Analysis
- max time kernel: 3595s
- max time network: 3600s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2024 15:31
- Static task: static1
- Behavioral task: behavioral1
  - Sample: miner-100%.exe
  - Resource: win7-20240708-en
General
- Target: miner-100%.exe
- Size: 2.5MB
- MD5: 0f03098ba3c106a018592bf8b4142cdc
- SHA1: 1e5ea6614b07148173da9efaa4bfe87f978c6874
- SHA256: 38e4ff6cd8509ed0b208a435067e5d4130e1febe786086769d46818ac8ab2657
- SHA512: cb5d2ce1fe41bd5f2994b15de2bdec3a48b0c98647794a84853ee2a95e8466bb8db2b1da22ed3dd51c0e77de818e206947fb069917480d562d0d293d9a8cd1ae
- SSDEEP: 49152:Z07rDD13GoljEHtRoY+2HSeN4DMcV0jOG0YRyvVB:ZoDD12oaC2HSE4oC0jODYRyv
Malware Config
Signatures
- XMRig Miner payload (8 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1808-19-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-18-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-24-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-25-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-23-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-22-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-21-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
  behavioral1/memory/1808-26-0x0000000140000000-0x0000000140835000-memory.dmp  xmrig
- Creates new service(s) (2 TTPs)
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  472
  2928  qmigminowdmj.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  472
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  PID 2928 set thread context of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 set thread context of 1808 | 2928 | qmigminowdmj.exe | explorer.exe
- Processes (resource / yara_rule):
  behavioral1/memory/1808-13-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-16-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-19-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-17-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-15-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-18-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-14-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-24-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-25-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-23-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-22-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-21-0x0000000140000000-0x0000000140835000-memory.dmp  upx
  behavioral1/memory/1808-26-0x0000000140000000-0x0000000140835000-memory.dmp  upx
- Launches sc.exe (14 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid / process):
  2252  sc.exe
  2936  sc.exe
  2752  sc.exe
  2744  sc.exe
  2828  sc.exe
  2624  sc.exe
  2400  sc.exe
  2900  sc.exe
  2684  sc.exe
  2344  sc.exe
  2932  sc.exe
  2656  sc.exe
  2764  sc.exe
  1956  sc.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid / process):
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  1724  miner-100%.exe
  2928  qmigminowdmj.exe
  2928  qmigminowdmj.exe
  2928  qmigminowdmj.exe
  2928  qmigminowdmj.exe
  2928  qmigminowdmj.exe
  2928  qmigminowdmj.exe
  2928  qmigminowdmj.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege      | 1724 | miner-100%.exe
  Token: SeDebugPrivilege      | 2928 | qmigminowdmj.exe
  Token: SeLockMemoryPrivilege | 1808 | explorer.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 2244 | 2928 | qmigminowdmj.exe | conhost.exe
  PID 2928 wrote to memory of 1808 | 2928 | qmigminowdmj.exe | explorer.exe
  PID 2928 wrote to memory of 1808 | 2928 | qmigminowdmj.exe | explorer.exe
  PID 2928 wrote to memory of 1808 | 2928 | qmigminowdmj.exe | explorer.exe
  PID 2928 wrote to memory of 1808 | 2928 | qmigminowdmj.exe | explorer.exe
  PID 2928 wrote to memory of 1808 | 2928 | qmigminowdmj.exe | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\miner-100%.exe (PID 1724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\miner-100%.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\sc.exe (PID 2400)
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2252)
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2936)
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2344)
    Command line: C:\Windows\system32\sc.exe stop bits
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2752)
    Command line: C:\Windows\system32\sc.exe stop dosvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2900)
    Command line: C:\Windows\system32\sc.exe delete "UOLNUFYN"
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2764)
    Command line: C:\Windows\system32\sc.exe create "UOLNUFYN" binpath= "C:\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe" start= "auto"
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2932)
    Command line: C:\Windows\system32\sc.exe stop eventlog
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2744)
    Command line: C:\Windows\system32\sc.exe start "UOLNUFYN"
    Signatures: Launches sc.exe
- C:\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe (PID 2928)
  Command line: C:\ProgramData\yprnrjbhkkgo\qmigminowdmj.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\sc.exe (PID 2828)
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1956)
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2656)
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2624)
    Command line: C:\Windows\system32\sc.exe stop bits
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2684)
    Command line: C:\Windows\system32\sc.exe stop dosvc
    Signatures: Launches sc.exe
  - C:\Windows\system32\conhost.exe (PID 2244)
    Command line: C:\Windows\system32\conhost.exe
  - C:\Windows\explorer.exe (PID 1808)
    Command line: explorer.exe
    Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.5MB
  MD5: 0f03098ba3c106a018592bf8b4142cdc
  SHA1: 1e5ea6614b07148173da9efaa4bfe87f978c6874
  SHA256: 38e4ff6cd8509ed0b208a435067e5d4130e1febe786086769d46818ac8ab2657
  SHA512: cb5d2ce1fe41bd5f2994b15de2bdec3a48b0c98647794a84853ee2a95e8466bb8db2b1da22ed3dd51c0e77de818e206947fb069917480d562d0d293d9a8cd1ae