Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    306s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-01-2024 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe

  • Size

    6.4MB

  • MD5

    2eafb4926d78feb0b61d5b995d0fe6ee

  • SHA1

    f6e75678f1dafcb18408452ea948b9ad51b5d83e

  • SHA256

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

  • SHA512

    1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

  • SSDEEP

    196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score
10/10
xmrigevasionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 20 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
    "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:4100
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:2880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:4152
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:3520
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:4172
  • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    1⤵
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\system32\conhost.exe
      conhost.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:1632
    • C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      1⤵
        PID:2208

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        60KB

        MD5

        7ad418f22cf00f66c163a8091cd5a3d9

        SHA1

        84b308cefa29024f2c3d8d48204c8e64cd32913c

        SHA256

        d922ebf190396b1fcce3f1a640092f7a8662ae7e3c9d6d13fab41fba874b85c9

        SHA512

        81fa186a8f8cf2712016aa93f1f6ce8c8e2acfe103369fcfdf947c8bdf7b295c22af405cacb6ad04db0ab57a7e617a1de72752d10de59d4494ab28ab7e509ad0

        Download Submit

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        104KB

        MD5

        646a42cb638d1daec42b1b9af551ba0f

        SHA1

        90ff1be7d50d7deafd09291b5fd34b4a58e6cdc3

        SHA256

        474c05d76f058bdc07c7618066ab117f8ac4ea8589aa69fbd85dec421756a5ba

        SHA512

        19deb1b4c6e9a127589eec28016dd78a3595d206d8871523875176c712d250640e078c80afb9a894f2be342f372ff7d3719a3e402565d53c90551ae78fc38579

        Download Submit

      • memory/380-5-0x00007FF686940000-0x00007FF68737D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/380-24-0x00007FF686940000-0x00007FF68737D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/1632-8-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1632-12-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1632-10-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1632-9-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1632-6-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/1632-7-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4100-2-0x00007FF75FFE0000-0x00007FF760A1D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4100-0-0x00007FF75FFE0000-0x00007FF760A1D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4668-29-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-14-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-19-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-21-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-22-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-25-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-26-0x000001C6A0CE0000-0x000001C6A0D00000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4668-28-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-18-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-30-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-31-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-27-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-17-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-16-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-15-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-20-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-34-0x000001C6A0E60000-0x000001C6A0EA0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4668-35-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-36-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-37-0x000001C6A0E30000-0x000001C6A0E50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4668-38-0x000001C6A0E30000-0x000001C6A0E50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4668-39-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-40-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-41-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-44-0x000001C6A0EA0000-0x000001C6A0EC0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4668-43-0x000001C6A0E30000-0x000001C6A0E50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4668-42-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/4668-46-0x000001C6A0EA0000-0x000001C6A0EC0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4668-45-0x000001C6A0E30000-0x000001C6A0E50000-memory.dmp

        Filesize

        128KB

        Download