Overview

overview

10

Static

static

3

a2af48a018...97.exe

windows7-x64

10

a2af48a018...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2af48a018c65d34b445bd35bdd1b597.exe

  • Size

    9.0MB

  • MD5

    a2af48a018c65d34b445bd35bdd1b597

  • SHA1

    76daedc184a0cb9a717fc49f86a57b5baed0a35c

  • SHA256

    d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60

  • SHA512

    d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319

  • SSDEEP

    196608:rhHMBGC3PtXtT+Was8ywq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0jwuwasMdJOnZKVSaaNZOn

Score
10/10
xmrigminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 17 IoCs
    miner
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 8 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe
    "C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe /F
        3⤵
        • Creates scheduled task(s)
        PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2956
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:2792
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      PID:2664
    • C:\ProgramData\SMB.exe
      C:\ProgramData\SMB.exe
      2⤵
      • Executes dropped EXE
      PID:844
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      PID:3048
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
        PID:2060
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          3⤵
          • Gathers network information
          PID:2400
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /f /im 2HIf.exe&&exit
        2⤵
          PID:576
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im 2HIf.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1184
        • C:\ProgramData\2HIf.exe
          C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
        • C:\ProgramData\2HIf.exe
          C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c taskkill /f /im 2HIf.exe&&exit
          2⤵
            PID:1520
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im 2HIf.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:900
          • C:\ProgramData\2HIf.exe
            C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
            2⤵
            • Executes dropped EXE
            PID:2284
          • C:\ProgramData\2HIf.exe
            C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1120
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ipconfig /flushdns
            2⤵
              PID:284
              • C:\Windows\SysWOW64\ipconfig.exe
                ipconfig /flushdns
                3⤵
                • Gathers network information
                PID:2660
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c taskkill /f /im 2HIf.exe&&exit
              2⤵
                PID:1264
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im 2HIf.exe
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2168
              • C:\ProgramData\2HIf.exe
                C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1100
              • C:\ProgramData\2HIf.exe
                C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2848
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c taskkill /f /im 2HIf.exe&&exit
                2⤵
                  PID:2136
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im 2HIf.exe
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1732
                • C:\ProgramData\2HIf.exe
                  C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                  2⤵
                  • Executes dropped EXE
                  PID:2692
                • C:\ProgramData\2HIf.exe
                  C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2420
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ipconfig /flushdns
                  2⤵
                    PID:948
                    • C:\Windows\SysWOW64\ipconfig.exe
                      ipconfig /flushdns
                      3⤵
                      • Gathers network information
                      PID:1084
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c taskkill /f /im 2HIf.exe&&exit
                    2⤵
                      PID:112
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im 2HIf.exe
                        3⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1104
                    • C:\ProgramData\2HIf.exe
                      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:280
                    • C:\ProgramData\2HIf.exe
                      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2616
                  • C:\Windows\system32\taskeng.exe
                    taskeng.exe {738D03BD-1FF5-412B-AA42-897DE913CCD0} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
                    1⤵
                      PID:2984
                      • C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe
                        C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe
                        2⤵
                        • Executes dropped EXE
                        • Checks for VirtualBox DLLs, possible anti-VM trick
                        PID:956

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\X64.dll
                      Filesize

                      85KB

                      MD5

                      7f02e899ac73039aa7ca769fe3ad2c85

                      SHA1

                      2eb6aad092d94b43e54a567b7276dbae2836292b

                      SHA256

                      48b7c15bb140e3b928a99fe00313df0688a12fccf27d4f1b08d0af8c33e48a70

                      SHA512

                      686ae5e3a6d35018fc7cc81a478c4b5d40c27977e59cb8892cdd4754676a572cfadf7ffa321acf7c7501f95ad10ee17b0f592fa8dbabe038eae76c4b3f0fa5af

