Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23/04/2023, 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.4MB

  • MD5

    41ab08c1955fce44bfd0c76a64d1945a

  • SHA1

    2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

  • SHA256

    dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

  • SHA512

    38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

  • SSDEEP

    98304:vavlQIN33nVKboT7MAwtCUxDwoQtKjnX6Og6X2XcNlfYWzdgIT3:vIlQIN33nVKboT7MAwtCYzQQjn46yQls

Score
10/10
xmrigminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 14 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:2004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:804
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
        2⤵
          PID:572
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:692
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:1588
        • C:\Windows\System32\notepad.exe
          C:\Windows\System32\notepad.exe
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1228
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {852862B7-B5FC-40CF-ACED-F96DD3325868} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
          "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1980

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        6355a8b5f8282c3fbdfd30ea7cd2233e

        SHA1

        781cac9baeabf55ff842fd18139d811ab18ed94d

        SHA256

        6858bbc6bdd647b16d1e5b6689974addfd3268d6ddce15d59a832004d2fc3aa6

        SHA512

        fc54aca584935cff81fc7dd5e1626128eb53ff57bda192f0359959d15a1bcd7aea3d019e290a4a61c64bf6352c8bdc9dfb3b9d91157c89273c266f71761b1b15

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ER1HN5YVY0I8TRI29AMT.temp
        Filesize

        7KB

        MD5

        6355a8b5f8282c3fbdfd30ea7cd2233e

        SHA1

        781cac9baeabf55ff842fd18139d811ab18ed94d

        SHA256

        6858bbc6bdd647b16d1e5b6689974addfd3268d6ddce15d59a832004d2fc3aa6

        SHA512

        fc54aca584935cff81fc7dd5e1626128eb53ff57bda192f0359959d15a1bcd7aea3d019e290a4a61c64bf6352c8bdc9dfb3b9d91157c89273c266f71761b1b15

        Download Submit

      • C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
        Filesize

        5.4MB

        MD5

        41ab08c1955fce44bfd0c76a64d1945a

        SHA1

        2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

        SHA256

        dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

        SHA512

        38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

        Download Submit

      • \Users\Admin\Windows Upgrade\wupgrdsv.exe
        Filesize

        5.4MB

        MD5

        41ab08c1955fce44bfd0c76a64d1945a

        SHA1

        2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

        SHA256

        dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

        SHA512

        38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

        Download Submit

      • memory/692-73-0x000000001B0D0000-0x000000001B3B2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/692-78-0x000000000269B000-0x00000000026D2000-memory.dmp

        Filesize

        220KB

        Download

      • memory/692-77-0x0000000002690000-0x0000000002710000-memory.dmp

        Filesize

        512KB

        Download

      • memory/692-76-0x0000000002690000-0x0000000002710000-memory.dmp

        Filesize

        512KB

        Download

      • memory/692-75-0x0000000002690000-0x0000000002710000-memory.dmp

        Filesize

        512KB

        Download

      • memory/692-74-0x0000000001F00000-0x0000000001F08000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1228-89-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-91-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-97-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-96-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-95-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-94-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-93-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-82-0x00000000000B0000-0x00000000000D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1228-83-0x0000000000190000-0x00000000001B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1228-84-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-85-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-86-0x0000000000190000-0x00000000001B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1228-87-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-88-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-92-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1228-90-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/1940-58-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1940-59-0x0000000001D30000-0x0000000001D38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1940-60-0x0000000002330000-0x00000000023B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1940-61-0x0000000002330000-0x00000000023B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1940-62-0x0000000002330000-0x00000000023B0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1980-81-0x000000013FEA0000-0x0000000140416000-memory.dmp

        Filesize

        5.5MB

        Download

      • memory/2004-64-0x000000013FC70000-0x00000001401E6000-memory.dmp

        Filesize

        5.5MB

        Download