Overview

overview

10

Static

static

7

2db57ce54e...00.exe

windows7-x64

10

2db57ce54e...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2023 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2db57ce54e3c9ee09054c858d89e9300.exe

  • Size

    205.9MB

  • MD5

    2db57ce54e3c9ee09054c858d89e9300

  • SHA1

    eceb2f537bed937badcd1ff64eff898584f1a238

  • SHA256

    8374150f7e13d1cdc83fd837b81155268daa32c4cf645bbfa557f59c532d4e16

  • SHA512

    331ad9ac464b4370f1497c387e33ac86dbffe0aff418f8e458ff528a10477ce865eefa07e7313f3cbaf06b98e6cf5dd308e2d53acfc77a373dffb401706e397d

  • SSDEEP

    196608:Y+Q/XL8rMJqxd9aammTdhs5vARNEdwjRRj1iwXx1oW:Y+Q/b8rMJ2dMammJhs+EMRJiwXxP

Score
10/10
xmrigevasionminerthemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • XMRig Miner payload 10 IoCs
    miner
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\2db57ce54e3c9ee09054c858d89e9300.exe
        "C:\Users\Admin\AppData\Local\Temp\2db57ce54e3c9ee09054c858d89e9300.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:2924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:3024
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2356
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:2700
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2712
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /delete /f /tn "AppData"
        2⤵
          PID:2764
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "AppData" /xml "C:\Users\Admin\AppData\Local\Temp\zmyrrcgaiphy.xml"
          2⤵
          • Creates scheduled task(s)
          PID:2732
        • C:\Windows\System32\schtasks.exe
          C:\Windows\System32\schtasks.exe /run /tn "AppData"
          2⤵
            PID:2744
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2db57ce54e3c9ee09054c858d89e9300.exe"
            2⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Windows\System32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:2816
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2552
            • C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2796
              • C:\Windows\System32\sc.exe
                sc stop UsoSvc
                3⤵
                • Launches sc.exe
                PID:1064
              • C:\Windows\System32\sc.exe
                sc stop WaaSMedicSvc
                3⤵
                • Launches sc.exe
                PID:1232
              • C:\Windows\System32\sc.exe
                sc stop wuauserv
                3⤵
                • Launches sc.exe
                PID:328
              • C:\Windows\System32\sc.exe
                sc stop bits
                3⤵
                • Launches sc.exe
                PID:2008
              • C:\Windows\System32\sc.exe
                sc stop dosvc
                3⤵
                • Launches sc.exe
                PID:2016
            • C:\Windows\System32\schtasks.exe
              C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "AppData" /xml "C:\Windows\TEMP\zmyrrcgaiphy.xml"
              2⤵
              • Creates scheduled task(s)
              PID:1704
            • C:\Windows\System32\conhost.exe
              C:\Windows\System32\conhost.exe
              2⤵
                PID:2428
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1800
            • C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe
              "C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"
              1⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2520

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe
              Filesize

              205.9MB

              MD5

              2db57ce54e3c9ee09054c858d89e9300

              SHA1

              eceb2f537bed937badcd1ff64eff898584f1a238

              SHA256

              8374150f7e13d1cdc83fd837b81155268daa32c4cf645bbfa557f59c532d4e16

              SHA512

              331ad9ac464b4370f1497c387e33ac86dbffe0aff418f8e458ff528a10477ce865eefa07e7313f3cbaf06b98e6cf5dd308e2d53acfc77a373dffb401706e397d

              Download Submit

            • C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe
              Filesize

              205.9MB

              MD5

              2db57ce54e3c9ee09054c858d89e9300

              SHA1

              eceb2f537bed937badcd1ff64eff898584f1a238

              SHA256

              8374150f7e13d1cdc83fd837b81155268daa32c4cf645bbfa557f59c532d4e16

              SHA512

              331ad9ac464b4370f1497c387e33ac86dbffe0aff418f8e458ff528a10477ce865eefa07e7313f3cbaf06b98e6cf5dd308e2d53acfc77a373dffb401706e397d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\zmyrrcgaiphy.xml
              Filesize

              1KB

              MD5

              95e95e8f4133ea80e2ea663a0afb2250

              SHA1

              51cdf84b91748323d6495df7228b1f15eef9a50d

              SHA256

              b2a465f622636c8ff5942e86e7a77b3b72e217ade80b05f265d3b0e9798cf64f

              SHA512

              48e77eb3d3127140d93c469d929976ce34bd6deffba2d97043c29cc1ad28064e8f650f5b1a8b2373c6253009b8491d4f189a94ec05d9e78603de744ca1ef7ca2

              Download Submit

            • C:\Windows\TEMP\zmyrrcgaiphy.xml
              Filesize

              1KB

              MD5

              95e95e8f4133ea80e2ea663a0afb2250

              SHA1

              51cdf84b91748323d6495df7228b1f15eef9a50d

              SHA256

              b2a465f622636c8ff5942e86e7a77b3b72e217ade80b05f265d3b0e9798cf64f

              SHA512

              48e77eb3d3127140d93c469d929976ce34bd6deffba2d97043c29cc1ad28064e8f650f5b1a8b2373c6253009b8491d4f189a94ec05d9e78603de744ca1ef7ca2

              Download Submit

            • \Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe
              Filesize

              205.9MB

              MD5

              2db57ce54e3c9ee09054c858d89e9300

              SHA1

              eceb2f537bed937badcd1ff64eff898584f1a238

              SHA256

              8374150f7e13d1cdc83fd837b81155268daa32c4cf645bbfa557f59c532d4e16

              SHA512

              331ad9ac464b4370f1497c387e33ac86dbffe0aff418f8e458ff528a10477ce865eefa07e7313f3cbaf06b98e6cf5dd308e2d53acfc77a373dffb401706e397d

              Download Submit

            • memory/1800-47-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-51-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-49-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-53-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-45-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-43-0x0000000000390000-0x00000000003B0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1800-55-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-42-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-57-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-59-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/1800-40-0x0000000000390000-0x00000000003B0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1800-38-0x0000000000230000-0x0000000000250000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1800-61-0x0000000140000000-0x0000000140840000-memory.dmp

              Filesize

              8.2MB

              Download

            • memory/2224-14-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2224-13-0x0000000001F80000-0x0000000002000000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2224-6-0x000000001B180000-0x000000001B462000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2224-8-0x00000000023A0000-0x00000000023A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2224-7-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2224-9-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2224-12-0x0000000001F80000-0x0000000002000000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2224-10-0x0000000001F80000-0x0000000002000000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2224-11-0x0000000001F80000-0x0000000002000000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2428-41-0x0000000140000000-0x0000000140013000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2520-22-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download

            • memory/2520-39-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download

            • memory/2520-21-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download

            • memory/2520-31-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download

            • memory/2552-23-0x00000000199E0000-0x0000000019CC2000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2552-25-0x0000000001080000-0x0000000001100000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2552-24-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2552-30-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2552-29-0x0000000001080000-0x0000000001100000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2552-28-0x0000000001080000-0x0000000001100000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2552-27-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2552-26-0x0000000000950000-0x0000000000958000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2924-0-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download

            • memory/2924-18-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download

            • memory/2924-1-0x0000000140000000-0x0000000140E0D000-memory.dmp

              Filesize

              14.1MB

              Download