Overview

overview

10

Static

static

1

Monero3070...xe.exe

windows7-x64

10

Monero3070...xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2024, 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Monero30705edgeexe.exe

  • Size

    2.6MB

  • MD5

    8665ea7a297abe90559362460f2ce3a0

  • SHA1

    db51d44010a656007628472533c1f052f2aec3e6

  • SHA256

    530d34800b671af8c4164660fb50475fb55acc031c93cd17213c24b4e132efbb

  • SHA512

    55f6ad6d89f314436b169210a2534021d941f1fcd27d58a92a464c8d268fba4d765173aa21c95dedd1cf17c80f79e71de142d98fd0955ed8f9bb5906c9f6c033

  • SSDEEP

    49152:b0oOoSqywDNmGUTCqP3XLn8eN0a2a8JAclbN7rIHIiY5lM3AW6leD8gxf5C73hr3:vOoSqywIaqP378eN0ZAclbN7rIHIRlMg

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Monero30705edgeexe.exe
    "C:\Users\Admin\AppData\Local\Temp\Monero30705edgeexe.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2028
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "EdgeUpdate"
      2⤵
      • Launches sc.exe
      PID:2864
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "EdgeUpdate" binpath= "C:\ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:1976
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:1820
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "EdgeUpdate"
      2⤵
      • Launches sc.exe
      PID:2216
  • C:\ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe
    C:\ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe
      Filesize

      92KB

      MD5

      27c5f6b519929b1a4af846f31daa2674

      SHA1

      36b60a8f96a6431635de3f36298cfbd8fe674527

      SHA256

      96572c3361356cf4bbc0f1472611d3c0a134673c6b92de964a9086acae96f17e

      SHA512

      63ce67786a99cd825b6b26fb67c22ddac44d80587f377c5f328f10fb3e090ae4bc126892d43918a657ad248766b75e461350e91d08d686ea208b85cdb9583879

      Download Submit

    • C:\ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe
      Filesize

      1.6MB

      MD5

      249daa85fcffde4f300d0c6877b5d4fa

      SHA1

      285e140090168049a092ee86e85da522857071e6

      SHA256

      41e404d6c6a4994b0373f568afd53434598c52766e2e0401bc437a792f98fa14

      SHA512

      dd7c32e3ab5e24b1aaba97d35df9318e347c396c26d4e153f2f5216e227ea21d4412e308353830635a68a173b8b9694e9539a6ea46f7242ba9071b1b0a011bd4

      Download Submit

    • \ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe
      Filesize

      1.2MB

      MD5

      96ae3126fddce8f185bf3a0b25eb159c

      SHA1

      99eb05451782e331f14992160f678db660492116

      SHA256

      eb461df8575885fd0cd3c00633a8a7e21b6bfae7ac850b373ed4034e96dbc45a

      SHA512

      d5b29421faa1a0f9de33ed1589015c4e8ce06ea44c9f31b670e5887f5a6fb5eab700c9788e4c67e5d0218623badeee992302af24d82d9a5bbc7fe13e89101380

      Download Submit

    • \ProgramData\Microsoft\EdgeUpdate\Log\EdgeUpdate.exe
      Filesize

      1.2MB

      MD5

      c5bcb0ddd35b73c72bab8e8ce6744812

      SHA1

      7c2b25d9cd96ae6921427d38672fc6728295a336

      SHA256

      88b74a3da556615c98859798630f7396f0ad7cf7c3b7c6196df8f31ee8bf454b

      SHA512

      cc1957ca1db10efd2ad3043c73ee6cfa9d905837bfb1fd30f70c4390e6f53c5a019a5db588b32fe90f846f68fc39a90b5a0080b08aaf42823b448027acf409a2

      Download Submit

    • memory/2628-10-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2628-4-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2628-5-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2628-6-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2628-7-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2628-8-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2736-16-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-19-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-24-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-22-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-20-0x0000000000040000-0x0000000000060000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2736-15-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-23-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-12-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-21-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-25-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-18-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-17-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-14-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-26-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-28-0x0000000000F40000-0x0000000000F60000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2736-27-0x0000000140000000-0x0000000140848000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/2736-29-0x0000000000F40000-0x0000000000F60000-memory.dmp

      Filesize

      128KB

      Download