Overview

overview

10

Static

static

3

66944b456b...54.exe

windows7-x64

10

66944b456b...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe

  • Size

    104KB

  • MD5

    9a24a00438a4d06d64fe4820061a1b45

  • SHA1

    6e59989652dff276a6dfa0f287b6c468a2f04842

  • SHA256

    66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

  • SHA512

    80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

  • SSDEEP

    1536:KlULHCIFmav82fkJMTZ0imzS6ussgExLXCxnbKG:wUDeO9TZH6SngYsbKG

Score
10/10
xmrigevasionminerpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Downloads MZ/PE file
  • Executes dropped EXE 23 IoCs
  • Loads dropped DLL 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 21 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe
        "C:\Users\Admin\AppData\Local\Temp\66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54.exe"
        2⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\Windows\sysblardsv.exe
          C:\Windows\sysblardsv.exe
          3⤵
          • Modifies security service
          • Windows security bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Users\Admin\AppData\Local\Temp\1745425556.exe
            C:\Users\Admin\AppData\Local\Temp\1745425556.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2428
            • C:\Windows\syslmgrsvc.exe
              C:\Windows\syslmgrsvc.exe
              5⤵
              • Modifies security service
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Suspicious behavior: SetClipboardViewer
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Users\Admin\AppData\Local\Temp\118785565.exe
                C:\Users\Admin\AppData\Local\Temp\118785565.exe
                6⤵
                • Executes dropped EXE
                PID:2340
              • C:\Users\Admin\AppData\Local\Temp\153030322.exe
                C:\Users\Admin\AppData\Local\Temp\153030322.exe
                6⤵
                • Executes dropped EXE
                PID:2120
              • C:\Users\Admin\AppData\Local\Temp\2911621804.exe
                C:\Users\Admin\AppData\Local\Temp\2911621804.exe
                6⤵
                • Executes dropped EXE
                PID:2844
              • C:\Users\Admin\AppData\Local\Temp\1027913133.exe
                C:\Users\Admin\AppData\Local\Temp\1027913133.exe
                6⤵
                • Executes dropped EXE
                PID:1724
              • C:\Users\Admin\AppData\Local\Temp\26095480.exe
                C:\Users\Admin\AppData\Local\Temp\26095480.exe
                6⤵
                • Executes dropped EXE
                PID:2468
              • C:\Users\Admin\AppData\Local\Temp\2751829371.exe
                C:\Users\Admin\AppData\Local\Temp\2751829371.exe
                6⤵
                • Executes dropped EXE
                PID:3012
          • C:\Users\Admin\AppData\Local\Temp\972017496.exe
            C:\Users\Admin\AppData\Local\Temp\972017496.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2460
            • C:\Windows\winqlsdrvcs.exe
              C:\Windows\winqlsdrvcs.exe
              5⤵
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Suspicious use of WriteProcessMemory
              PID:540
              • C:\Users\Admin\AppData\Local\Temp\3060431781.exe
                C:\Users\Admin\AppData\Local\Temp\3060431781.exe
                6⤵
                • Executes dropped EXE
                PID:1752
              • C:\Users\Admin\AppData\Local\Temp\1438123061.exe
                C:\Users\Admin\AppData\Local\Temp\1438123061.exe
                6⤵
                • Executes dropped EXE
                PID:2948
              • C:\Users\Admin\AppData\Local\Temp\3383214491.exe
                C:\Users\Admin\AppData\Local\Temp\3383214491.exe
                6⤵
                • Executes dropped EXE
                PID:1584
          • C:\Users\Admin\AppData\Local\Temp\317868877.exe
            C:\Users\Admin\AppData\Local\Temp\317868877.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1268
            • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
              "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
              5⤵
              • Executes dropped EXE
              PID:2700
            • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
              "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
              5⤵
              • Executes dropped EXE
              PID:2936
            • C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
              "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
              5⤵
              • Executes dropped EXE
              PID:2636
          • C:\Users\Admin\AppData\Local\Temp\220032970.exe
            C:\Users\Admin\AppData\Local\Temp\220032970.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2236
            • C:\Users\Admin\AppData\Local\Temp\2615426320.exe
              C:\Users\Admin\AppData\Local\Temp\2615426320.exe
              5⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2880
          • C:\Users\Admin\AppData\Local\Temp\509024096.exe
            C:\Users\Admin\AppData\Local\Temp\509024096.exe
            4⤵
            • Executes dropped EXE
            PID:2796
          • C:\Users\Admin\AppData\Local\Temp\536515272.exe
            C:\Users\Admin\AppData\Local\Temp\536515272.exe
            4⤵
            • Executes dropped EXE
            PID:2884
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:2656
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
        2⤵
          PID:2744
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:324
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:560
        • C:\Windows\System32\notepad.exe
          C:\Windows\System32\notepad.exe
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2164
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {C7A4CC25-066E-498A-BC76-D807B042730F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
        1⤵
        • Loads dropped DLL
        PID:1504
        • C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
          "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          PID:2552

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\_3[1]
        Filesize

        9KB

        MD5

        4c12165bc335a32cb559c828484a86a6

        SHA1

        c2e78c57f15a1a3a190be415aac3d1e3209ce785

        SHA256

        4831bd83c39ec9d898ccc1023858c81a03326b7c1c5dd8e24fdf9b2171707d1a

        SHA512

        f44df78b6f16255496b2fa35e28c185011c2bebf47730a68fd1369abf87f390684a8786a167319319d14a12da3768c1edef8e36037cde339a1ffe8c62c3ea87b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3060431781.exe
        Filesize

        8KB

        MD5

        9b8a3fb66b93c24c52e9c68633b00f37

        SHA1

        2a9290e32d1582217eac32b977961ada243ada9a

        SHA256

        8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293

        SHA512

        117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\536515272.exe
        Filesize

