Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    f44f200e7d7f8ae6035b382a2a4240dd

  • SHA1

    8f11e6d44050813db4aa6ba0971ab873cc3ad797

  • SHA256

    a8ae29395e8234f4d2a35a88ff8d34b353c716d81d0d7e05eacc5d4e2a2aacc8

  • SHA512

    193781602d1768e170dd9ed149fd07fe72f84789a7d25fe59ad62555f381e7470b4d30866609cf4a387834ed7fda7a2a552d8654117c5dea5cf3288b58c68a39

  • SSDEEP

    49152:3hU0Vy41dosEvIMf9FhcBYFUjeCnfDCvNb2aeP4mN:RU0zPoTvIYnh8vIlq

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3572
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:3924
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2264
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:1568
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XGRXZRAP"
      2⤵
      • Launches sc.exe
      PID:1416
  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    1.6MB

    MD5

    b0642494572ed4c71ae9195d39a13eb0

    SHA1

    35f40b959ca42e212e582d2bfabae63a83e261a8

    SHA256

    54dc75777c2e8bb125e843ab907c775ba0bb27e169f4b5ca979a0f5728811c88

    SHA512

    918ad780f3f8c85e7753b11ae27a12d3c40a844d61b8b22dcdacc5535a9a07accde6550813a16d81f07d35036d9647de441c403938305021bc790ec13966ecda

    Download Submit

  • C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
    Filesize

    2.1MB

    MD5

    61bd5a78215ba016d57f2c0f748cb03a

    SHA1

    3a98f63b32fc5cb24ae82e72ae7a2a1cade09e85

    SHA256

    e5be981b44b364ca54176c02e9d19402f05318f599f1ea7fa172cfa1e2285a96

    SHA512

    1feac275531229a07d33e44a0a21beb1adae29c1ea90d6f534f564e5c2faeb3fde68d0ec6995c4ccebf79c9586a07172b0f7bb5b9b50f7a3f235260687abbaee

    Download Submit

  • memory/456-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-4-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-11-0x0000000000DD0000-0x0000000000DF0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/456-12-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-19-0x0000000001440000-0x0000000001460000-memory.dmp

    Filesize

    128KB

    Download

  • memory/456-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-20-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-23-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-25-0x0000000001580000-0x00000000015A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/456-24-0x0000000001560000-0x0000000001580000-memory.dmp

    Filesize

    128KB

    Download

  • memory/456-22-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-21-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/456-26-0x0000000001560000-0x0000000001580000-memory.dmp

    Filesize

    128KB

    Download

  • memory/456-27-0x0000000001580000-0x00000000015A0000-memory.dmp

    Filesize

    128KB

    Download