Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2024 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    f44f200e7d7f8ae6035b382a2a4240dd

  • SHA1

    8f11e6d44050813db4aa6ba0971ab873cc3ad797

  • SHA256

    a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8

  • SHA512

    193781602d1768e170dd9ed149fd07fe72f84789a7d25fe59ad62555f381e7470b4d30866609cf4a387834ed7fda7a2a552d8654117c5dea5cf3288b58c68a39

  • SSDEEP

    49152:3hU0Vy41dosEvIMf9FhcBYFUjeCnfDCvNb2aeP4mN:RU0zPoTvIYnh8vIlq

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2232
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:1904
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2264
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2276
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:2836
  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    2.1MB

    MD5

    03e4cbdcfe5a4665c7a341a383000a4b

    SHA1

    89256e5f8946fe69f364187aa2371c6781de152a

    SHA256

    3050659ac9a8a276b1076292d9b4fb2829e1637945478db0c75765de5a563c59

    SHA512

    27c9473794e21b1b17deb252eaab2fedbc11f9cbffed794fdd77e5c8bab5a5c059e363f6047cd4c775bc1de73e7707878a13aa246a0d3f37be006ec445b42f42

    Download Submit

  • \ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    2.5MB

    MD5

    f44f200e7d7f8ae6035b382a2a4240dd

    SHA1

    8f11e6d44050813db4aa6ba0971ab873cc3ad797

    SHA256

    a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8

    SHA512

    193781602d1768e170dd9ed149fd07fe72f84789a7d25fe59ad62555f381e7470b4d30866609cf4a387834ed7fda7a2a552d8654117c5dea5cf3288b58c68a39

    Download Submit

  • \ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    2.2MB

    MD5

    fbbcfbf9661324432be04b370fbbba2a

    SHA1

    4491d4ffc656c613dddb6b1f8fa1e66f969c5d6c

    SHA256

    6124d4bac036e3a2f0a51f6b28f8f0ad8b89c678544d91981910a8a79a9d0cd9

    SHA512

    bd934feec127a481c5434a3e3d4337febcdeb617e681b7a336542b56f8820e9aaa1f4d4eab18d3b7bcb4083b7bfca077d19f665fc35d8c5378f5ad2fa92cdae0

    Download Submit

  • memory/2688-12-0x00000000002F0000-0x0000000000310000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2688-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-11-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-19-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2688-20-0x00000000007C0000-0x00000000007E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2688-21-0x0000000000860000-0x0000000000880000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2688-22-0x00000000007C0000-0x00000000007E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2688-23-0x0000000000860000-0x0000000000880000-memory.dmp

    Filesize

    128KB

    Download