Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    287s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe

  • Size

    6.4MB

  • MD5

    2eafb4926d78feb0b61d5b995d0fe6ee

  • SHA1

    f6e75678f1dafcb18408452ea948b9ad51b5d83e

  • SHA256

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

  • SHA512

    1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

  • SSDEEP

    196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score
10/10
xmrigevasionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 19 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
    "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2108
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2696
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2816
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:2804
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2800
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:2728
  • C:\Windows\system32\conhost.exe
    conhost.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3028
  • C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    1⤵
      PID:2596
    • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      1⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2860
    • C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      1⤵
        PID:2716

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        381KB

        MD5

        8d48869090dc094963a41a18bfdb90e0

        SHA1

        9972690a0d57608caf5ad5ff9f605917cd683557

        SHA256

        1dc8b5d373e935383e698048a47f12225d99fa171e41f592d921533878a610cc

        SHA512

        9d4228d1b12f30d6a8fc70eaaafe015b354bc1bee21b9879041935f4948cd40d09d3b993d1265c2a2705879bb2baa1be9a6058f68eb4088b207d5d720e8b993a

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        385KB

        MD5

        96f74b1f1366f7eb54b7907dfcdde738

        SHA1

        73df985f5a0555224c3a2c1d89daf6009ede56fd

        SHA256

        f7b1ef5cfacbf0eeb63038878a7c662c8e93aa193545e2b7bfa79c7f5c2d3160

        SHA512

        8589ccb11932b21598e7ce1706162e195a65a82108fb9b0976c08b9604d2180c762d7b148ae935ea8f7004d886d9d0230e70afd32ed5e977b93970de05c0d275

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        94KB

        MD5

        0dc2dc03053c72f7e92a9457e895a14f

        SHA1

        15763ffdd575aec69cf2a1abf376cbd38e00e6b3

        SHA256

        6c8605662fe00c0d4d9df0cdfcc37a4e36f65a09192ba1e311e9731cd85ebb04

        SHA512

        e931314206cb3edab85e5394961d36a44b3dd018b256d383ee9f83356d318c6aaba6c3cd713248c7e91177e76d5757fdad14073eda7ceda639e05fc22650bbce

        Download Submit

      • memory/2108-0-0x000000013F300000-0x000000013FD3D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2108-2-0x000000013F300000-0x000000013FD3D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2596-9-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2596-7-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2596-8-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2596-13-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2596-10-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2596-11-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2860-6-0x000000013FE00000-0x000000014083D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2860-26-0x000000013FE00000-0x000000014083D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/3028-32-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-20-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-27-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-22-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-21-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-19-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-16-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-31-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-33-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-30-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-28-0x00000000000B0000-0x00000000000D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3028-24-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-23-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-29-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-18-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-17-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-35-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-36-0x00000000003C0000-0x00000000003E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3028-34-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-37-0x00000000003C0000-0x00000000003E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3028-38-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-40-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-39-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3028-42-0x00000000003C0000-0x00000000003E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3028-43-0x0000000000500000-0x0000000000520000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3028-44-0x00000000003C0000-0x00000000003E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3028-45-0x0000000000500000-0x0000000000520000-memory.dmp

        Filesize

        128KB

        Download