Overview

overview

10

Static

static

3

e2cbf15446...fb.exe

windows7-x64

10

e2cbf15446...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 15:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb.exe

  • Size

    5.8MB

  • MD5

    6c5765152f9720727f9693288b34a8b6

  • SHA1

    eabde5cbe6cd8de622dab56e892cd5f7a7373143

  • SHA256

    e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb

  • SHA512

    9ecedd98e13dd27a92025e6e58cebfdc4f578cc97a2fc0daa3d2e4b13de08bf1f36f00cdee8c0ffb7de203a116f915e5d5cd067d8d3954c00a8a4b8c6378ccf4

  • SSDEEP

    98304:/YknE60QvK2disEKWIAN9rDUQ60m+E+3syUSIkJEhxfAF8p4ucb0hCH2:/xnh0sbErIYeQ3nEIsyU2Y48CSi

Score
10/10
xmrigevasionexecutionminerpersistenceupx

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb.exe
    "C:\Users\Admin\AppData\Local\Temp\e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2364
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:2224
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:2176
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:2172
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:1632
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:2572
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:2076
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      2⤵
      • Launches sc.exe
      PID:2908
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:2536
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:3004
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      2⤵
      • Launches sc.exe
      PID:2380
  • C:\ProgramData\GoogleUP\Chrome\Updater.exe
    C:\ProgramData\GoogleUP\Chrome\Updater.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:2460
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:2208
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:1512
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:1868
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:2008
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:2808
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:532
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:776
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2228
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2252

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            2KB

            MD5

            3e9af076957c5b2f9c9ce5ec994bea05

            SHA1

            a8c7326f6bceffaeed1c2bb8d7165e56497965fe

            SHA256

            e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

            SHA512

            933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

            Download Submit

          • \ProgramData\GoogleUP\Chrome\Updater.exe
            Filesize

            5.8MB

            MD5

            6c5765152f9720727f9693288b34a8b6

            SHA1

            eabde5cbe6cd8de622dab56e892cd5f7a7373143

            SHA256

            e2cbf154467a2592dfa9e86d6563f0d0d07ac148140ab2eac81790e916b1c4fb

            SHA512

            9ecedd98e13dd27a92025e6e58cebfdc4f578cc97a2fc0daa3d2e4b13de08bf1f36f00cdee8c0ffb7de203a116f915e5d5cd067d8d3954c00a8a4b8c6378ccf4

            Download Submit

          • memory/2228-25-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2228-26-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2228-27-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2228-28-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2228-29-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2228-32-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2252-39-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-41-0x00000000000B0000-0x00000000000D0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2252-48-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-47-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-38-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-34-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-40-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-45-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-35-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-37-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-42-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-43-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-44-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-36-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2252-46-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/2364-0-0x000000013FF60000-0x0000000140B5D000-memory.dmp

            Filesize

            12.0MB

            Download

          • memory/2384-20-0x000000013F720000-0x000000014031D000-memory.dmp

            Filesize

            12.0MB

            Download

          • memory/2680-6-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2680-8-0x000000001B590000-0x000000001B872000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2680-7-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2680-14-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2680-9-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2680-10-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2680-11-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2680-12-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2680-13-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/3068-22-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3068-21-0x0000000019EA0000-0x000000001A182000-memory.dmp

            Filesize

            2.9MB

            Download