28c665278cb244896fb360cc5d2a773b0b75c4a334075ec6462e426a5ab91908

Analysis

max time kernel
29s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xr miner.exe
Size

29.8MB
MD5

8c6ef23e59af6beccf80a34d46d352e4
SHA1

51db51ccb62843de50d22726f75be98742f166d4
SHA256

28c665278cb244896fb360cc5d2a773b0b75c4a334075ec6462e426a5ab91908
SHA512

3e1fc68353dbef2c073bb146df16aebfb1b180754e4af30c21b846e77739f298458d84c7e180680b9d6e95f2d8c9f3517d609efca2c8f8fd0e619106c72d03f8
SSDEEP

393216:dUhODqcltF1nEyaT+lYiUoxvC36/9xIyADAm+dfy5vN1fJhxUXpFWZ6Pys9HaF+X:dDqstzNs+SihxLQA+vN1CXKUDiSlUTa

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
804	powershell.exe
2256	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2360	services64.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4912	conhost.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	conhost.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeIncreaseQuotaPrivilege	804	powershell.exe
Token: SeSecurityPrivilege	804	powershell.exe
Token: SeTakeOwnershipPrivilege	804	powershell.exe
Token: SeLoadDriverPrivilege	804	powershell.exe
Token: SeSystemProfilePrivilege	804	powershell.exe
Token: SeSystemtimePrivilege	804	powershell.exe
Token: SeProfSingleProcessPrivilege	804	powershell.exe
Token: SeIncBasePriorityPrivilege	804	powershell.exe
Token: SeCreatePagefilePrivilege	804	powershell.exe
Token: SeBackupPrivilege	804	powershell.exe
Token: SeRestorePrivilege	804	powershell.exe
Token: SeShutdownPrivilege	804	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeSystemEnvironmentPrivilege	804	powershell.exe
Token: SeRemoteShutdownPrivilege	804	powershell.exe
Token: SeUndockPrivilege	804	powershell.exe
Token: SeManageVolumePrivilege	804	powershell.exe
Token: 33	804	powershell.exe
Token: 34	804	powershell.exe
Token: 35	804	powershell.exe
Token: 36	804	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	2256	powershell.exe
Token: SeSecurityPrivilege	2256	powershell.exe
Token: SeTakeOwnershipPrivilege	2256	powershell.exe
Token: SeLoadDriverPrivilege	2256	powershell.exe
Token: SeSystemProfilePrivilege	2256	powershell.exe
Token: SeSystemtimePrivilege	2256	powershell.exe
Token: SeProfSingleProcessPrivilege	2256	powershell.exe
Token: SeIncBasePriorityPrivilege	2256	powershell.exe
Token: SeCreatePagefilePrivilege	2256	powershell.exe
Token: SeBackupPrivilege	2256	powershell.exe
Token: SeRestorePrivilege	2256	powershell.exe
Token: SeShutdownPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeSystemEnvironmentPrivilege	2256	powershell.exe
Token: SeRemoteShutdownPrivilege	2256	powershell.exe
Token: SeUndockPrivilege	2256	powershell.exe
Token: SeManageVolumePrivilege	2256	powershell.exe
Token: 33	2256	powershell.exe
Token: 34	2256	powershell.exe
Token: 35	2256	powershell.exe
Token: 36	2256	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4912	1452	xr miner.exe	72
PID 1452 wrote to memory of 4912	1452	xr miner.exe	72
PID 1452 wrote to memory of 4912	1452	xr miner.exe	72
PID 4912 wrote to memory of 4340	4912	conhost.exe	73
PID 4912 wrote to memory of 4340	4912	conhost.exe	73
PID 4340 wrote to memory of 804	4340	cmd.exe	75
PID 4340 wrote to memory of 804	4340	cmd.exe	75
PID 4912 wrote to memory of 3116	4912	conhost.exe	77
PID 4912 wrote to memory of 3116	4912	conhost.exe	77
PID 3116 wrote to memory of 1776	3116	cmd.exe	79
PID 3116 wrote to memory of 1776	3116	cmd.exe	79
PID 4340 wrote to memory of 2256	4340	cmd.exe	81
PID 4340 wrote to memory of 2256	4340	cmd.exe	81
PID 4912 wrote to memory of 3364	4912	conhost.exe	82
PID 4912 wrote to memory of 3364	4912	conhost.exe	82
PID 3364 wrote to memory of 2360	3364	cmd.exe	84
PID 3364 wrote to memory of 2360	3364	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\xr miner.exe
"C:\Users\Admin\AppData\Local\Temp\xr miner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\xr miner.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1776
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\system32\services64.exe
      C:\Windows\system32\services64.exe
      4⤵
      Executes dropped EXE
      PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc355d8b2a713e9a3a9b233e769008be

SHA1
a1b27007359b33ee21d82e5d2a7591c7b94da98e

SHA256
67feb23513b3b5d466540f2861d2cde78604a826680d3cd1ae0182f8e8f9338a

SHA512
fdc7cfb1fffe4ac97db7d460d001862ad0e204dc4b198acfab0c14d0a062b61c55f401e891bd14c871d52322db46c1a92a0b866bee9628896644ff5f356873c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cayexxxi.ouf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\System32\services64.exe

Filesize
10.5MB

MD5
09b8581726e3ed193f5319ad114592e8

SHA1
9200f8204419ea76bac7169d0b7e949c426a8ae2

SHA256
900aaa105cfbf1f81efdb50cdf98293f7c3a365c48dfea6a5dd2d8d44c07112e

SHA512
0f42c05590ca0f6d7514b8ef57e2fd15704d483e57bf95b911408a8a638b0cdcc35dd5fea702fa91ea1798eed1c1fe14a059da41daa0df6aa2b8368606167a45

Download Submit
C:\Windows\system32\services64.exe

Filesize
9.1MB

MD5
7517202a5c167e209d19ff78ea113ed4

SHA1
335bcf1c8c92fc9c38e7a34e2ba234e1a1ac4f32

SHA256
8845e4842c2e63aa263c15495d711362bec1a2dbc0e484f174929e34c5520082

SHA512
cd83366ab703da2b7677bb01358a36fefe89763324960535924e41cb49e87a9d81835722a667520d0207e1e2e0b67e252347c80e20ee3f40261c9286701bff30

Download Submit
memory/804-18-0x000001F0D9970000-0x000001F0D9992000-memory.dmp

Filesize
136KB

Download
memory/804-21-0x000001F0D9B40000-0x000001F0D9BB6000-memory.dmp

Filesize
472KB

Download
memory/4912-8-0x000001D41DA40000-0x000001D41DA52000-memory.dmp

Filesize
72KB

Download
memory/4912-0-0x000001D41B910000-0x000001D41D6CF000-memory.dmp

Filesize
29.7MB

Download
memory/4912-13-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-11-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-9-0x000001D41DA70000-0x000001D41DA7A000-memory.dmp

Filesize
40KB

Download
memory/4912-12-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-102-0x00007FFD9C953000-0x00007FFD9C954000-memory.dmp

Filesize
4KB

Download
memory/4912-103-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-105-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-109-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

Filesize
9.9MB

Download
memory/4912-6-0x000001D43B800000-0x000001D43D5BE000-memory.dmp

Filesize
29.7MB

Download
memory/4912-4-0x00007FFD9C953000-0x00007FFD9C954000-memory.dmp

Filesize
4KB

Download