Overview

overview

10

Static

static

3

beren.exe

windows10-1703-x64

10

beren.exe

windows7-x64

10

beren.exe

windows10-2004-x64

10

beren.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    2698s
  • max time network
    2690s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-05-2024 11:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    beren.exe

  • Size

    5.0MB

  • MD5

    b1ac2ea973651a70ea72597e13a10f0a

  • SHA1

    07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

  • SHA256

    e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

  • SHA512

    02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

  • SSDEEP

    98304:9l68nO7ed9W+WzUU3a7G9kzPupfguX8WpWY/FwWCghYjuFRx20iZGZ1:9UdedpWzUmuPeghvY9wvonVsE

Score
10/10
xmrigevasionexecutionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 18 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 1 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\beren.exe
    "C:\Users\Admin\AppData\Local\Temp\beren.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2468
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
          PID:2212
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3644
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4964
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "QHRAJGDI"
        2⤵
        • Launches sc.exe
        PID:3068
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
        2⤵
        • Launches sc.exe
        PID:4012
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        2⤵
        • Launches sc.exe
        PID:4932
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "QHRAJGDI"
        2⤵
        • Launches sc.exe
        PID:1708
    • C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
      C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
            PID:3012
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:800
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4980
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1028
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:4040
          • C:\Windows\system32\conhost.exe
            conhost.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2576

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        System Services

        2
        T1569

        Service Execution

        2
        T1569.002

        Persistence

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Privilege Escalation

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Defense Evasion

        Impair Defenses

        1
        T1562

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Service Stop

        1
        T1489

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
          Filesize

          5.0MB

          MD5

          b1ac2ea973651a70ea72597e13a10f0a

          SHA1

          07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

          SHA256

          e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

          SHA512

          02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3ie5lft.gt5.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • memory/1868-38-0x000001986F990000-0x000001986F99A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1868-44-0x000001986FF10000-0x000001986FF1A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1868-43-0x000001986F9C0000-0x000001986F9C6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1868-42-0x000001986F9B0000-0x000001986F9B8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1868-41-0x000001986FAF0000-0x000001986FB0A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1868-40-0x000001986F9A0000-0x000001986F9AA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1868-39-0x000001986FAD0000-0x000001986FAEC000-memory.dmp
          Filesize

          112KB

          Download
        • memory/1868-36-0x000001986F8B0000-0x000001986F8CC000-memory.dmp
          Filesize

          112KB

          Download
        • memory/1868-37-0x000001986F8D0000-0x000001986F983000-memory.dmp
          Filesize

          716KB

          Download
        • memory/2576-60-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-70-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-79-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-80-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-78-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-77-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-76-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-74-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-71-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-72-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-69-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-68-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-55-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-56-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-62-0x0000018450250000-0x0000018450270000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2576-61-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-66-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-67-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-65-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-63-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-64-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-59-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-58-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/2576-57-0x0000000140000000-0x0000000140848000-memory.dmp
          Filesize

          8.3MB

          Download
        • memory/4040-50-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4040-54-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4040-47-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4040-48-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4040-49-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4040-51-0x0000000140000000-0x000000014000E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/4440-16-0x00007FFEDA370000-0x00007FFEDAE32000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4440-0-0x00007FFEDA373000-0x00007FFEDA375000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4440-3-0x0000016A5AE10000-0x0000016A5AE32000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4440-10-0x00007FFEDA370000-0x00007FFEDAE32000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4440-11-0x00007FFEDA370000-0x00007FFEDAE32000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4440-12-0x00007FFEDA370000-0x00007FFEDAE32000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4440-13-0x00007FFEDA370000-0x00007FFEDAE32000-memory.dmp
          Filesize

          10.8MB

          Download