d4e2a042240129332c08206823f8608d83b0e0333b45
SHA512d18eaf5e86a816ba792e97218832f109ffd7f0613a29a7b945ae11a161b04ed1076a03c96525ca78482f28144b721246c7df562512ada28eff1613c496acbce0
-
Filesize
1KB
MD542313a83cf392bd8c4ef0fa780279ef4
SHA1c36a9f33ef87497586bc06c9d064d84006f89687
SHA256923f6c0a813033b8d070dc90844a460ed9739f931ef183c0a96113df25f51058
SHA51241b97b5175ef145651c706627a19de46e35eaedebe064e620d723dcc1b95e807eb7533d36d9adbc7135fe268ee161c4d64a4744baef89555d4b6a8e8392b9f41
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
80KB
-
Filesize
584KB
-
Filesize
88KB
-
Filesize
128KB
-
Filesize
256KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
120KB