Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2024 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    5dec9f02f7067194f9928e37ed05c8f6

  • SHA1

    06f13ca068514d08f0595ded4ef140078888235a

  • SHA256

    dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806

  • SHA512

    98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c

  • SSDEEP

    49152:A0jhMlqDbsynliN2InCFvy0l2aMEBLWw/3Ry0rP3Fga/EO7xhbAIXdTBpox:QyliNjnCFvxMEWw/hy0bFga/d7vbASB2

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:920
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "ACULXOBT"
      2⤵
      • Launches sc.exe
      PID:4724
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:4380
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:4068
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "ACULXOBT"
      2⤵
      • Launches sc.exe
      PID:4076
  • C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    Filesize

    263KB

    MD5

    cd6628749038b0dfc2ede71a98df1f5a

    SHA1

    da56627fbaddfa249ca9d966459795eeef12f86e

    SHA256

    f2724e0e6cd0d17ddc98fd018f06679a136e87be74d7f28f85986c2028d0a2a0

    SHA512

    b43709b0cb2397639acfdae5ff4971fa45e265f8b847b1c3d2aa7863fd4887e429e5db8a454868bdce7212ab58b952d9d71143759f22ddbc6b7c588b1478b339

    Download Submit

  • C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    Filesize

    2.0MB

    MD5

    4578db7feea613eb8794864a5bbfc0a7

    SHA1

    219e2f2dd5af10804f727b1a6bfecfe379a9e5d0

    SHA256

    1f593517705e5c325dccffcd1eb10db3e234e7edbbe5b68f2e8e445efadffb1a

    SHA512

    3387de844c88c9a969f39dfc834f88929740c2b028945d9a607f67315d4cf9f4455463e4715769b74eff7f120e8c3b33b6a01a36c31511c1207af1a4c41b0091

    Download Submit

  • memory/4120-4-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-11-0x0000000001080000-0x00000000010A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4120-12-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-19-0x0000000011700000-0x0000000011720000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4120-20-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-21-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-22-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-23-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4120-24-0x0000000011820000-0x0000000011840000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4120-25-0x0000000011840000-0x0000000011860000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4120-26-0x0000000011820000-0x0000000011840000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4120-27-0x0000000011840000-0x0000000011860000-memory.dmp

    Filesize

    128KB

    Download