Overview

overview

10

Static

static

1

sysran - 副本.exe

windows7-x64

10

sysran - 副本.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sysran - 副本.exe

  • Size

    5.2MB

  • MD5

    6e33878559f72813842849a3f50bf84f

  • SHA1

    3a9f03b46c767776a8d3d5fd474cdbfec2e6f2d3

  • SHA256

    8066b322136c434437c4754418e75779ccb560b802bded19356427ec2c10ea52

  • SHA512

    ec5607b2eda5239694cf696d836df1af8953ee30737e5a7a0fcbebfbdefdce812338a4db05cb61fccd49092e0a8842e34648d7bb2249174484db4670e5b9aa66

  • SSDEEP

    98304:q4qdva9J5hbLhDCis2yAXI7WRQDXtT35CukrTk:q/kJ7bZCis2yAXIJ5urTk

Score
10/10
xmrigevasionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\sysran - 副本.exe
        "C:\Users\Admin\AppData\Local\Temp\sysran - 副本.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Drivers directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2792
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2044
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:2636
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:1952
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2808
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
        2⤵
          PID:3040
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2536
          • C:\Windows\System32\powercfg.exe
            powercfg /x -hibernate-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1628
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-ac 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
          • C:\Windows\System32\powercfg.exe
            powercfg /x -standby-timeout-dc 0
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xbpxoyrdaild.xml"
          2⤵
          • Creates scheduled task(s)
          PID:2564
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
          2⤵
            PID:2816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
            2⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2376
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Windows\System32\sc.exe
              sc stop UsoSvc
              3⤵
              • Launches sc.exe
              PID:2716
            • C:\Windows\System32\sc.exe
              sc stop WaaSMedicSvc
              3⤵
              • Launches sc.exe
              PID:1188
            • C:\Windows\System32\sc.exe
              sc stop wuauserv
              3⤵
              • Launches sc.exe
              PID:1868
            • C:\Windows\System32\sc.exe
              sc stop dosvc
              3⤵
              • Launches sc.exe
              PID:1380
            • C:\Windows\System32\sc.exe
              sc stop bits
              3⤵
              • Launches sc.exe
              PID:1272
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1312
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2864
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2852
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2836
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2684
          • C:\Windows\System32\schtasks.exe
            C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xbpxoyrdaild.xml"
            2⤵
            • Creates scheduled task(s)
            PID:676
          • C:\Windows\System32\conhost.exe
            C:\Windows\System32\conhost.exe
            2⤵
              PID:1008
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1632
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2872

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Google\Chrome\updater.exe
            Filesize

            5.2MB

            MD5

            6e33878559f72813842849a3f50bf84f

            SHA1

            3a9f03b46c767776a8d3d5fd474cdbfec2e6f2d3

            SHA256

            8066b322136c434437c4754418e75779ccb560b802bded19356427ec2c10ea52

            SHA512

            ec5607b2eda5239694cf696d836df1af8953ee30737e5a7a0fcbebfbdefdce812338a4db05cb61fccd49092e0a8842e34648d7bb2249174484db4670e5b9aa66

            Download Submit

          • C:\Program Files\Google\Chrome\updater.exe
            Filesize

            5.2MB

            MD5

            6e33878559f72813842849a3f50bf84f

            SHA1

            3a9f03b46c767776a8d3d5fd474cdbfec2e6f2d3

            SHA256

            8066b322136c434437c4754418e75779ccb560b802bded19356427ec2c10ea52

            SHA512

            ec5607b2eda5239694cf696d836df1af8953ee30737e5a7a0fcbebfbdefdce812338a4db05cb61fccd49092e0a8842e34648d7bb2249174484db4670e5b9aa66

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\xbpxoyrdaild.xml
            Filesize

            1KB

            MD5

            546d67a48ff2bf7682cea9fac07b942e

            SHA1

            a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

            SHA256

            eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

            SHA512

            10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

            Download Submit

          • C:\Windows\TEMP\xbpxoyrdaild.xml
            Filesize

            1KB

            MD5

            546d67a48ff2bf7682cea9fac07b942e

            SHA1

            a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

            SHA256

            eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

            SHA512

            10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

            Download Submit

          • \Program Files\Google\Chrome\updater.exe
            Filesize

            5.2MB

            MD5

            6e33878559f72813842849a3f50bf84f

            SHA1

            3a9f03b46c767776a8d3d5fd474cdbfec2e6f2d3

            SHA256

            8066b322136c434437c4754418e75779ccb560b802bded19356427ec2c10ea52

            SHA512

            ec5607b2eda5239694cf696d836df1af8953ee30737e5a7a0fcbebfbdefdce812338a4db05cb61fccd49092e0a8842e34648d7bb2249174484db4670e5b9aa66

            Download Submit

          • memory/1008-42-0x0000000140000000-0x0000000140013000-memory.dmp

            Filesize

            76KB

            Download

          • memory/1632-44-0x0000000000AE0000-0x0000000000B00000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1632-46-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-54-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-43-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-48-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-56-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-50-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-41-0x0000000000AE0000-0x0000000000B00000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1632-40-0x0000000000050000-0x0000000000070000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1632-58-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1632-52-0x0000000140000000-0x0000000140840000-memory.dmp

            Filesize

            8.2MB

            Download

          • memory/1648-15-0x000000013FA70000-0x000000013FFB3000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/1648-18-0x000000013FA70000-0x000000013FFB3000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/1648-0-0x000000013FA70000-0x000000013FFB3000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/1948-6-0x0000000001D30000-0x0000000001D38000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1948-7-0x000000000286B000-0x00000000028D2000-memory.dmp

            Filesize

            412KB

            Download

          • memory/1948-8-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1948-11-0x0000000002860000-0x00000000028E0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1948-10-0x0000000002860000-0x00000000028E0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1948-9-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1948-5-0x000000001B270000-0x000000001B552000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2376-23-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2376-22-0x0000000019B40000-0x0000000019E22000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2376-25-0x0000000000920000-0x00000000009A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2376-24-0x00000000009C0000-0x00000000009C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2376-27-0x0000000000920000-0x00000000009A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2376-26-0x0000000000920000-0x00000000009A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2376-30-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2376-29-0x0000000000920000-0x00000000009A0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2376-28-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2872-21-0x000000013F6D0000-0x000000013FC13000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/2872-39-0x000000013F6D0000-0x000000013FC13000-memory.dmp

            Filesize

            5.3MB

            Download