Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2024 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    f44f200e7d7f8ae6035b382a2a4240dd

  • SHA1

    8f11e6d44050813db4aa6ba0971ab873cc3ad797

  • SHA256

    a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8

  • SHA512

    193781602d1768e170dd9ed149fd07fe72f84789a7d25fe59ad62555f381e7470b4d30866609cf4a387834ed7fda7a2a552d8654117c5dea5cf3288b58c68a39

  • SSDEEP

    49152:3hU0Vy41dosEvIMf9FhcBYFUjeCnfDCvNb2aeP4mN:RU0zPoTvIYnh8vIlq

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2516
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:1728
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2112
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:2656
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2372
  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    506KB

    MD5

    583e1ec0f81b676b16ecd01e1ebb2784

    SHA1

    389cb06fea8460e141ffd206fc044e86c4889760

    SHA256

    0b98ac5787d5a27eab2f3518ab64dfb3de4582f625fc8f64e53bec896791cba2

    SHA512

    c9d78c5079359c879e101128146485281790fe37895fb78e4faacbe72591458080a8d949351bc1af5a9d9a367269749772db5bd0954f256a6501e0ecaa7e48d1

    Download Submit

  • \ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    553KB

    MD5

    31f3cd2acd72b191a71880fcba081e93

    SHA1

    6823fc38e02e1c5bdaf45e0474a193b8b6593974

    SHA256

    263c6c9a2f7d4e6ef5dd888de673d8e6ca5b2bdd1933ea4d5e86a4e2d62c26b0

    SHA512

    c9647188361bd54277add2074d070197535e7bfff3608bc015a4986446c904cd5e1e598b965b45d549d75d18ce34c516c05cb32281a55248213420d5f27ca6ba

    Download Submit

  • \ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    419KB

    MD5

    0042c0a6e60200e6807e8475e57a2f8b

    SHA1

    fb7ac7dfc67913347717c972bc106d1d7a3027d9

    SHA256

    6e10a4bb94b15ae4adefd98dda7a5cfe764a896a5d536068240ac4a3ccc4b283

    SHA512

    d1aaa4cbf4be10922b5147d4529a17f0df6e91101ba44d444f1733a0af983550c28fe6a0c7fddcb2305e3d1d8dd68cc63109880fd863d0b4662f1dfe82e0c347

    Download Submit

  • memory/2996-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-12-0x00000000001B0000-0x00000000001D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2996-11-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-19-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2996-20-0x0000000001050000-0x0000000001070000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2996-21-0x0000000001070000-0x0000000001090000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2996-22-0x0000000001050000-0x0000000001070000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2996-23-0x0000000001070000-0x0000000001090000-memory.dmp

    Filesize

    128KB

    Download