Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-05-2024 18:17
Behavioral tasks
- behavioral1: sample miner (2).TMP/Client.exe, resource win11-20240419-en
- behavioral2: sample miner (2).TMP/num2.exe, resource win11-20240508-en
- behavioral3: sample miner.TMP/MicrosoftEdgeUpdater.exe, resource win11-20240426-en
General
- Target: miner.TMP/jhi_service.exe
- Size: 2.5MB
- MD5: 1994ad04639f3d12c7bbfa37feb3434f
- SHA1: 4979247e5a9771286a91827851527e5dbfb80c8e
- SHA256: c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c
- SHA512: adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43
- SSDEEP: 49152:JeyI4v7SO1chT1kPoGyH22x8wfc3QC/FGQAC8TnWhVpihDHdggjrKCnQPzkwG:JtjehT1kA4wXGMRyk7Kg/nnY
Malware Config
Signatures
- XMRig Miner payload (9 IoCs)
  YARA rule "xmrig" matched memory dumps of PID 4100 (svchost.exe), all covering 0x0000000140000000-0x0000000140848000:
  behavioral4/memory/4100-16, 4100-17, 4100-19, 4100-20, 4100-21, 4100-22, 4100-23, 4100-24, 4100-25 (each ...-0x0000000140000000-0x0000000140848000-memory.dmp)
- Creates new service(s) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes: PID 3828 kanilzbpgdul.exe
- YARA rule "upx" matched (14 IoCs)
  Memory dumps of PID 4100 (svchost.exe), all covering 0x0000000140000000-0x0000000140848000:
  behavioral4/memory/4100-11, 4100-12, 4100-13, 4100-14, 4100-15, 4100-16, 4100-17, 4100-19, 4100-20, 4100-21, 4100-22, 4100-23, 4100-24, 4100-25 (each ...-0x0000000140000000-0x0000000140848000-memory.dmp)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  PID 3828 kanilzbpgdul.exe set thread context of PID 4816 conhost.exe
  PID 3828 kanilzbpgdul.exe set thread context of PID 4100 svchost.exe
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes: PID 2796 sc.exe, PID 3736 sc.exe, PID 4936 sc.exe, PID 3088 sc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 4628 jhi_service.exe (8 hits), PID 3828 kanilzbpgdul.exe (6 hits), PID 4100 svchost.exe (50 hits)
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes:
  powercfg.exe PIDs 944, 4708, 4928, 2764, 1832, 3108, 1488, 3892: each enabled SeShutdownPrivilege and SeCreatePagefilePrivilege (16 tokens)
  svchost.exe PID 4100: SeLockMemoryPrivilege
  SeLockMemoryPrivilege is the privilege needed to allocate large pages; XMRig requests it to back its RandomX dataset with huge pages, so a service host enabling it is a strong miner indicator.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  PID 3828 kanilzbpgdul.exe wrote to memory of PID 4816 conhost.exe (9 writes)
  PID 3828 kanilzbpgdul.exe wrote to memory of PID 4100 svchost.exe (5 writes)
Processes
- C:\Users\Admin\AppData\Local\Temp\miner.TMP\jhi_service.exe (PID 4628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\miner.TMP\jhi_service.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses
  Child processes:
  - C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 (PID 944)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 (PID 4928)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 (PID 4708)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 (PID 2764)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\sc.exe delete "HDNFMUHS" (PID 2796)
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe create "HDNFMUHS" binpath= "C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe" start= "auto" (PID 3736)
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe stop eventlog (PID 4936)
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe start "HDNFMUHS" (PID 3088)
    Signatures: Launches sc.exe
  The four powercfg calls zero the standby and hibernate timeouts on AC and battery so the host never sleeps while mining; the sc.exe sequence removes any previous copy of the service, registers the dropped binary under ProgramData as an auto-start service, stops the Windows Event Log service, and starts the new service.
- C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe (PID 3828)
  Command line: C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  This is the binary registered as service "HDNFMUHS" above, which is why it appears as a second tree root rather than as a child of jhi_service.exe.
  Child processes:
  - C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 (PID 1488)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 (PID 1832)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 (PID 3108)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 (PID 3892)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\conhost.exe (PID 4816)
    Command line: C:\Windows\system32\conhost.exe
  - C:\Windows\system32\svchost.exe (PID 4100)
    Command line: svchost.exe
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID 4100 is started with a bare "svchost.exe" command line (no -k service group) by the dropped binary rather than by the service control manager, is written to by PID 3828 (WriteProcessMemory) and then redirected with SetThreadContext; the xmrig and upx YARA matches listed under Signatures are all in this process's memory, so it is the hollowed host that actually runs the miner. PID 4816 conhost.exe receives the same treatment.
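The behaviour chain above (powercfg timeout tampering, sc.exe service persistence, stopping the event log, and hollowing svchost.exe/conhost.exe from a non-system parent) is easy to express as process-creation heuristics. The following is an added example, not output of the sandbox or code from the sample: it reconstructs the report's events from the PIDs and command lines on this page (the parent images of the two tree roots, explorer.exe and services.exe, are assumptions, and one benign svchost.exe event is added for contrast) and runs four detection rules over them.

```python
"""Heuristics for the miner behaviour chain shown in the process tree above,
run over process-creation events. Added example, not sandbox output: events
are constructed from the report's PIDs and command lines; parent images of
the two tree roots (explorer.exe, services.exe) are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # image path of the new process
    cmdline: str
    parent_image: str  # image path of the parent process


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SYS32 = r"C:\Windows\system32"
SC, PCFG, SVCHOST = SYS32 + r"\sc.exe", SYS32 + r"\powercfg.exe", SYS32 + r"\svchost.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\miner.TMP\jhi_service.exe"
SVC_BIN = r"C:\ProgramData\hvforlxxtnuo\kanilzbpgdul.exe"
SVC_CREATE = f'{SC} create "HDNFMUHS" binpath= "{SVC_BIN}" start= "auto"'

# Constructed from the report; the 1000/700 parents are assumed, not observed.
SAMPLE_EVENTS = [
    ProcEvent(4628, 1000, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    ProcEvent(944, 4628, PCFG, f"{PCFG} /x -hibernate-timeout-ac 0", DROPPER),
    ProcEvent(4928, 4628, PCFG, f"{PCFG} /x -hibernate-timeout-dc 0", DROPPER),
    ProcEvent(4708, 4628, PCFG, f"{PCFG} /x -standby-timeout-ac 0", DROPPER),
    ProcEvent(2764, 4628, PCFG, f"{PCFG} /x -standby-timeout-dc 0", DROPPER),
    ProcEvent(2796, 4628, SC, f'{SC} delete "HDNFMUHS"', DROPPER),
    ProcEvent(3736, 4628, SC, SVC_CREATE, DROPPER),
    ProcEvent(4936, 4628, SC, f"{SC} stop eventlog", DROPPER),
    ProcEvent(3088, 4628, SC, f'{SC} start "HDNFMUHS"', DROPPER),
    ProcEvent(3828, 700, SVC_BIN, SVC_BIN, SYS32 + r"\services.exe"),
    ProcEvent(1488, 3828, PCFG, f"{PCFG} /x -hibernate-timeout-ac 0", SVC_BIN),
    ProcEvent(1832, 3828, PCFG, f"{PCFG} /x -hibernate-timeout-dc 0", SVC_BIN),
    ProcEvent(3108, 3828, PCFG, f"{PCFG} /x -standby-timeout-ac 0", SVC_BIN),
    ProcEvent(3892, 3828, PCFG, f"{PCFG} /x -standby-timeout-dc 0", SVC_BIN),
    ProcEvent(4816, 3828, SYS32 + r"\conhost.exe", SYS32 + r"\conhost.exe", SVC_BIN),
    ProcEvent(4100, 3828, SVCHOST, "svchost.exe", SVC_BIN),
    # Benign service host for contrast: SCM parent and a -k service group.
    ProcEvent(900, 700, SVCHOST, f"{SVCHOST} -k netsvcs -p", SYS32 + r"\services.exe"),
]

POWERCFG_RE = re.compile(r"/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0(?:\s|$)", re.I)
TRUSTED_SVC_ROOTS = ("c:\\windows\\", "c:\\program files")  # service binaries elsewhere get flagged


def base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sc_value(cmdline: str, key: str):
    """Read `key= value` from an sc.exe command line (sc requires the space after '=')."""
    m = re.search(rf'\b{key}=\s*(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def analyse(events):
    findings = []
    for e in events:
        name, cmd, parent = base(e.image), e.cmdline, base(e.parent_image)
        if name == "powercfg.exe" and POWERCFG_RE.search(cmd):
            # Zeroing sleep/hibernate timeouts keeps the host mining around the clock.
            findings.append(Finding(e.pid, "power_tamper", cmd.split("/x", 1)[1].strip()))
        elif name == "sc.exe":
            low = cmd.lower()
            if " create " in low:
                m = re.search(r'\bcreate\s+"?([^"\s]+)', cmd, re.I)
                binpath = (sc_value(cmd, "binpath") or "").lower()
                if binpath and not binpath.startswith(TRUSTED_SVC_ROOTS):
                    svc = m.group(1) if m else "?"
                    findings.append(Finding(e.pid, "service_persistence", f"{svc} -> {binpath}"))
            elif re.search(r"\bstop\s+eventlog\b", low):
                findings.append(Finding(e.pid, "eventlog_tamper", cmd))
        elif name == "svchost.exe" and (parent != "services.exe" or " -k " not in f" {cmd.lower()} "):
            # Genuine service hosts are started by the SCM with a -k group on the command line.
            findings.append(Finding(e.pid, "hollowing_candidate", f"svchost.exe from {parent} pid {e.ppid}"))
        elif name == "conhost.exe" and parent != "csrss.exe":
            # csrss.exe spawns conhost for console apps; ConPTY hosts are a known exception to tune for.
            findings.append(Finding(e.pid, "hollowing_candidate", f"conhost.exe from {parent} pid {e.ppid}"))
    return findings


def summarise(findings):
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    hits = analyse(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.pid:>5}  {f.rule:<22} {f.detail}")
    print(dict(summarise(hits)))
```

On the constructed events this yields eight power_tamper hits, one service_persistence hit (HDNFMUHS pointing into C:\ProgramData), one eventlog_tamper hit and two hollowing candidates (PIDs 4816 and 4100), while the benign svchost.exe with a services.exe parent and a -k group produces nothing. The parent-process rules are heuristics: tune the conhost.exe rule for pseudoconsole hosts before deploying it.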
Network
MITRE ATT&CK Enterprise v15
Downloads
- miner.TMP/jhi_service.exe
  Filesize: 2.5MB
  MD5: 1994ad04639f3d12c7bbfa37feb3434f
  SHA1: 4979247e5a9771286a91827851527e5dbfb80c8e
  SHA256: c75f76cf5b34b4a165ad5705ae5229f67fc081d958239bf0faea58e6c342301c
  SHA512: adc4eb990fc6721a0a39cf9832f133bde025a31b3ecd4d84e076d8c454b40dd043f1f045f6f989febf2478999a190d116a58192c49d8b878414490e7ce451b43