Overview

overview

10

Static

static

3

be62af2560...8d.exe

windows7-x64

10

be62af2560...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2024, 10:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe

  • Size

    2.5MB

  • MD5

    4c38070e0764c127692cff709fbfa99e

  • SHA1

    36c85d6658eb285b31d0f20fa60e1e935711cc9f

  • SHA256

    be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d

  • SHA512

    b55471879efe435a46297bcd6d21006a03896bba7bbdf6fa39ed694e6aae3651a94e473fef60d50b2964effc05bbb87bc1082ca85872842853dccb2a0df93d7e

  • SSDEEP

    49152:S0+srvwWgzGqpGODg5QQUgbtJHBfHTe3b2UmZZKfCAb:S02GeDgOQUgb9/T67CA

Score
10/10
xmrigevasionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe
    "C:\Users\Admin\AppData\Local\Temp\be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2668
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "HKQILALP"
      2⤵
      • Launches sc.exe
      PID:2880
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "HKQILALP" binpath= "C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:3928
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:1328
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "HKQILALP"
      2⤵
      • Launches sc.exe
      PID:1692
  • C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe
    C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:1872
      • C:\Windows\system32\svchost.exe
        svchost.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4876

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\vrlxsdysequq\hhfnvbwmqfna.exe
            Filesize

            2.5MB

            MD5

            4c38070e0764c127692cff709fbfa99e

            SHA1

            36c85d6658eb285b31d0f20fa60e1e935711cc9f

            SHA256

            be62af2560409506f5748556a60d25fbc0b42adb0b56fe08bf6039b61cb6c58d

            SHA512

            b55471879efe435a46297bcd6d21006a03896bba7bbdf6fa39ed694e6aae3651a94e473fef60d50b2964effc05bbb87bc1082ca85872842853dccb2a0df93d7e

            Download Submit

          • memory/1872-3-0x0000000140000000-0x000000014000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1872-4-0x0000000140000000-0x000000014000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1872-6-0x0000000140000000-0x000000014000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1872-5-0x0000000140000000-0x000000014000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1872-7-0x0000000140000000-0x000000014000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1872-10-0x0000000140000000-0x000000014000D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/4876-11-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-12-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-13-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-14-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-15-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-16-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-18-0x00000270F4740000-0x00000270F4760000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4876-17-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-19-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-20-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-21-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-22-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-23-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-24-0x00000270F47B0000-0x00000270F47F0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/4876-25-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-26-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4876-27-0x00000270F4E00000-0x00000270F4E20000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4876-28-0x00000270F4E00000-0x00000270F4E20000-memory.dmp

            Filesize

            128KB

            Download