Overview

overview

10

Static

static

1

omega.exe

windows7-x64

10

omega.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    omega.exe

  • Size

    7.9MB

  • MD5

    d57bb0db39ff23571e15c96c1dcf8879

  • SHA1

    2a5e724e9b299355074caff738dcaa90a39ed29d

  • SHA256

    e5a3b411fdbd22fba9c70388f0d123a0630d8c8018c38bd8f5dabed92ce10643

  • SHA512

    4c4cff9187896eb213624d86461ad04d198b8b67b801f6e259dd9612c0e5e1965fc3819aae2e85a85302d5ee5293a7506ea3bc486d1c47c20177c815a2f166b9

  • SSDEEP

    98304:lrhSTW393YQDSve5RopIHrpogsDMxbmY/gcKIeBOQ2w0vSOXHiOoKr2oYDOtKysv:lTfDSW5pSgstMvS0HboKr2oYDO0gU

Score
10/10
xmrigevasionexecutionminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 15 IoCs
    miner
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\omega.exe
    "C:\Users\Admin\AppData\Local\Temp\omega.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1208
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "XAITRWNX"
      2⤵
      • Launches sc.exe
      PID:4412
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "XAITRWNX" binpath= "C:\ProgramData\fyabgnfhrqvg\xibhhhbnkawc.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:4744
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:1464
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "XAITRWNX"
      2⤵
      • Launches sc.exe
      PID:1784
  • C:\ProgramData\fyabgnfhrqvg\xibhhhbnkawc.exe
    C:\ProgramData\fyabgnfhrqvg\xibhhhbnkawc.exe
    1⤵
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3752
      • C:\ProgramData\fyabgnfhrqvg\xibhhhbnkawc.exe
        "C:\ProgramData\fyabgnfhrqvg\xibhhhbnkawc.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        PID:5004
    • C:\Windows\system32\conhost.exe
      conhost.exe
      2⤵
      • Checks BIOS information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\fyabgnfhrqvg\xibhhhbnkawc.exe
    Filesize

    7.9MB

    MD5

    d57bb0db39ff23571e15c96c1dcf8879

    SHA1

    2a5e724e9b299355074caff738dcaa90a39ed29d

    SHA256

    e5a3b411fdbd22fba9c70388f0d123a0630d8c8018c38bd8f5dabed92ce10643

    SHA512

    4c4cff9187896eb213624d86461ad04d198b8b67b801f6e259dd9612c0e5e1965fc3819aae2e85a85302d5ee5293a7506ea3bc486d1c47c20177c815a2f166b9

    Download Submit

  • C:\Windows\TEMP\bsvaveruoxir.sys
    Filesize

    14KB

    MD5

    0c0195c48b6b8582fa6f6373032118da

    SHA1

    d25340ae8e92a6d29f599fef426a2bc1b5217299

    SHA256

    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

    SHA512

    ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

    Download Submit

  • memory/1208-0-0x00007FF6D3400000-0x00007FF6D3DF4000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/1208-1-0x00007FFB3C950000-0x00007FFB3C952000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1208-4-0x00007FF6D3400000-0x00007FF6D3DF4000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/2564-45-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-64-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-78-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-77-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-76-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-75-0x00007FFB3C8B0000-0x00007FFB3CAA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2564-74-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-17-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-18-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-25-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-73-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-28-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-35-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-36-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-44-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-48-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-49-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-50-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-52-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-51-0x00007FFB3C8B0000-0x00007FFB3CAA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2564-53-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-55-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-58-0x00000184765A0000-0x00000184765C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2564-57-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-54-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-47-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-46-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-72-0x00007FFB3C8B0000-0x00007FFB3CAA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2564-43-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-41-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-39-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-33-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-60-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-37-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-38-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-34-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-42-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-31-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-32-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-63-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-27-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-26-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-24-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-19-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-20-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-56-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-40-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-62-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/2564-65-0x0000000140000000-0x0000000140AB6000-memory.dmp

    Filesize

    10.7MB

    Download

  • memory/3752-15-0x0000000140000000-0x000000014000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3752-10-0x0000000140000000-0x000000014000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3752-12-0x0000000140000000-0x000000014000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3752-8-0x0000000140000000-0x000000014000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3752-9-0x0000000140000000-0x000000014000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3752-11-0x0000000140000000-0x000000014000D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4392-29-0x00007FF7221B0000-0x00007FF722BA4000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/4392-7-0x00007FF7221B0000-0x00007FF722BA4000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/4392-30-0x00007FFB3C8B0000-0x00007FFB3CAA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4392-16-0x00007FFB3C8B0000-0x00007FFB3CAA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5004-71-0x00007FF68E2B0000-0x00007FF68ECA4000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/5004-69-0x00007FFB3C8B0000-0x00007FFB3CAA5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5004-66-0x00007FF68E2B0000-0x00007FF68ECA4000-memory.dmp

    Filesize

    10.0MB

    Download