Overview

overview

10

Static

static

1

0003a6af85...06.exe

windows7-x64

10

0003a6af85...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-04-2023 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0003a6af8597e5d734e36244fb7b3e3be4016f3e3d83c0b9610338e1fcd59206.exe

  • Size

    9.1MB

  • MD5

    298157ab2d8c50fb948102d1d232b068

  • SHA1

    761182c5993c52d0e037855ef688ac43ae42fc0b

  • SHA256

    0003a6af8597e5d734e36244fb7b3e3be4016f3e3d83c0b9610338e1fcd59206

  • SHA512

    4fe7bfdc1a7abbe295cf55e86f37a51238f4307eca104780d54ca2303b575f1d399d52e1109f24ca0588e9dfbadfbfcd87f114b2a7bf06826fb53f61d2161637

  • SSDEEP

    196608:nkrzreGkrYVue+NW+sI3FhgJSvTBvDD8f6xK4jIEv/F:nqX1hH+M305v8CxzT/

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 16 IoCs
    miner
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0003a6af8597e5d734e36244fb7b3e3be4016f3e3d83c0b9610338e1fcd59206.exe
    "C:\Users\Admin\AppData\Local\Temp\0003a6af8597e5d734e36244fb7b3e3be4016f3e3d83c0b9610338e1fcd59206.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\system32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\system32\powercfg.exe
        powercfg /x -hibernate-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
      • C:\Windows\system32\powercfg.exe
        powercfg /x -hibernate-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\system32\powercfg.exe
        powercfg /x -standby-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Windows\system32\powercfg.exe
        powercfg /x -standby-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:860
    • C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Users\Admin\AppData\Roaming\Google\Libs\" & wmic PATH Win32_VideoController GET Name > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PATH Win32_VideoController GET Name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe xksrsphpkhdkzeta 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnasCD7XnRLS04n/3PSQs4Y8N1gwqW8cNAIYLDJ8a1VM5jC42Fu45IQxMHZ6UbMAINd+j6rWyjR4c9wHzXrSPt+JO2vXjM9T/tr8xKXbcIp6p5AEolkWO531Ai57/AA54nTHCWk1C1lfJkJlng+A+045NaoEev2vxtN0yY+wXL4vn/AgvKv2NvGySX3VL4aaXWkYGDrhqyQkIiI66de13hYChA1HJfwz/0hA09e7EJtDlWJYiqjzeDLfeTpOris1uTeAjvscK9uO/vHjNoqRdTZ8aNFKeO7C80Ai+bTi4K2QXu6ouHh30Iwbf3q3yJiDpNe7c3Vr+x7P1kSgLlDw2EewvMr8Kt6kJgQOg5NvZ9PWBQLOi/tsrchS1m2/eJZ/w6ZcWHgt0l3usMrsAAec/Hqu1r4pnq7GeRnzY7diGKN2RVrztExappHcjjYN7gOznasN2urWT77J3/0L9mH5DR+cg7USdYj3oHU7R467VOrVHQ==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
    Filesize

    134B

    MD5

    13704a81e6a12d0657753b6746a4fb24

    SHA1

    9e1dd1fa6000c991e12a1ab41f3fb04ed37a6cca

    SHA256

    56556055091ba96cf10e85b2db4c5154e2b647b832a272915f973862c3c531a4

    SHA512

    e099d6c94c431c4cc9df82f4993a8d91a36b1c351f1a4eb699fc6b67b3a8dd0c386b2346dc1dcb854db004cea2070f38d717caba8a922926ecec968ebe6db66e

    Download Submit

  • memory/1276-55-0x0000000077310000-0x0000000077312000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1276-54-0x0000000077310000-0x0000000077312000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1276-56-0x0000000077310000-0x0000000077312000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1276-57-0x0000000077320000-0x0000000077322000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1276-58-0x0000000077320000-0x0000000077322000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1276-59-0x0000000077320000-0x0000000077322000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1276-60-0x0000000140000000-0x0000000141019000-memory.dmp

    Filesize

    16.1MB

    Download

  • memory/1752-71-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-76-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-69-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-70-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-67-0x00000000000E0000-0x0000000000100000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1752-72-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-73-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-74-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-75-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-68-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-77-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-78-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-79-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-80-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-81-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-82-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/1752-83-0x0000000140000000-0x00000001407F4000-memory.dmp

    Filesize

    8.0MB

    Download