Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe

  • Size

    6.4MB

  • MD5

    2eafb4926d78feb0b61d5b995d0fe6ee

  • SHA1

    f6e75678f1dafcb18408452ea948b9ad51b5d83e

  • SHA256

    50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

  • SHA512

    1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e

  • SSDEEP

    196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score
10/10
xmrigevasionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 16 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
    "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2208
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:3160
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2884
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:4900
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      2⤵
      • Launches sc.exe
      PID:3348
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2744
    • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
      1⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\system32\conhost.exe
        C:\Windows\system32\conhost.exe
        2⤵
          PID:4272
        • C:\Windows\system32\conhost.exe
          conhost.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1324

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        640KB

        MD5

        11109385eaeaf4734af0c8860a1f69f9

        SHA1

        1f22017efe44086768924574dc59263551233afb

        SHA256

        b9bb1fc8be1237292bac9a69b37f9edd01f975be99845d4c615575af261227fc

        SHA512

        4f996ec71d439038a238cce7813e0bf6940f46365e74cc398538eed9ba0676a4d7d4fdf2314aceb59ddb1d6eb0fb31eab1ae36e03c36c15f54f11373f9580db3

        Download Submit

      • C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
        Filesize

        125KB

        MD5

        faaf4d69139a71e7dee4b56c913689b1

        SHA1

        f0451919983568cf889ef03f10c1f5f9e21b7d5c

        SHA256

        2633fad496bab47ee37c4131b4fd30d903d66217cfbd65ceca80bc2810144e55

        SHA512

        8fed2a7b7d19b2b45d3a7e0369be6222e6ba31f4adc5b27a6801b56dcf956865044670f3993fe1ffdcb344fc176da1cbbc9ca0a714f871ee94df8d13862bf465

        Download Submit

      • memory/1324-28-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-16-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-19-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-20-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-35-0x000001CC17040000-0x000001CC17060000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1324-34-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-33-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-32-0x000001CC17000000-0x000001CC17040000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1324-31-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-14-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-15-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-29-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-17-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-18-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-30-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-36-0x000001CC17040000-0x000001CC17060000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1324-21-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-22-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-25-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-27-0x0000000140000000-0x0000000140840000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/1324-26-0x000001CC06920000-0x000001CC06940000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1584-24-0x00007FF631C30000-0x00007FF63266D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/1584-4-0x00007FF631C30000-0x00007FF63266D000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2208-0-0x00007FF7F94B0000-0x00007FF7F9EED000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/2208-2-0x00007FF7F94B0000-0x00007FF7F9EED000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/4272-6-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4272-7-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4272-8-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4272-10-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4272-13-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download

      • memory/4272-9-0x0000000140000000-0x000000014000D000-memory.dmp

        Filesize

        52KB

        Download