Overview

overview

10

Static

static

10

189ca1951e...df.exe

windows7-x64

10

189ca1951e...df.exe

windows10-2004-x64

10

37ca1cfa1f...60.exe

windows7-x64

10

37ca1cfa1f...60.exe

windows10-2004-x64

10

37e3ba3283...c3.elf

debian-9-armhf

1

3898dfa5cb...ba.exe

windows7-x64

10

3898dfa5cb...ba.exe

windows10-2004-x64

10

3e488cd6f6...e9.exe

windows7-x64

10

3e488cd6f6...e9.exe

windows10-2004-x64

10

505fe3cf69...cb.exe

windows7-x64

10

505fe3cf69...cb.exe

windows10-2004-x64

10

6543c547b8...84.exe

windows7-x64

1

6543c547b8...84.exe

windows10-2004-x64

10

911bb31927...e4.exe

windows7-x64

10

911bb31927...e4.exe

windows10-2004-x64

10

913aec7dc7...60.exe

windows7-x64

10

913aec7dc7...60.exe

windows10-2004-x64

10

NEAS.arm7elf_JC.elf

debian-9-armhf

1

a23543464a...48.exe

windows7-x64

10

a23543464a...48.exe

windows10-2004-x64

10

ad21aff38e...59.exe

windows7-x64

1

ad21aff38e...59.exe

windows10-2004-x64

10

ba5ce65d72...ff.exe

windows7-x64

10

ba5ce65d72...ff.exe

windows10-2004-x64

10

ca1af61fd2...7f.elf

debian-9-mipsel

9

cad291a2df...eb.exe

windows7-x64

10

cad291a2df...eb.exe

windows10-2004-x64

10

da8e7392c3...fb.exe

windows7-x64

10

da8e7392c3...fb.exe

windows10-2004-x64

10

e3a0367cf2...02.exe

windows7-x64

10

e3a0367cf2...02.exe

windows10-2004-x64

10

f8ac9d00a1...1b.exe

windows7-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2023 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe

  • Size

    5.2MB

  • MD5

    d381d9db9cbd1b60afdfb4f05e52a775

  • SHA1

    d59c52583ca791e07f3e6aec2ee2590ab9bfd67e

  • SHA256

    3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9

  • SHA512

    cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861

  • SSDEEP

    98304:Qp4L/JhqnNKIjRFlrDlyzVd/dCR36YDAbJC5kZne:QeL/JhqNRrhyXCR3FAbfhe

Score
10/10
xmrigminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3172
      • C:\Users\Admin\AppData\Local\Temp\3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
        "C:\Users\Admin\AppData\Local\Temp\3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:4656
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:384
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2768
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:4952
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
          2⤵
          • Creates scheduled task(s)
          PID:2628
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
          2⤵
            PID:3272
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4184
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3056
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1916
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:980
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5072
          • C:\Windows\System32\schtasks.exe
            C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
            2⤵
            • Creates scheduled task(s)
            PID:3756
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5036
        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          1⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1108

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Persistence

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml
          Filesize

          1KB

          MD5

          059ccb70dc2c65c81c0dc8bea26a4bb2

          SHA1

          09c60376bf998dff186950104a6e7e4f74b37c24

          SHA256

          0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

          SHA512

          416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml
          Filesize

          1KB

          MD5

          059ccb70dc2c65c81c0dc8bea26a4bb2

          SHA1

          09c60376bf998dff186950104a6e7e4f74b37c24

          SHA256

          0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

          SHA512

          416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
          Filesize

          5.2MB

          MD5

          d381d9db9cbd1b60afdfb4f05e52a775

          SHA1

          d59c52583ca791e07f3e6aec2ee2590ab9bfd67e

          SHA256

          3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9

          SHA512

          cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861

          Download Submit
        • memory/1108-13-0x00007FF6198A0000-0x00007FF619DD0000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/1108-7-0x00007FF6198A0000-0x00007FF619DD0000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/4656-3-0x00007FF6594A0000-0x00007FF6599D0000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/4656-5-0x00007FF6594A0000-0x00007FF6599D0000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/4656-0-0x00007FF6594A0000-0x00007FF6599D0000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/5036-17-0x0000000013960000-0x0000000013980000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5036-22-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-15-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-16-0x0000000013940000-0x0000000013960000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5036-12-0x0000000001010000-0x0000000001030000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5036-18-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-20-0x0000000013960000-0x0000000013980000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5036-19-0x0000000013940000-0x0000000013960000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5036-21-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-14-0x0000000002DF0000-0x0000000002E30000-memory.dmp
          Filesize

          256KB

          Download
        • memory/5036-23-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-24-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-25-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-26-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-27-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-28-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download
        • memory/5036-29-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp
          Filesize

          8.2MB

          Download