Overview

overview

10

Static

static

10

2ea5e2feaf...8a.exe

windows7-x64

10

2ea5e2feaf...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ea5e2feaf74e9ea6d7760ae2a20742a8861157607584e566e32b1ba329d378a.exe

  • Size

    19.8MB

  • MD5

    74595855031cc4eb18b48346f876cd2e

  • SHA1

    24bf72be8f93f2da8defe6c47004ecde786458ef

  • SHA256

    2ea5e2feaf74e9ea6d7760ae2a20742a8861157607584e566e32b1ba329d378a

  • SHA512

    33227d3e36a95fd4b9fcee533997bab9080a735c52417a10114a01d81c15eebcccca1cb99c6cfaf70691fc5149a41f8cffd4ee5fd54e0a593aaeb1ca6438b240

  • SSDEEP

    393216:xao4ZbKh+7uRQSn44pfrovhexQ0s0kl1X5+twDyClkzmv7PXVTpa:xaoAW+qpf6hKQJ+tcH6zmv7Xa

Score
10/10
xmrigevasionminerthemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects executables packed with Themida 46 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Themida packer 46 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • AutoIT Executable 41 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ea5e2feaf74e9ea6d7760ae2a20742a8861157607584e566e32b1ba329d378a.exe
    "C:\Users\Admin\AppData\Local\Temp\2ea5e2feaf74e9ea6d7760ae2a20742a8861157607584e566e32b1ba329d378a.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\system32\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:3080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c gpupdate /force
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\system32\gpupdate.exe
        gpupdate /force
        3⤵
          PID:4244
      • C:\ProgramData\Setup\Packs.exe
        C:\ProgramData\Setup\Packs.exe -ppidar
        2⤵
        • Executes dropped EXE
        PID:2740
      • C:\ProgramData\WindowsTask\audiodg.exe
        C:\ProgramData\WindowsTask\audiodg.exe
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:408
      • C:\ProgramData\WindowsTask\MicrosoftHost.exe
        C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k --cpu-priority=0 -t4
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:64

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WindowsTask\MicrosoftHost.exe
      Filesize

      5.2MB

      MD5

      1ee4321c311d7e58208c61630fa3f278

      SHA1

      67ef36cf785ec0d4602eb35a98c23420beba2e2a

      SHA256

      463ce847b6f7b32d1f4f49dfaaa2ce4a1061b6dfca1fb6a1bf39f7f40117266d

      SHA512

      f0bbf219926d7316bce936e4c362f2b5195420b7ee14538dd61d8a362921351cdde80705fcff8249773284a10067149f5a60291fa965aaaaca65fc535a5a8ffd

      Download Submit
    • C:\ProgramData\WindowsTask\WinRing0x64.sys
      Filesize

      14KB

      MD5

      0c0195c48b6b8582fa6f6373032118da

      SHA1

      d25340ae8e92a6d29f599fef426a2bc1b5217299

      SHA256

      11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

      SHA512

      ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

      Download Submit
    • C:\ProgramData\WindowsTask\audiodg.exe
      Filesize

      5.7MB

      MD5

      5bda5e3354916c14aeef5e9c1589ea99

      SHA1

      a9bf3059461f569a290fbbfe0e59d9629f5749ec

      SHA256

      7fa2c88d0732f4f432320d0b8cdc8a024b5efcae99da74dcd06dc91089ffd101

      SHA512

      5a9b55bf1124002e67468f133f47008426f19f1acb7de76eb001fc94ff4e9170142fa8b394bc8cee8d805a8484724135ef0251f029bd1304954b0aa2a2f8a987

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\aut8CDF.tmp
      Filesize

      7.8MB

      MD5

      2c478377002d8f8c188252f338e10d17

      SHA1

      71c3b3154ae57c9e692c32653ab8859c23680b30

      SHA256

      bda32a05036ce8fabd53f41509c114c5bf2c9d8343fb7725b6b21903ca44a89c

      SHA512

      fd183050382e834dadec658d0f9673607049a605c5c7dafe997d74b3921dafca0b677b8cfba9733cfd1d9c80581133281778f6be46f7080c5d743ea2c6f99dde

      Download Submit
    • memory/64-56-0x000001DB6BD50000-0x000001DB6BD70000-memory.dmp
      Filesize

      128KB

      Download
    • memory/408-53-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-57-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-126-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-121-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-115-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-110-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-105-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-100-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-94-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-89-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-84-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-46-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-49-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-47-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-48-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-51-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-79-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-52-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-78-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-50-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/408-71-0x00007FF639730000-0x00007FF63A5FB000-memory.dmp
      Filesize

      14.8MB

      Download
    • memory/996-123-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-96-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-6-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-54-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-74-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-1-0x00007FF807DD0000-0x00007FF807DD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/996-0-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-81-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-44-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-86-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-3-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-92-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-4-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-2-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-34-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-102-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-5-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-107-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-15-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-113-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-9-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-117-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-8-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-65-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download
    • memory/996-7-0x00007FF602AF0000-0x00007FF60479F000-memory.dmp
      Filesize

      28.7MB

      Download