Analysis

- max time kernel: 130s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 03:04
Behavioral task: behavioral1
Sample: 644e8e8e6ad41a273356cf99df310391.exe
Resource: win7-20231215-en
General

- Target: 644e8e8e6ad41a273356cf99df310391.exe
- Size: 784KB
- MD5: 644e8e8e6ad41a273356cf99df310391
- SHA1: e36e05efd57abe4d3a41948d3f815201ac0ba414
- SHA256: cba456b8210d0b899af786076a0de5ab23efae02de4d831d1f8bacd0b72a171a
- SHA512: 880c0d719f0c702ee58c82ce8eb185e50c7af80c0a06a495554ea3575188ae60142687b0b93999439456216c5c7060199649b3517fc4a1709e7c9b1d41c8909b
- SSDEEP: 24576:aQNWf9S/gMTP9NXpx2IOaZvOZhO7lw1LZAg:aQMf93MTPPL9BChuAh
Malware Config
Signatures

- XMRig Miner payload (6 IoCs)
  resource  yara_rule
  behavioral2/memory/4876-2-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral2/memory/4876-12-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral2/memory/3868-20-0x00000000053E0000-0x0000000005573000-memory.dmp  xmrig
  behavioral2/memory/3868-21-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral2/memory/3868-15-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral2/memory/3868-30-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig

- Deletes itself (1 IoC)
  pid   Process
  3868  644e8e8e6ad41a273356cf99df310391.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  3868  644e8e8e6ad41a273356cf99df310391.exe

- yara_rule: upx (3 IoCs)
  resource  yara_rule
  behavioral2/memory/4876-0-0x0000000000400000-0x0000000000712000-memory.dmp  upx
  behavioral2/files/0x00070000000231f2-11.dat  upx
  behavioral2/memory/3868-13-0x0000000000400000-0x0000000000712000-memory.dmp  upx

- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  4876  644e8e8e6ad41a273356cf99df310391.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      pid   Process
  Token: SeManageVolumePrivilege   2884  svchost.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  4876  644e8e8e6ad41a273356cf99df310391.exe
  3868  644e8e8e6ad41a273356cf99df310391.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                               procid_target
  PID 4876 wrote to memory of 3868    4876  644e8e8e6ad41a273356cf99df310391.exe  88
  PID 4876 wrote to memory of 3868    4876  644e8e8e6ad41a273356cf99df310391.exe  88
  PID 4876 wrote to memory of 3868    4876  644e8e8e6ad41a273356cf99df310391.exe  88
Processes

- C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe (depth 1, PID 4876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe (depth 2, child of the process above, PID 3868)
    Command line: C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage

- C:\Windows\system32\rundll32.exe (depth 1, PID 3996)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

- C:\Windows\System32\svchost.exe (depth 1, PID 2884)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 138KB
- MD5: cd4a185e2d5dfdb942c3573e4dca0803
- SHA1: 16f03f93d4b6e096382776805e0ebed13856270e
- SHA256: ed17eb50df7f81c1bec7625e0aae1c1cfed4c9cdf705431e45fc4b3174af4200
- SHA512: e5780767d9d8786d4f535f7ec983f87b280e5c56cddc40fa39108827edff40b567b49dc8704ea31e3dd8ea0282e8369a45603f2dcf1d5ba760c399e67a3a0705