Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/10/2024, 05:25
Static task
- static1
- 1 signatures
Behavioral task
- behavioral1
- Sample: 1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe
- Resource: win7-20240903-en
- 8 signatures
- 120 seconds
General
- Target: 1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe
- Size: 2.5MB
- MD5: 4901050cbc77596c29e2d911d56692a0
- SHA1: edaacbec28fbb64c1f8f2cdf615abac380b6572f
- SHA256: 1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5d
- SHA512: 9beda4f0a83f2abda7c962629a5e6573636dfe78b79ee919d3fedf6407bcff6a049b5e8c9c722e46c9a449c7241a89656ff96bbe32fbf1e5310b351510c14120
- SSDEEP: 49152:vj0PvsQVITAdmKuoGHkW/Y312Q2Q94clBP0Iahv5YisS5CTfCRM5k:vg3sQmZ/HTwMQfBPSv5okCY
Malware Config
Signatures
- Xmrig family
- XMRig Miner payload (8 IoCs)

  resource                                                                   yara_rule
  behavioral1/memory/2660-7-0x0000000140000000-0x0000000140848000-memory.dmp   xmrig
  behavioral1/memory/2660-6-0x0000000140000000-0x0000000140848000-memory.dmp   xmrig
  behavioral1/memory/2660-13-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
  behavioral1/memory/2660-12-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
  behavioral1/memory/2660-11-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
  behavioral1/memory/2660-10-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
  behavioral1/memory/2660-9-0x0000000140000000-0x0000000140848000-memory.dmp   xmrig
  behavioral1/memory/2660-14-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
- Suspicious use of SetThreadContext (1 IoCs)

  description                          pid   Process                                                                 procid_target
  PID 2392 set thread context of 2660  2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe  31
  resource                                                                   yara_rule
  behavioral1/memory/2660-1-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-4-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-7-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-6-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-3-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-5-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-2-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-13-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/2660-12-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/2660-11-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/2660-10-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/2660-9-0x0000000140000000-0x0000000140848000-memory.dmp   upx
  behavioral1/memory/2660-14-0x0000000140000000-0x0000000140848000-memory.dmp  upx
- Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid   Process
  2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe
  2660  notepad.exe   (the remaining 63 rows are identical: 2660 notepad.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description                   pid   Process
  Token: SeLockMemoryPrivilege  2660  notepad.exe
  Token: SeLockMemoryPrivilege  2660  notepad.exe
- Suspicious use of WriteProcessMemory (5 IoCs)

  description                         pid   Process                                                                 procid_target
  PID 2392 wrote to memory of 2660    2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe  31
  PID 2392 wrote to memory of 2660    2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe  31
  PID 2392 wrote to memory of 2660    2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe  31
  PID 2392 wrote to memory of 2660    2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe  31
  PID 2392 wrote to memory of 2660    2392  1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1d4ae926a81595c2b7ab308f8e1ab31da4f5aad9912415ae41fb05c8d1c37d5dN.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2392
  - C:\Windows\system32\notepad.exe
    command line: notepad.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2660