Overview

overview

10

Static

static

3

F-VPN.exe

windows7-x64

10

F-VPN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2023, 08:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    F-VPN.exe

  • Size

    7.1MB

  • MD5

    7106aab423db77a92c6e97a70bc8ef84

  • SHA1

    ffa5faac3ffd055869f5e5ee1a8106dc6a6cdea7

  • SHA256

    bf92cc39c4a885688598416d73f1d720023b7ff573224ab6b0790a042983245b

  • SHA512

    76fe0b1fbe366708ad53bbaa67a686e4fe7c5f59099c4143c88c032d0d3fdea977af7f4c43b93f8a6108ccb7a6c2361a7bed91de8f99e00e248275d781e18c2a

  • SSDEEP

    196608:l4R4y6i8QjS6/4osJem6/QBDpnDpxGTlO9enTtK6eq/g:y4O8QjVsJe//ANnD6TE9ecv3

Score
10/10
xmrigminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3152
      • C:\Users\Admin\AppData\Local\Temp\F-VPN.exe
        "C:\Users\Admin\AppData\Local\Temp\F-VPN.exe"
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\srf.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\srf.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4080
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.vbs"
          3⤵
            PID:2248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eujmqqr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4152
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
          2⤵
            PID:4640
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\srf.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Windows\System32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:2528
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eujmqqr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:768
            • C:\Windows\System32\conhost.exe
              C:\Windows\System32\conhost.exe
              2⤵
                PID:2436
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe
                2⤵
                • Checks BIOS information in registry
                • Suspicious behavior: EnumeratesProcesses
                PID:652
            • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
              C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
              1⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1692

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    3KB

                    MD5

                    fee026663fcb662152188784794028ee

                    SHA1

                    3c02a26a9cb16648fad85c6477b68ced3cb0cb45

                    SHA256

                    dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

                    SHA512

                    7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    1KB

                    MD5

                    62032a79f8416ef5fe25b81955c2f5dd

                    SHA1

                    9c996b27944668b8fe4a490d7c1a99e94efa190c

                    SHA256

                    02a537f84c804887adbfe6404b5b7e060cbe22204206d17cafb3f86c02e594fe

                    SHA512

                    f58610ff90367e6b4fa6eaeb9778e3d3032df44bf9577ddd338beaca7201a150709bcdfe38cf88039f4009cba22bcb11099562d2b01ac1089f4d6ee38cdead28

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.vbs
                    Filesize

                    68B

                    MD5

                    478b0463ff5e4688026acce0001bd938

                    SHA1

                    dabc6987cc86106e38572458e0768de3093d74a2

                    SHA256

                    474d94be4055c44a330e75ed1e81a82261916a090779285952aed22b1e597967

                    SHA512

                    4684298816b0c9654cae1e621445c75ba90fe6d31457b4a724e9a6e55bacd202b67c50cf72b2fbb20d2b5ef76cbd22a805db22b89b20cb8703913386c43b1787

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\srf.exe
                    Filesize

                    11.9MB

                    MD5

                    bd5df58cba552dd3a856fc24303e5dfe

                    SHA1

                    549720252ef69b9f8ad6eccce47f953be2e41933

                    SHA256

                    3a00b3c8271e9f8230ae038523a7658ce6e1cb365dd45a2b727840c9eb3e762f

                    SHA512

                    53fa99414f7023ba6d5835b98c7f97887c9861219abb045d7f5a186353f7592f9a2d08be0a949c40f9e691511539a95ec918443428796a99b1989fe6080ce54d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\srf.exe
                    Filesize

                    11.9MB

                    MD5

                    bd5df58cba552dd3a856fc24303e5dfe

                    SHA1

                    549720252ef69b9f8ad6eccce47f953be2e41933

                    SHA256

                    3a00b3c8271e9f8230ae038523a7658ce6e1cb365dd45a2b727840c9eb3e762f

                    SHA512

                    53fa99414f7023ba6d5835b98c7f97887c9861219abb045d7f5a186353f7592f9a2d08be0a949c40f9e691511539a95ec918443428796a99b1989fe6080ce54d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\srf.exe
                    Filesize

