Analysis
-
max time kernel
133s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
19/11/2023, 20:45
General
-
Target
1e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a.exe
-
Size
24.9MB
-
MD5
9a7ad587ebb1677287f7a9ffef2c1a20
-
SHA1
6c4ea120268888b821ce6b13d2965e64200075ba
-
SHA256
1e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a
-
SHA512
595b8401fc098428a25f75e072b8a98e01f043d02472c6d2eaccfcf45c5bd055a1fb58abf2dc0176ea4cc343f35107f6d411b66e1e43c23a43e2cae0d0266521
-
SSDEEP
98304:uSWRZML74SV5/tehLUI5YvY/hIf4n08IOeGq6Tt5r1MR:uLRZM/4a6XU40K1J5r1M
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 8 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a.exe"C:\Users\Admin\AppData\Local\Temp\1e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "AppData"2⤵
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "AppData" /xml "C:\Users\Admin\AppData\Local\Temp\nuwpcgvwftpl.xml"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a.exe"2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "AppData"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "AppData" /xml "C:\Windows\TEMP\nuwpcgvwftpl.xml"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 31⤵
-
C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop dosvc1⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits1⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv1⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc1⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop UsoSvc1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24.9MB
MD59a7ad587ebb1677287f7a9ffef2c1a20
SHA16c4ea120268888b821ce6b13d2965e64200075ba
SHA2561e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a
SHA512595b8401fc098428a25f75e072b8a98e01f043d02472c6d2eaccfcf45c5bd055a1fb58abf2dc0176ea4cc343f35107f6d411b66e1e43c23a43e2cae0d0266521
-
Filesize
24.9MB
MD59a7ad587ebb1677287f7a9ffef2c1a20
SHA16c4ea120268888b821ce6b13d2965e64200075ba
SHA2561e9a457e1a02eb67419d8b9347893b0634096c892d9edf38e8a231852ef3ba0a
SHA512595b8401fc098428a25f75e072b8a98e01f043d02472c6d2eaccfcf45c5bd055a1fb58abf2dc0176ea4cc343f35107f6d411b66e1e43c23a43e2cae0d0266521
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD595e95e8f4133ea80e2ea663a0afb2250
SHA151cdf84b91748323d6495df7228b1f15eef9a50d
SHA256b2a465f622636c8ff5942e86e7a77b3b72e217ade80b05f265d3b0e9798cf64f
SHA51248e77eb3d3127140d93c469d929976ce34bd6deffba2d97043c29cc1ad28064e8f650f5b1a8b2373c6253009b8491d4f189a94ec05d9e78603de744ca1ef7ca2
-
Filesize
1KB
MD595e95e8f4133ea80e2ea663a0afb2250
SHA151cdf84b91748323d6495df7228b1f15eef9a50d
SHA256b2a465f622636c8ff5942e86e7a77b3b72e217ade80b05f265d3b0e9798cf64f
SHA51248e77eb3d3127140d93c469d929976ce34bd6deffba2d97043c29cc1ad28064e8f650f5b1a8b2373c6253009b8491d4f189a94ec05d9e78603de744ca1ef7ca2
-
Filesize
8.2MB
-
Filesize
64KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
256KB
-
Filesize
128KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
724KB
-
Filesize
64KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
260KB
-
Filesize
9.1MB
-
Filesize
260KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
632KB
-
Filesize
260KB
-
Filesize
2.8MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
2.0MB
-
Filesize
76KB
-
Filesize
632KB
-
Filesize
2.8MB
-
Filesize
260KB
-
Filesize
9.1MB
-
Filesize
632KB
-
Filesize
2.0MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
2.0MB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
9.1MB
-
Filesize
2.8MB