Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    f44f200e7d7f8ae6035b382a2a4240dd

  • SHA1

    8f11e6d44050813db4aa6ba0971ab873cc3ad797

  • SHA256

    a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8

  • SHA512

    193781602d1768e170dd9ed149fd07fe72f84789a7d25fe59ad62555f381e7470b4d30866609cf4a387834ed7fda7a2a552d8654117c5dea5cf3288b58c68a39

  • SSDEEP

    49152:3hU0Vy41dosEvIMf9FhcBYFUjeCnfDCvNb2aeP4mN:RU0zPoTvIYnh8vIlq

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:812
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:1960
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:4652
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:1088
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:4800
  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    1.8MB

    MD5

    7245206821acc6d23911633c24a239bb

    SHA1

    d8c466c0da33eef7eeed35e502aff1cdc5431aaa

    SHA256

    7b378351a7361d15d1af1b783d9b35ddc9b77327f2a4bbab3a6951a605783787

    SHA512

    106c0d4a0d9cc34fc038c9d3214d863d7df8f91403de31f3bb9578ebb4c493712ba37ed334752a41572335f019479bb21ae70e66a19cf66ca987935c9a9e12af

    Download Submit

  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    1.7MB

    MD5

    340bb1d43a3dadd32bfa123603a608ee

    SHA1

    2386e5e7abb20130f99334c512f648375ac3853f

    SHA256

    04a3155d5400e07e68c26bda8b7c46a19240452ba777e7c6e581d69c2adc8e8e

    SHA512

    7917b1d8ccf3d14332eb2518c1a7329ccf5966fcab165786bcbb8eb75932653e5e88f8fb582747c478fb8fa12051cf9ed8c4c9308c855b77fbf9968ec4f8cdcd

    Download Submit

  • memory/4028-4-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-12-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-11-0x00000000009B0000-0x00000000009D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4028-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-19-0x00000000013B0000-0x00000000013D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4028-20-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-21-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-22-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-23-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/4028-25-0x0000000011500000-0x0000000011520000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4028-24-0x00000000013D0000-0x00000000013F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4028-26-0x00000000013D0000-0x00000000013F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4028-27-0x0000000011500000-0x0000000011520000-memory.dmp

    Filesize

    128KB

    Download