Analysis

  • max time kernel
    117s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-01-2024 14:20

General

  • Target

    1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe

  • Size

    1.8MB

  • MD5

    7b7f4f390ecafc124ac298f5f58f46ae

  • SHA1

    ed19d12269c86117897865ebc3e6e79d11d485a6

  • SHA256

    1be33e42910515d58685e4cee83c4c9b7de4e6a155a6fd936922682a9922d42d

  • SHA512

    fc37474112152bc9ea1d3671b445fc59995e868bac2203147854824ea94e5d171a5b1e29474403377b504ac778f04b3290628383758ec428f6838e0271eb7545

  • SSDEEP

    49152:VEVUcg1LD3L+nIrBQfLdKiDRB1X8wcWynn:VE3g1RkAiDrmwchnn

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
    "C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Google\Chrome\Update\Chrome.exe
      C:\Google\Chrome\Update\Chrome.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\ExxprQSiUG\cfgi"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe" "Chrome.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2928

Network

  • flag-us
    DNS
    chromeupdate.linkpc.net
    notepad.exe
    Remote address:
    8.8.8.8:53
    Request
    chromeupdate.linkpc.net
    IN A
    Response
    chromeupdate.linkpc.net
    IN A
    178.238.184.127
  • 178.238.184.127:2222
    chromeupdate.linkpc.net
    notepad.exe
    950 B
    2.1kB
    9
    7
  • 8.8.8.8:53
    chromeupdate.linkpc.net
    dns
    notepad.exe
    69 B
    85 B
    1
    1

    DNS Request

    chromeupdate.linkpc.net

    DNS Response

    178.238.184.127

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Google\Chrome\Update\Chrome.exe

    Filesize

    1.5MB

    MD5

    94f3e40ceba94f6d85d5731c2a5d380d

    SHA1

    a378f737bfea085b152744c2761e16e9be2007eb

    SHA256

    5159fa4d7cce05595f252d37924546906020526e0d4509768f71c0f3f778235b

    SHA512

    3f1151b17290b53bdf1024fc5059fe8f95b5afa06576b389587f9abe85ab69c02f88d2b45dc736ff6b7dcd6a383453b7a0d3673b23704774da8a485c806c1154

  • C:\ProgramData\ExxprQSiUG\cfgi

    Filesize

    1KB

    MD5

    ad944040de134ef4ef9bbd7b59eec818

    SHA1

    541be6a2f3001bd98898d1d9b23c625f6b1d338b

    SHA256

    e54f48a66e6124b152b37d8092a9505039bb49a6e984d52dd75a4139603dbbfb

    SHA512

    0e73ee9489d18e0d4fbdfb29e2b0555f8b8c9ca919d268873b307ade7b7b2353e850b4725303ecbd066bb892050ebd69994f1c623f56f938756e1fce4bedd30b

  • memory/1696-7-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1696-0-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1696-28-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2696-31-0x00000000003B0000-0x00000000003C0000-memory.dmp

    Filesize

    64KB

  • memory/2696-32-0x00000000003E0000-0x00000000003F0000-memory.dmp

    Filesize

    64KB

  • memory/2696-24-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

  • memory/2696-26-0x0000000000370000-0x0000000000380000-memory.dmp

    Filesize

    64KB

  • memory/2696-21-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

  • memory/2696-25-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

  • memory/2696-20-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

  • memory/2696-29-0x00000000003A0000-0x00000000003B0000-memory.dmp

    Filesize

    64KB

  • memory/2696-30-0x00000000003C0000-0x00000000003D0000-memory.dmp

    Filesize

    64KB

  • memory/2696-18-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

  • memory/2696-33-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/2696-23-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

  • memory/2696-34-0x0000000001E40000-0x0000000001E50000-memory.dmp

    Filesize

    64KB

  • memory/2696-35-0x0000000001E50000-0x0000000001E60000-memory.dmp

    Filesize

    64KB

  • memory/2696-36-0x00000000003D0000-0x00000000003E0000-memory.dmp

    Filesize

    64KB

  • memory/2696-37-0x0000000001E30000-0x0000000001E40000-memory.dmp

    Filesize

    64KB

  • memory/2696-38-0x00000000003C0000-0x00000000003D0000-memory.dmp

    Filesize

    64KB

  • memory/2696-39-0x00000000003B0000-0x00000000003C0000-memory.dmp

    Filesize

    64KB

  • memory/2696-40-0x00000000003E0000-0x00000000003F0000-memory.dmp

    Filesize

    64KB

  • memory/2696-41-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/2696-42-0x0000000001E40000-0x0000000001E50000-memory.dmp

    Filesize

    64KB

  • memory/2696-43-0x0000000001E50000-0x0000000001E60000-memory.dmp

    Filesize

    64KB

  • memory/2696-45-0x0000000001E30000-0x0000000001E40000-memory.dmp

    Filesize

    64KB

  • memory/2696-44-0x00000000003D0000-0x00000000003E0000-memory.dmp

    Filesize

    64KB