Analysis
-
max time kernel
2699s -
max time network
2694s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
11-05-2024 11:03
General
-
Target
beren.exe
-
Size
5.0MB
-
MD5
b1ac2ea973651a70ea72597e13a10f0a
-
SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419
-
SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47
-
SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0
-
SSDEEP
98304:9l68nO7ed9W+WzUU3a7G9kzPupfguX8WpWY/FwWCghYjuFRx20iZGZ1:9UdedpWzUmuPeghvY9wvonVsE
Score
10/10
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 22 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\beren.exe"C:\Users\Admin\AppData\Local\Temp\beren.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "QHRAJGDI"2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "QHRAJGDI"2⤵
- Launches sc.exe
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exeC:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exeFilesize
5.0MB
MD5b1ac2ea973651a70ea72597e13a10f0a
SHA107e7cdedc54067a46b1d42cdf8a2c9050c3d3419
SHA256e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47
SHA51202b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0
-
memory/1996-44-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-46-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-57-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-36-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-56-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-54-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-50-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-52-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-40-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-43-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-38-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-51-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-28-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-49-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-30-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-34-0x00000000000D0000-0x00000000000F0000-memory.dmpFilesize
128KB
-
memory/1996-33-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-35-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-37-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-39-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-47-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-48-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-41-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-32-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-31-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-27-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-29-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/1996-42-0x0000000140000000-0x0000000140848000-memory.dmpFilesize
8.3MB
-
memory/2608-17-0x0000000000CF0000-0x0000000000CF8000-memory.dmpFilesize
32KB
-
memory/2608-16-0x0000000019F20000-0x000000001A202000-memory.dmpFilesize
2.9MB
-
memory/2996-22-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2996-20-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2996-18-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2996-19-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2996-21-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/2996-24-0x0000000140000000-0x000000014000E000-memory.dmpFilesize
56KB
-
memory/3048-8-0x000007FEF5D00000-0x000007FEF669D000-memory.dmpFilesize
9.6MB
-
memory/3048-4-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmpFilesize
4KB
-
memory/3048-6-0x0000000002720000-0x0000000002728000-memory.dmpFilesize
32KB
-
memory/3048-5-0x000000001B620000-0x000000001B902000-memory.dmpFilesize
2.9MB
-
memory/3048-10-0x000007FEF5D00000-0x000007FEF669D000-memory.dmpFilesize
9.6MB
-
memory/3048-11-0x000007FEF5D00000-0x000007FEF669D000-memory.dmpFilesize
9.6MB
-
memory/3048-9-0x000007FEF5D00000-0x000007FEF669D000-memory.dmpFilesize
9.6MB
-
memory/3048-7-0x000007FEF5D00000-0x000007FEF669D000-memory.dmpFilesize
9.6MB