                    11.9MB

                    MD5

                    bd5df58cba552dd3a856fc24303e5dfe

                    SHA1

                    549720252ef69b9f8ad6eccce47f953be2e41933

                    SHA256

                    3a00b3c8271e9f8230ae038523a7658ce6e1cb365dd45a2b727840c9eb3e762f

                    SHA512

                    53fa99414f7023ba6d5835b98c7f97887c9861219abb045d7f5a186353f7592f9a2d08be0a949c40f9e691511539a95ec918443428796a99b1989fe6080ce54d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzuyf2np.jpt.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
                    Filesize

                    11.9MB

                    MD5

                    bd5df58cba552dd3a856fc24303e5dfe

                    SHA1

                    549720252ef69b9f8ad6eccce47f953be2e41933

                    SHA256

                    3a00b3c8271e9f8230ae038523a7658ce6e1cb365dd45a2b727840c9eb3e762f

                    SHA512

                    53fa99414f7023ba6d5835b98c7f97887c9861219abb045d7f5a186353f7592f9a2d08be0a949c40f9e691511539a95ec918443428796a99b1989fe6080ce54d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
                    Filesize

                    11.9MB

                    MD5

                    bd5df58cba552dd3a856fc24303e5dfe

                    SHA1

                    549720252ef69b9f8ad6eccce47f953be2e41933

                    SHA256

                    3a00b3c8271e9f8230ae038523a7658ce6e1cb365dd45a2b727840c9eb3e762f

                    SHA512

                    53fa99414f7023ba6d5835b98c7f97887c9861219abb045d7f5a186353f7592f9a2d08be0a949c40f9e691511539a95ec918443428796a99b1989fe6080ce54d

                    Download Submit

                  • memory/652-200-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-202-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-218-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-216-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-214-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-212-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-210-0x00000000146F0000-0x0000000014710000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/652-209-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-207-0x00000000146F0000-0x0000000014710000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/652-206-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-204-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-198-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-197-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-195-0x0000000003A90000-0x0000000003AB0000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/652-193-0x00007FF69BB80000-0x00007FF69C5CF000-memory.dmp

                    Filesize

                    10.3MB

                    Download

                  • memory/652-194-0x0000000003A20000-0x0000000003A40000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/768-185-0x000001875A9B0000-0x000001875A9C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/768-182-0x000001875A9B0000-0x000001875A9C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/768-183-0x000001875A9B0000-0x000001875A9C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/768-184-0x000001875A9B0000-0x000001875A9C0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/1692-170-0x00007FF7BE020000-0x00007FF7BEE2C000-memory.dmp

                    Filesize

                    14.0MB

                    Download

                  • memory/1692-192-0x00007FF7BE020000-0x00007FF7BEE2C000-memory.dmp

                    Filesize

                    14.0MB

                    Download

                  • memory/2436-199-0x00007FF7A91C0000-0x00007FF7A91E9000-memory.dmp

                    Filesize

                    164KB

                    Download

                  • memory/2436-196-0x00007FF7A91C0000-0x00007FF7A91E9000-memory.dmp

                    Filesize

                    164KB

                    Download

                  • memory/4080-164-0x00007FF651710000-0x00007FF65251C000-memory.dmp

                    Filesize

                    14.0MB

                    Download

                  • memory/4080-147-0x00007FF651710000-0x00007FF65251C000-memory.dmp

                    Filesize

                    14.0MB

                    Download

                  • memory/4080-166-0x00007FF651710000-0x00007FF65251C000-memory.dmp

                    Filesize

                    14.0MB

                    Download

                  • memory/4152-158-0x000002565C960000-0x000002565C970000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4152-157-0x00000256443E0000-0x0000025644402000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/4152-159-0x000002565C960000-0x000002565C970000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4152-160-0x000002565C960000-0x000002565C970000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4152-163-0x000002565CA70000-0x000002565CC8C000-memory.dmp

                    Filesize

                    2.1MB

                    Download