Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    08-01-2024 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe

  • Size

    6.4MB

  • MD5

    2eafb4926d78feb0b61d5b995d0fe6ee

  • SHA1

    f6e75678f1dafcb18408452ea948b9ad51b5d83e

  • SHA256

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

  • SHA512

    1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

  • SSDEEP

    196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score
10/10
xmrigevasionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 20 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
    "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1096
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2948
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:2716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3060
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:2324
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2724
  • C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    1⤵
      PID:2856
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      1⤵
        PID:2240
      • C:\Windows\system32\conhost.exe
        conhost.exe
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        1⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2084

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        200KB

        MD5

        af8731dbd6a485a9f59afb65c84e2366

        SHA1

        476998a063e24db7fd98dbb67c55d16a76d6a16a

        SHA256

        65a5b4e30e8beb761315597fc1c3b6d7d8685bafb2a2ac6033ca7615dc7d3c39

        SHA512

        fa1c10d79319726fa6825a08a6b169edd6df021809455b4d8cd80e0ff97e7e78a3730a3cfce4d94752769eba3e94a09b11d8714f776d45b60395a4344f8a5482

        Download Submit

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        565KB

        MD5

        03a547f632dddc8d0590b172f6110791

        SHA1

        f9ca6b0293355e229404dfbc2b5b907df9344b41

        SHA256

        f905538c59d146f205ec237261c1d22b3d9402b2134a81435f654dedd83c64a8

        SHA512

        4adcdff92b7d231824744f29fc3035631572d521035f6aae8f3bce8cc1560d5379f0a1cdb5c0c262aa4d0d448394ac1c3ccd99362c4794c04218920f57cb3407

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        761KB

        MD5

        0f99021c328f60aec0519a75221ba113

        SHA1

        55060f4a45731d08778144f34e3fc10fcfa04e9b

        SHA256

        e708c0d4d13d388accf1145859abd2ac3199b47bcdebefbee57d2c1734c582f0

        SHA512

        60d1d5a692dad5a7b4873799a4015d377986a3625e77da2ee4f2e8b072115434f64d3447a83f601baf3101880c3dc5a6577bdd870d02fe134e74930583b683c5

        Download Submit

      • \ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        704KB

        MD5

        7fda452987baf3e39cc17d18bbb79055

        SHA1

        79b6375eef535ea345dab830bcf25ee5b70dd8f7

        SHA256

        b3701eb6fecc5afdd6f22dc6995318b87991ccdf978d5c7393978741a272ab33

        SHA512

        577cd1b5c0d453e9fe19052e79f4da8d5f2f5fef4d50c1ffdba467026df99b5c84a39904d64adc19619916dba072e75e5ac5d49ee076dd07e7f8a27dda8e95f1

        Download Submit

      • memory/1096-2-0x000000013FB80000-0x00000001405BD000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/1096-0-0x000000013FB80000-0x00000001405BD000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/1984-34-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-35-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-16-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-17-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-18-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-19-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-45-0x0000000000380000-0x00000000003A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1984-20-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-21-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-22-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-44-0x0000000000350000-0x0000000000370000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1984-43-0x0000000000380000-0x00000000003A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1984-42-0x0000000000350000-0x0000000000370000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1984-23-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-41-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-24-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-26-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-40-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-28-0x0000000000040000-0x0000000000060000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1984-29-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-30-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-31-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-32-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-33-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-39-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-38-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1984-36-0x0000000000350000-0x0000000000370000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1984-37-0x0000000000350000-0x0000000000370000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2084-6-0x000000013F2C0000-0x000000013FCFD000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2084-27-0x000000013F2C0000-0x000000013FCFD000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2240-7-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2240-8-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2240-9-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2240-10-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2240-11-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/2240-13-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download