Overview

overview

10

Static

static

3

4543499b6e...dN.exe

windows7-x64

10

4543499b6e...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe

  • Size

    2.8MB

  • MD5

    696933093026a17b449aad7f37c53f50

  • SHA1

    e76ea1f3b5f5b6c6fcdd6a1e75be1b2ee586188e

  • SHA256

    4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158d

  • SHA512

    db13f7aac7089701757dff507f4670e64de264637bfae549397838db4b1e5020bafbdeea154b798a01e64a8eecbabdc37e45505ddadf36cfa832a5ea258fdcd8

  • SSDEEP

    49152:hYnbuqL/W+N5ql4Ix+I410WhPP+a/SLAY0c4PFqwXuqT75VSU8rL/FyVbfUfe:hYnfL/W+NUl4Ix+IKHv/S0Y0nqcN8rrQ

Score
10/10
xmrigdiscoveryminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe
    "C:\Users\Admin\AppData\Local\Temp\4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system32\updatessm.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c startupdate.cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Windows\system32\taskkill.exe
          Taskkill /IM svchost.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:976
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system32\updatemssm.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c startmupdate.cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Users\Admin\AppData\Roaming\system32\gcc-win32.exe
          gcc-win32.exe -p123
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Users\Admin\AppData\Roaming\system32\svchost.exe
            "C:\Users\Admin\AppData\Roaming\system32\svchost.exe"
            5⤵
              PID:4912
          • C:\Windows\system32\taskkill.exe
            Taskkill /IM odbcad32.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system32\exitg.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c startgc.cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\system32\taskkill.exe
            Taskkill /F /IM gcc-win32.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
      • C:\Windows\regedit.exe
        "regedit.exe" "C:\Users\Admin\AppData\Roaming\system32\Register.reg"
        2⤵
        • Runs .reg file with regedit
        PID:1472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\system32\Register.reg
      Filesize

      628B

      MD5

      84a9659cb9564afc6791eca70c066422

      SHA1

      d5d7e32f76d75cc57d83e123f033fa00558f05cd

      SHA256

      c966ecadcbcbb2c0d5bf976d289d889b539ad894bd7bae8ad014fde087244af7

      SHA512

      115feba3cce086044b3ce837e6dd4c14c1a2d925eb21c8237be75a75969bc33d5c7fa1fdccf30045ce4a99e5d2f654562ed3d1f04b633d9489fafc5e6b074141

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\exitg.vbs
      Filesize

      142B

      MD5

      028636276bf1231239637b92c3f17135

      SHA1

      ba73b5d0bbee1fa9f28e37169a9d9033763d1292

      SHA256

      888c29b7635b31109fb5f05970aa5d3ad617a6aed9a5d82a652ecaccba89b419

      SHA512

      941fed68c0cdc46eedc3616428fc9811c52d5f34890ffa2e51e9b4e6d269657c38701ea18bcf539a4b4f0d89891e556896e3ce1fd79743eaf11c954b455d50b0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\gcc-win32.exe
      Filesize

      2.3MB

      MD5

      b8302ee6be78a9a6698a57c6f045ccdb

      SHA1

      16341b63d0ad84a2b8804029ff0ba5fbe268cbae

      SHA256

      d7a350b4de0cbc0168cbd53c5530e1a8d77fee4649017158e5ded7fc40f59d15

      SHA512

      139877898912767ad68a69ea80da66f41ea53829624ba79311a59f0ebb366ca945122fe6903bad31277996d46aee4cf8fafe816352ab76d5d8949cafe57fc72e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\startgc.cmd
      Filesize

      29B

      MD5

      cd14f4b9e63b1c9a707444a94c73fe68

      SHA1

      4ae31292aedb09f6b0e779954ee4b351590ab7ef

      SHA256

      dc6dbbfbc949b385d506735df2c4c3a261a11f79deec90b66fa5d114f9795eeb

      SHA512

      3fa1c64f7385a20770b03260837b86d6a13459ac241ac0aa4e11c716923b8ed196f23682064dd548a8647ff70015c1ee8baeafb7a78b6bdc4748379eeb72bd69

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\startmupdate.cmd
      Filesize

      46B

      MD5

      074bead13aaaa43e90ba2a47b598f9f2

      SHA1

      deb20a175247957ca6e8a7753e2a5ef90f4aa15e

      SHA256

      847bbdd96e6e60b2e5404ab2e68daa6c7d6d903f357858eb71be17d2e1dfdf0f

      SHA512

      c7685aa7b594d3ffffded9537c4822d7919ae1a603950b4f33d6727902d4807eb1ad879b271da65268423a7de359b3b4ce5d78582035b6fb1b12120486c08447

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\startupdate.cmd
      Filesize

      26B

      MD5

      d431bd74740daf8f8ebfde0353001ec0

      SHA1

      a99342840dc82ea8a2e38511217c65b0993bc977

      SHA256

      d975ba98edbdebac625fb9263026a4467fbf2050939dac9ca196e71b33339682

      SHA512

      55a141a3e0e3d8b3f534711b35ba7a1d6aa804b79d5598cad3600e47766061ce8e4da13f3dcc2211973524aa350e96e5474a9be3b402d62a660f203fea9d3404

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\svchost.exe
      Filesize

      6.0MB

      MD5

      530ae05c71d23d6433da64d4ca16e2b6

      SHA1

      705cc0c314ab3fd16ff19b31c4503e4fb3ec252d

      SHA256

      c030b525aeaac97878fad878c50028efbaf160d7a0fa35d7d9a381c38a105d5a

      SHA512

      3285829c5bb69c6b15426904f57880cad2388380ae096dd6930cced08595ccae94352dbb951aba5737b5d46dd881900a590a65c70d5d212d3f3370889cbdb7b5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\updatemssm.vbs
      Filesize

      147B

      MD5

      9a1254894c7df70b648538b8b25cbfac

      SHA1

      8edf34fab610b54a0da74bd4ca6de86f5688b54c

      SHA256

      2949dc7e32bece4017eaa9198a6dfdfe1edc19222007c350b771d646e2855143

      SHA512

      bf3b75038da35ce62aa22c441d9eb60ee546cc9900eea537852d14cf198fb4892af19060c260d59df040ea27dc90744fced5a6462674c96fc5caf4a94541aba3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\updatessm.vbs
      Filesize

      144B

      MD5

      ab001f69d685ec36982e3cb4b4b07441

      SHA1

      05afae7d51f76a85199b63663d20a48640ed8d36

      SHA256

      89a974d23b45ef34df5a4559a71aa967bca1e9deb82bb42ef81ec74e3f2e133f

      SHA512

      279de2639652d49e232b8d131c590728e12fa51461eccba4330599f7af030e6df608056cd8913b4aea7639d6cc087fc3dc542855374748cf98ab11a48d4f10a5

      Download Submit