Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    295s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe

  • Size

    6.4MB

  • MD5

    2eafb4926d78feb0b61d5b995d0fe6ee

  • SHA1

    f6e75678f1dafcb18408452ea948b9ad51b5d83e

  • SHA256

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

  • SHA512

    1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

  • SSDEEP

    196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score
10/10
xmrigevasionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 16 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
    "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1740
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:3048
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2564
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:2604
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2568
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2744
  • C:\Windows\system32\conhost.exe
    conhost.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2480
  • C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    1⤵
      PID:2056
    • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      1⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2820
    • C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      1⤵
        PID:2612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        92KB

        MD5

        6ce7a1ee93a7109452657215be98b130

        SHA1

        42dd1e150fa1ca3932d7e1a8f2b3f651fc1d42d0

        SHA256

        aa242b991535f631e0612bb6b53baf2cec51e023d2c7d5fc38a479ef81a38d54

        SHA512

        9d9c3dadde8ec279002f7f3be6dc572c546abfa0bd4b342821e25f6bbeb375450d642a77f108fcead47efe0ef4af6ce9d583f728834de7e301e5eb76ce114aa1

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        893KB

        MD5

        38f989de2af5f871b11c8e30e58cfb6f

        SHA1

        bea8f4ad5171c988487b6d5d33c2d2aa6ceb40b5

        SHA256

        95d10419ada00d3c9d308ca2408942eb60d4c2cabfc9dbbb66e16444774fea38

        SHA512

        ed8cfff2dac94e14e63f64152664182d41c06f3eb20e6a4760d87d7e723f5d088cb3045fd6b7fa2155db93dca869d2daa9b2ff52d2d715c8c3898b9e444220af

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        384KB

        MD5

        6100cf1c34acb287caa6a7cdc7ec51a5

        SHA1

        0207792e053162a0dda39bb784f8df76f92c7943

        SHA256

        dcb4c821180e7de31a5fef0abc84b85c629e362c5d1951782c5801406e7acad7

        SHA512

        990551e46e4201e51c12e03287dd8600a74f088943eed063622f9191a27808e9d091362991739df6e4f1eb82d22f8783ed9caf0b8792e487655ad7dd0d9fd334

        Download Submit

      • memory/1740-2-0x000000013FF10000-0x000000014094D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/1740-0-0x000000013FF10000-0x000000014094D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2056-13-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2056-7-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2056-8-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2056-9-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2056-10-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2056-11-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2480-33-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-18-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-27-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-44-0x0000000000700000-0x0000000000720000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2480-24-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-21-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-20-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-17-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-32-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-31-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-29-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-28-0x00000000000B0000-0x00000000000D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2480-23-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-22-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-19-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-30-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-16-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-45-0x0000000000F90000-0x0000000000FB0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2480-35-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-36-0x0000000000700000-0x0000000000720000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2480-34-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-37-0x0000000000700000-0x0000000000720000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2480-39-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-40-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-38-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/2480-43-0x0000000000F90000-0x0000000000FB0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2480-42-0x0000000000700000-0x0000000000720000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2820-6-0x000000013F980000-0x00000001403BD000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2820-26-0x000000013F980000-0x00000001403BD000-memory.dmp

        Filesize

        10.2MB

        Download