        11KB

        MD5

        cafd277c4132f5d0f202e7ea07a27d5c

        SHA1

        72c8c16a94cce56a3e01d91bc1276dafc65b351d

        SHA256

        e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

        SHA512

        7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        bf66d6b7dd626bce38d8fabe4451a440

        SHA1

        916a82a7da2491bb9a902056d1819edebae0fadb

        SHA256

        c88f58853a0de61db535931d3c57f82233939181d9c7751b885e0746ace55310

        SHA512

        4993ca263d3735af77667e74e636f3df36e3c10cd668d34f03c38fe26f29f78fd68bd43a99e5f3e1035a9dd0d6b817032fb39a1b094db2c7bad6c3c84f3b8ea5

        Download Submit

      • C:\Users\Admin\tbtnds.dat
        Filesize

        4KB

        MD5

        def8a24f7c6410eba94010f328eb3bb9

        SHA1

        2cca73524ce2d73373dbe4f58de4e8ce82bf3124

        SHA256

        bc3a99b25fcea60dbc2f5e0377fe6965cef34b8fe645bc210ce4b3f9f01874ab

        SHA512

        5cb20a1c01d09cc5cef3e1a18b0ee93bbb08d93812b1eba696b48210557010677efa5628cdf29b355c567c2cb62add409fba3c19129dba6dc3932ba1fcd944ca

        Download Submit

      • C:\Users\Admin\tbtnds.dat
        Filesize

        4KB

        MD5

        2d2685f1951b8e64beaa9895f7f325b7

        SHA1

        d6fafbb8e5ea4f39716de272505d8c79fc08cb5a

        SHA256

        5a6846a31c8018803efabd524ac38823f0bf0dd9648bf829ddcd3af220e41167

        SHA512

        e2190de15e732695bbc928b30812ad3f2946f563941913fa537f787fc5c42d173af11b3f660962f0b0d00e21b7e95d51eee6c73b125117dabba64c4bacba81b9

        Download Submit

      • C:\Windows\sysblardsv.exe
        Filesize

        104KB

        MD5

        9a24a00438a4d06d64fe4820061a1b45

        SHA1

        6e59989652dff276a6dfa0f287b6c468a2f04842

        SHA256

        66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

        SHA512

        80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

        Download Submit

      • \Users\Admin\AppData\Local\Temp\1745425556.exe
        Filesize

        93KB

        MD5

        a318cc45e79498b93e40d5e5b9b76be4

        SHA1

        4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

        SHA256

        4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

        SHA512

        3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

        Download Submit

      • \Users\Admin\AppData\Local\Temp\220032970.exe
        Filesize

        10KB

        MD5

        c8cf446ead193a3807472fbd294c5f23

        SHA1

        2162f28c919222f75ce5f52e4bb1155255ae5368

        SHA256

        e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

        SHA512

        fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

        Download Submit

      • \Users\Admin\AppData\Local\Temp\2615426320.exe
        Filesize

        5.4MB

        MD5

        41ab08c1955fce44bfd0c76a64d1945a

        SHA1

        2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

        SHA256

        dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

        SHA512

        38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

        Download Submit

      • \Users\Admin\AppData\Local\Temp\317868877.exe
        Filesize

        10KB

        MD5

        47340d40e7f73e62cf09ac60fd16ad68

        SHA1

        effd38f6561155802d3e5090f5714589eae5ce6e

        SHA256

        e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

        SHA512

        2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

        Download Submit

      • \Users\Admin\AppData\Local\Temp\509024096.exe
        Filesize

        8KB

        MD5

        11d2f27fb4f0c424ab696573e79db18c

        SHA1

        d08ece21a657bfa6ea4d2db9b21fbb960d7f4331

        SHA256

        dee9dca027009b7d2885ace7b968d2e9505a41b34756b08343338f8ef259e9be

        SHA512

        a60de41caa6113430ab4ab944b800579f574f9b964c362f9c62bbfc1bd85dccd01b628809367e15cfe6baaba32c1255f8db07e434ff7bcf5e90d9b3d1f6a4cd4

        Download Submit

      • \Users\Admin\AppData\Local\Temp\972017496.exe
        Filesize

        14KB

        MD5

        686899bd841d603551a0429d09cb906c

        SHA1

        c827bc460766c0c39fa9ad27918fb0f409379eb3

        SHA256

        483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77

        SHA512

        850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

        Download Submit

      • \Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        Filesize

        20KB

        MD5

        35dc584405379993ceb29d5314d15d99

        SHA1

        2dbb31a27bf5cee87fd81a9431bb97ca6e07f9bc

        SHA256

        22be0689856c5e26d3b742120386b3895a3749e9a2e76d3b356eed2ea2df5f94

        SHA512

        9ab4a6027b8ecd8fef7af684286a95d15024fb130ac1c924db3345532a91da77e7b12200ea687ba0722756457e4266ee2afcfec4a24aae979e92e341c13dd377

        Download Submit

      • memory/324-172-0x000000001B230000-0x000000001B512000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/324-173-0x00000000022E0000-0x00000000022E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1148-151-0x0000000002000000-0x0000000002008000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1148-146-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2164-191-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-185-0x0000000000330000-0x0000000000350000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2164-192-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-193-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-196-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-197-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-200-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-201-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2164-202-0x0000000140000000-0x00000001407EF000-memory.dmp

        Filesize

        7.9MB

        Download

      • memory/2552-186-0x000000013F660000-0x000000013FBD6000-memory.dmp

        Filesize

        5.5MB

        Download

      • memory/2880-154-0x000000013FDF0000-0x0000000140366000-memory.dmp

        Filesize

        5.5MB

        Download