Analysis Overview
SHA256
99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837b
Threat Level: Known bad
The file 99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe was found to be: Known bad.
Malicious Activity Summary
Metasploit family
Xmrig family
XMRig Miner payload
xmrig
MetaSploit
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:23
Signatures
Metasploit family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:23
Reported
2024-11-13 13:25
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
102s
Command Line
Signatures
MetaSploit
Metasploit family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
xmrig
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe | C:\Users\Admin\AppData\Local\Temp\getter.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\getter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe | N/A |
| N/A | N/A | C:\windows\Temp\golang-updater.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\getter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\windows\Temp\golang-updater.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\windows\Temp\golang-updater.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\windows\Temp\golang-updater.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe
"C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe"
C:\Users\Admin\AppData\Local\Temp\getter.exe
getter.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe"
C:\windows\Temp\golang-updater.exe
C:/windows/Temp/golang-updater.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | fi.salvium.herominers.com | udp |
| FI | 37.27.63.70:1230 | fi.salvium.herominers.com | tcp |
| US | 8.8.8.8:53 | 70.63.27.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4904-0-0x0000000000550000-0x0000000000551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\getter.exe
| MD5 | 29b9a3177286d75c54c2b5e47c9eae0a |
| SHA1 | bd9e461f79fa739d9ec4882fba0ad970d990dca6 |
| SHA256 | 0b73f3f47424d3a84d8fe9eda96b3e860d8004d60070a328d22ab82d0b68a3ef |
| SHA512 | 76fd106fe9ea66841f66b1e85301f922635f69af3c03ac4a3b62a4b94fbf07058129dc8488cc333e30b1b8e6ae1426be5c55980d8ae96cce542ebed286251f68 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe
| MD5 | 201127bcc5d2c9c80506f3a764854aad |
| SHA1 | 94732cf4b8506b7d4c915123103017c16b82be6b |
| SHA256 | 4256c72eabdc5e2e4619ab42a4a7e9e638477a5507555971376e0ca1b2a3779b |
| SHA512 | adfe60f72e89317381347f7f7ff963c7f4a4eb881e54a7baa78a86a5440db7f0c1e74b50e8e4111332891833befbdc4a4906ba3364287789bfca90f0f3074e19 |
C:\Windows\Temp\golang-updater.exe
| MD5 | 4055c2f21690a86aa71ddd9ce4aa5112 |
| SHA1 | 5346ee531ae5b75651a3bdc3a26b5434a1894faa |
| SHA256 | aff7e5faf63d3d1571b7b166e2423dcd287ca8f6c3afffa68c74be148981115e |
| SHA512 | f60eaf7d27a62fe6a5b0acf53551e0c4d71ff01f1aa43f3256430e72ec85d2c255539679e58b334cfc5a2319b6420ddeb73597a4e9f7ffc083d393a3a8fe40bb |
memory/4040-14-0x000001C06CB40000-0x000001C06CB60000-memory.dmp
memory/4040-17-0x000001C06CB90000-0x000001C06CBB0000-memory.dmp
memory/4040-18-0x000001C06CBB0000-0x000001C06CBD0000-memory.dmp
memory/4040-19-0x000001C06CBD0000-0x000001C06CBF0000-memory.dmp
memory/4040-20-0x000001C06CBB0000-0x000001C06CBD0000-memory.dmp
memory/4040-21-0x000001C06CBD0000-0x000001C06CBF0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:23
Reported
2024-11-13 13:25
Platform
win7-20240729-en
Max time kernel
16s
Max time network
20s
Command Line
Signatures
MetaSploit
Metasploit family
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\getter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | C:\Users\Admin\AppData\Local\Temp\getter.exe |
| PID 2904 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | C:\Users\Admin\AppData\Local\Temp\getter.exe |
| PID 2904 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | C:\Users\Admin\AppData\Local\Temp\getter.exe |
| PID 2904 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe | C:\Users\Admin\AppData\Local\Temp\getter.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe
"C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe"
C:\Users\Admin\AppData\Local\Temp\getter.exe
getter.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2904-0-0x0000000000030000-0x0000000000031000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1D52.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1D65.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\AppData\Local\Temp\getter.exe
| MD5 | 29b9a3177286d75c54c2b5e47c9eae0a |
| SHA1 | bd9e461f79fa739d9ec4882fba0ad970d990dca6 |
| SHA256 | 0b73f3f47424d3a84d8fe9eda96b3e860d8004d60070a328d22ab82d0b68a3ef |
| SHA512 | 76fd106fe9ea66841f66b1e85301f922635f69af3c03ac4a3b62a4b94fbf07058129dc8488cc333e30b1b8e6ae1426be5c55980d8ae96cce542ebed286251f68 |