                      Download Submit

                    • C:\ProgramData\X86.dll
                      Filesize

                      71KB

                      MD5

                      40ea36d2902af17dff3fe4ab905b9454

                      SHA1

                      7e8248fbbca2a55f68f683c5388110569ca83392

                      SHA256

                      adee071dc55a2d2def17d4a145662f5331b174eaafa77ca4be6ed65ad0ae5173

                      SHA512

                      520fee6e81c69117bcb856dd40f479bec9625d62e7632f64b59ddc1a83c0becdcd7591fc9fa3d24e8e3d2743cc6ee0c560163e2f2b2fbcba21eddc5b0a76f5a2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\a2af48a018c65d34b445bd35bdd1b597.exe
                      Filesize

                      9.0MB

                      MD5

                      a2af48a018c65d34b445bd35bdd1b597

                      SHA1

                      76daedc184a0cb9a717fc49f86a57b5baed0a35c

                      SHA256

                      d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60

                      SHA512

                      d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319

                      Download Submit

                    • \ProgramData\2HIf.exe
                      Filesize

                      1.3MB

                      MD5

                      23d84a7ed2e8e76d0a13197b74913654

                      SHA1

                      23d04ba674bafbad225243dc81ce7eccd744a35a

                      SHA256

                      ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

                      SHA512

                      aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

                      Download Submit

                    • \ProgramData\SMB.exe
                      Filesize

                      3.1MB

                      MD5

                      7b2f170698522cd844e0423252ad36c1

                      SHA1

                      303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

                      SHA256

                      5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

                      SHA512

                      7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

                      Download Submit

                    • memory/280-218-0x000000013F490000-0x000000013FAD4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1100-197-0x000000013F470000-0x000000013FAB4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1100-194-0x000000013F470000-0x000000013FAB4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1120-191-0x000000013FCE0000-0x0000000140324000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1120-189-0x000000013FCE0000-0x0000000140324000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1120-187-0x000000013FCE0000-0x0000000140324000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1592-173-0x000000013F800000-0x000000013FE44000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1592-172-0x000000013F800000-0x000000013FE44000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1632-168-0x000000013F920000-0x000000013FF64000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/1632-166-0x000000013F920000-0x000000013FF64000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2036-158-0x000000013F840000-0x000000013FE84000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2036-148-0x000000013F840000-0x000000013FE84000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2036-156-0x000000013F840000-0x000000013FE84000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2284-183-0x000000013FB40000-0x0000000140184000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2284-184-0x000000013FB40000-0x0000000140184000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2420-211-0x000000013F0C0000-0x000000013F704000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2420-214-0x000000013F0C0000-0x000000013F704000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2560-155-0x00000000046E0000-0x0000000004D24000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2560-12-0x00000000046E0000-0x0000000004D24000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2560-154-0x00000000046E0000-0x0000000004D24000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2664-17-0x000000013F340000-0x000000013F984000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2692-206-0x000000013F450000-0x000000013FA94000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2692-208-0x000000013F450000-0x000000013FA94000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2820-141-0x000000013F340000-0x000000013F984000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2820-14-0x00000000000F0000-0x0000000000104000-memory.dmp

                      Filesize

                      80KB

                      Download

                    • memory/2820-13-0x000000013F340000-0x000000013F984000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2828-180-0x000000013FBE0000-0x0000000140224000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2828-179-0x000000013FBE0000-0x0000000140224000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2828-176-0x000000013FBE0000-0x0000000140224000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2848-200-0x000000013F260000-0x000000013F8A4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2848-203-0x000000013F260000-0x000000013F8A4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2888-163-0x000000013FD60000-0x00000001403A4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/2888-161-0x000000013FD60000-0x00000001403A4000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3048-144-0x000000013FD00000-0x0000000140344000-memory.dmp

                      Filesize

                      6.3MB

                      Download

                    • memory/3048-145-0x000000013FD00000-0x0000000140344000-memory.dmp

                      Filesize

                      6.3MB

                      Download