Overview

overview

10

Static

static

3

beren.exe

windows10-1703-x64

10

beren.exe

windows7-x64

10

beren.exe

windows10-2004-x64

10

beren.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    2699s
  • max time network
    2695s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11-05-2024 11:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    beren.exe

  • Size

    5.0MB

  • MD5

    b1ac2ea973651a70ea72597e13a10f0a

  • SHA1

    07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

  • SHA256

    e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

  • SHA512

    02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

  • SSDEEP

    98304:9l68nO7ed9W+WzUU3a7G9kzPupfguX8WpWY/FwWCghYjuFRx20iZGZ1:9UdedpWzUmuPeghvY9wvonVsE

Score
10/10
xmrigevasionexecutionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\beren.exe
    "C:\Users\Admin\AppData\Local\Temp\beren.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4404
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:688
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
          PID:2236
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:192
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4916
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3628
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "QHRAJGDI"
        2⤵
        • Launches sc.exe
        PID:1008
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
        2⤵
        • Launches sc.exe
        PID:2320
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        2⤵
        • Launches sc.exe
        PID:1532
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "QHRAJGDI"
        2⤵
        • Launches sc.exe
        PID:2308
    • C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
      C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
            PID:5024
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3420
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4992
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:2940
          • C:\Windows\system32\conhost.exe
            conhost.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4716

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        System Services

        2
        T1569

        Service Execution

        2
        T1569.002

        Persistence

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Privilege Escalation

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Defense Evasion

        Impair Defenses

        1
        T1562

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Service Stop

        1
        T1489

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
          Filesize

          5.0MB

          MD5

          b1ac2ea973651a70ea72597e13a10f0a

          SHA1

          07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

          SHA256

          e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

          SHA512

          02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzfficyj.jih.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit
        • memory/688-7-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/688-3-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/688-10-0x000001B357330000-0x000001B3573A6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/688-6-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/688-39-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/688-46-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/688-49-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/688-5-0x000001B357180000-0x000001B3571A2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1876-75-0x00000239F2300000-0x00000239F231C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/1876-81-0x00000239F2620000-0x00000239F26D9000-memory.dmp
          Filesize

          740KB

          Download
        • memory/1876-114-0x00000239F2320000-0x00000239F232A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2940-210-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2940-206-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2940-205-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2940-204-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2940-203-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/2940-207-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4716-220-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-215-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-223-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-221-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-222-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-211-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-219-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-218-0x000001D81EAA0000-0x000001D81EAC0000-memory.dmp
          Filesize

          128KB

          Download
        • memory/4716-217-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-212-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-214-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-216-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-213-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-226-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-227-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-228-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-230-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4716-229-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download