Malware Analysis Report

2024-12-07 09:54

Sample ID 241113-qmrm4asele
Target 99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe
SHA256 99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837b
Tags metasploit xmrig backdoor discovery miner trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837b

Threat Level: Known bad

The file 99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe was found to be: Known bad.

Malicious Activity Summary

metasploit xmrig backdoor discovery miner trojan

Metasploit family

Xmrig family

XMRig Miner payload

xmrig

MetaSploit

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 13:23

Signatures

Metasploit family

metasploit

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 13:23

Reported

2024-11-13 13:25

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

XMRig Miner payload

miner

Xmrig family

xmrig

xmrig

miner xmrig

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe C:\Users\Admin\AppData\Local\Temp\getter.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\getter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe N/A
(the report lists 64 identical entries for this process)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\windows\Temp\golang-updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\windows\Temp\golang-updater.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\windows\Temp\golang-updater.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe

"C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe"

C:\Users\Admin\AppData\Local\Temp\getter.exe

getter.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe"

C:\windows\Temp\golang-updater.exe

C:/windows/Temp/golang-updater.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 fi.salvium.herominers.com udp
FI 37.27.63.70:1230 fi.salvium.herominers.com tcp
US 8.8.8.8:53 70.63.27.37.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4904-0-0x0000000000550000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\getter.exe

MD5 29b9a3177286d75c54c2b5e47c9eae0a
SHA1 bd9e461f79fa739d9ec4882fba0ad970d990dca6
SHA256 0b73f3f47424d3a84d8fe9eda96b3e860d8004d60070a328d22ab82d0b68a3ef
SHA512 76fd106fe9ea66841f66b1e85301f922635f69af3c03ac4a3b62a4b94fbf07058129dc8488cc333e30b1b8e6ae1426be5c55980d8ae96cce542ebed286251f68

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe

MD5 201127bcc5d2c9c80506f3a764854aad
SHA1 94732cf4b8506b7d4c915123103017c16b82be6b
SHA256 4256c72eabdc5e2e4619ab42a4a7e9e638477a5507555971376e0ca1b2a3779b
SHA512 adfe60f72e89317381347f7f7ff963c7f4a4eb881e54a7baa78a86a5440db7f0c1e74b50e8e4111332891833befbdc4a4906ba3364287789bfca90f0f3074e19

C:\Windows\Temp\golang-updater.exe

MD5 4055c2f21690a86aa71ddd9ce4aa5112
SHA1 5346ee531ae5b75651a3bdc3a26b5434a1894faa
SHA256 aff7e5faf63d3d1571b7b166e2423dcd287ca8f6c3afffa68c74be148981115e
SHA512 f60eaf7d27a62fe6a5b0acf53551e0c4d71ff01f1aa43f3256430e72ec85d2c255539679e58b334cfc5a2319b6420ddeb73597a4e9f7ffc083d393a3a8fe40bb

memory/4040-14-0x000001C06CB40000-0x000001C06CB60000-memory.dmp

memory/4040-17-0x000001C06CB90000-0x000001C06CBB0000-memory.dmp

memory/4040-18-0x000001C06CBB0000-0x000001C06CBD0000-memory.dmp

memory/4040-19-0x000001C06CBD0000-0x000001C06CBF0000-memory.dmp

memory/4040-20-0x000001C06CBB0000-0x000001C06CBD0000-memory.dmp

memory/4040-21-0x000001C06CBD0000-0x000001C06CBF0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 13:23

Reported

2024-11-13 13:25

Platform

win7-20240729-en

Max time kernel

16s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\getter.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe

"C:\Users\Admin\AppData\Local\Temp\99d8695eee60a5a2aa4834e8292d3020bc4b15b48161ed9c03dd735c21f1837bN.exe"

C:\Users\Admin\AppData\Local\Temp\getter.exe

getter.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

memory/2904-0-0x0000000000030000-0x0000000000031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1D52.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1D65.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\getter.exe

MD5 29b9a3177286d75c54c2b5e47c9eae0a
SHA1 bd9e461f79fa739d9ec4882fba0ad970d990dca6
SHA256 0b73f3f47424d3a84d8fe9eda96b3e860d8004d60070a328d22ab82d0b68a3ef
SHA512 76fd106fe9ea66841f66b1e85301f922635f69af3c03ac4a3b62a4b94fbf07058129dc8488cc333e30b1b8e6ae1426be5c55980d8ae96cce542ebed286251f68