Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    88s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.6MB

  • MD5

    34d4591575fdbde20d36469f54b0022f

  • SHA1

    0a938faca18c4733bc5fad3b1ae8c523eebcba86

  • SHA256

    bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

  • SHA512

    daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643

  • SSDEEP

    49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2316
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:772
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1588
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4976
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "EUJBTPMK"
      2⤵
      • Launches sc.exe
      PID:3592
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:3640
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:4168
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "EUJBTPMK"
      2⤵
      • Launches sc.exe
      PID:2152
  • C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
    C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\system32\cmd.exe
      cmd.exe
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3980
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
    Filesize

    1.9MB

    MD5

    cb8bf85607f64f880e4df62db78ddfd5

    SHA1

    33764efdbb343c65c32c2d43cb4accf7809d1e6a

    SHA256

    3faea2818094b8f8224bffbc05cb5156a8a3fe136363b0e0d7a2468aed90aca5

    SHA512

    6d4059429f29019f0c538ca43bbef260f27c0c99f31a573e00828c5fe4c59abf40dcdf016602002e4fb62880c8c3b321ba78118395060886d4e2a9f216145e66

    Download Submit

  • C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
    Filesize

    1.5MB

    MD5

    431231c285632939351851153a35e777

    SHA1

    82ae573b5f4fdd21c428449fde76b92ef94ee727

    SHA256

    c62cded889513f0afbd8e0d292156d1aeba517bdf2da32895ca256f19a12bf0e

    SHA512

    a8dd9869cfd320577b59d10fd69ed03abc481090ec9680256f153849fb507c2c8a8c1cb0782e590bd596a865380cc56a66c1e94248b4e630c113ce7aff1de28c

    Download Submit

  • memory/2324-4-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-11-0x00000286233A0000-0x00000286233C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2324-12-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-17-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-18-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-19-0x0000028623510000-0x0000028623530000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2324-20-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-22-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-23-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-25-0x0000028623550000-0x0000028623570000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2324-24-0x0000028623530000-0x0000028623550000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2324-21-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/2324-26-0x0000028623530000-0x0000028623550000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2324-27-0x0000028623550000-0x0000028623570000-memory.dmp

    Filesize

    128KB

    Download