Analysis
max time kernel: 15s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 14:01
Behavioral task
behavioral1
Sample: 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
Resource: win7-20241023-en
General
Target: 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
Size: 784KB
MD5: df7640853bdebbf07e75982fbaae9380
SHA1: 7d3d7ff33c05a78a568a2d7e16fceb79f3c93ac6
SHA256: 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165
SHA512: 175005f460036ffeb7a494acae330b5ee30d2cbd59963bcd9297c560e0db6d4d848b554398807369c8a1ba518c18228f7e92682908b3c16cd2a8fac77e8eb7c5
SSDEEP: 24576:zmQq1PwUDdqVAfgjQZxeUA+an6ihZlb8eq0L495DQ6:q1PKjQZxt9an6kR8eq0E9
Malware Config
Signatures
Xmrig family

XMRig Miner payload (7 IoCs)
resource | yara_rule
behavioral1/memory/2160-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
behavioral1/memory/2160-15-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
behavioral1/memory/2476-18-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
behavioral1/memory/2476-33-0x00000000005A0000-0x000000000071F000-memory.dmp | xmrig
behavioral1/memory/2476-34-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
behavioral1/memory/2476-23-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
behavioral1/memory/2476-32-0x0000000003000000-0x0000000003193000-memory.dmp | xmrig
Deletes itself (1 IoC)
pid | Process
2476 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

Executes dropped EXE (1 IoC)
pid | Process
2476 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

Loads dropped DLL (1 IoC)
pid | Process
2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

resource | yara_rule
behavioral1/memory/2160-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
behavioral1/files/0x000c000000012281-16.dat | upx
behavioral1/memory/2160-14-0x00000000032C0000-0x00000000035D2000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
2476 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2160 wrote to memory of 2476 | 2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe | 31
PID 2160 wrote to memory of 2476 | 2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe | 31
PID 2160 wrote to memory of 2476 | 2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe | 31
PID 2160 wrote to memory of 2476 | 2160 | 78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe"
  PID: 2160
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe (child of PID 2160)
    command line: C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
    PID: 2476
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
  Filesize: 784KB
  MD5: 92271f4a695cee1fa3e792c5f99595bd
  SHA1: 15c774ba7b56d2230e3c1ea207508d1e90f71abd
  SHA256: ea7c53daad6f0d39611270c9b72dddcd4f38907a2a71e58f735ad8b75521dfb0
  SHA512: 394d5115f2c9a72ed37f6a75a868ec34af11b5ef877668988c1156f62d208b179c4be6692ab3c677fc2f0a34df0d7140ac3e2d9e6d6ba15ee5551f56a5aca4cf