Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2024, 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    38c0b2afe8b84b4efdb667c28a8b1e7a

  • SHA1

    9280a53dac98d2076398e1d40d185232d456d3b3

  • SHA256

    9151e8f43f29772128e76d48d2cb94a7ad1bd114bf554c47309396a7b1d14e47

  • SHA512

    238a03bdcfde97f86d1494436e856f4ec1aa5299e09be8aff207566deb280c9c516581651bd1d0b5808c7049a43227a368341e646c455f8b361e0d1c0946ea09

  • SSDEEP

    49152:FjLWoR4/RmuZ7KVMxGBJCf0fXyhErbWrZJHsfoGqepCEEbHkN2:JLWS4/RmGK6wzCf0yErb2ZJHYoGqep7j

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2640
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XVCVACYV"
      2⤵
      • Launches sc.exe
      PID:1408
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XVCVACYV" binpath= "C:\ProgramData\hclhjvwilkyl\umpyppfqagyv.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2696
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:2768
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XVCVACYV"
      2⤵
      • Launches sc.exe
      PID:2772
  • C:\ProgramData\hclhjvwilkyl\umpyppfqagyv.exe
    C:\ProgramData\hclhjvwilkyl\umpyppfqagyv.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\hclhjvwilkyl\umpyppfqagyv.exe
    Filesize

    902KB

    MD5

    754e4057b7bc7c843f0443ca01f7eeac

    SHA1

    3cbb907265856d6d862ec95dfa3ba8fce35aef36

    SHA256

    7f54c1160e49d81d69e6a5b4f1b48e8f3e2e78d4cd75bd34c301ae16f3a14d7e

    SHA512

    0122fa0f88668486565a9274e9c6ecb1addc60e7561e1593b277344daccaf705d2d8a4c77ed472382fbb86ee10e964d78be0353cc5464af8145df74839abd6cd

    Download Submit

  • \ProgramData\hclhjvwilkyl\umpyppfqagyv.exe
    Filesize

    1.3MB

    MD5

    385fe85d8481dba681b6fc449f3aaa62

    SHA1

    a9992bb076c696cffb48ce4c9e48ff8d2dffc3f4

    SHA256

    25907187966f2d63472b15c8b671c1bc30af3bc7c3fb975ffe7a38e8bc931e34

    SHA512

    86335decad3917b9cb37b7e718f46c9fa01a437354ccf1db5ac207a995f87fcf3b4ef73953e49b8eb0bd96be7d661c8e433b744ecb1f276f5f2cda834ff1980e

    Download Submit

  • \ProgramData\hclhjvwilkyl\umpyppfqagyv.exe
    Filesize

    1.1MB

    MD5

    17cffeaf552cc416c08759873b9031ca

    SHA1

    c66a876ceec380c7214eeb3a09926248e2ad833e

    SHA256

    7863c5df2d8a3cfcf54f544d380b2c35b77785db1bc0e0c67cbfa3e8c8540795

    SHA512

    b25ff5c23063fd32dd4ed91856ebc5fb70879b6c30460b4a996bb8ee7cefa090b0677f630e8fb4758bdf0c2682a6ace1793c23185df1b340ec3fd8348fdc412e

    Download Submit

  • memory/2928-11-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-12-0x0000000000130000-0x0000000000150000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2928-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-19-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2928-20-0x00000000007C0000-0x00000000007E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2928-21-0x00000000007E0000-0x0000000000800000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2928-22-0x00000000007C0000-0x00000000007E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2928-23-0x00000000007E0000-0x0000000000800000-memory.dmp

    Filesize

    128KB

    Download