Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    190s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07-02-2024 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe

  • Size

    2.5MB

  • MD5

    5dec9f02f7067194f9928e37ed05c8f6

  • SHA1

    06f13ca068514d08f0595ded4ef140078888235a

  • SHA256

    dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806

  • SHA512

    98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c

  • SSDEEP

    49152:A0jhMlqDbsynliN2InCFvy0l2aMEBLWw/3Ry0rP3Fga/EO7xhbAIXdTBpox:QyliNjnCFvxMEWw/hy0bFga/d7vbASB2

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe
    "C:\Users\Admin\AppData\Local\Temp\dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4756
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "ACULXOBT"
      2⤵
      • Launches sc.exe
      PID:200
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2292
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:428
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "ACULXOBT"
      2⤵
      • Launches sc.exe
      PID:2224
  • C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    Filesize

    760KB

    MD5

    cc3d5d3620b01ff2d3bc8a33edc12682

    SHA1

    53b409d014fd52b85c179b7cd24016684b7c5025

    SHA256

    1cb3b02e6df31e3454ab852af565a08a2b7484086eebd3f0b85ea7f2f8ecf277

    SHA512

    324478248d653103e1170118bf504c7bd78525d5977e64052eaa2429ef4042820c17e5644dd495d51109b32d8c7cb8a31c26350fd42bba72dc938a8d261dde90

    Download Submit

  • C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
    Filesize

    924KB

    MD5

    93452759bd84778c63e16d0ab0d98818

    SHA1

    d642a2cc6e7f8114d193fb2000fe6fb32a958182

    SHA256

    6d9a2ea97280b64c6db65243346ef83c6b7b62cdd68b5d348dd22773aa52b2a5

    SHA512

    3d51444ec62ac22fbf63ed07325aaebbf73e6072154cbe3530a0f03c33bf87d4a639785d76e3ddfe678686e9b7aee9fc04acb9b5899b9f774f076913e7742840

    Download Submit

  • memory/3340-5-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-8-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-7-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-11-0x0000000000A90000-0x0000000000AB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3340-10-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-13-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-14-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-12-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-16-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-15-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-9-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-6-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-4-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-19-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-21-0x0000000000B50000-0x0000000000B70000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3340-20-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-22-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-24-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-25-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-27-0x00000000013E0000-0x0000000001400000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3340-26-0x00000000013C0000-0x00000000013E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3340-23-0x0000000140000000-0x0000000140848000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/3340-29-0x00000000013E0000-0x0000000001400000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3340-28-0x00000000013C0000-0x00000000013E0000-memory.dmp

    Filesize

    128KB

    Download