Overview

overview

10

Static

static

3

5DFCC42914...C4.exe

windows7-x64

10

5DFCC42914...C4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe

  • Size

    22.4MB

  • MD5

    aace2f404b58c132d732cc7c089beb13

  • SHA1

    ad555d52a8e00835c34da7865551f5868eba2494

  • SHA256

    5dfcc42914baca2ba754d7836500439f15f796a2566b415b6ca732311a07a5c4

  • SHA512

    9ea1dca54dc44d8fd980c83e3966dc58e85745cd856599d5a76110b80d1d8dc56a83394d622f98dcfcfcf874e66c3f0690bef9de9be53c5336de685d829ed1a2

  • SSDEEP

    393216:k0/oQErZFiA0BPeKyipOduNmF5j9fU1MuvZfZ+zwAFcNjkrHrjoGXE1sTLB:t/oFc9pGuNm7j1U7ZfZ+rcpkrXlXz3B

Score
10/10
xmrigdiscoveryminer

Malware Config

Signatures

  • XMRig Miner payload 3 IoCs
    miner
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe
    "C:\Users\Admin\AppData\Local\Temp\5DFCC42914BACA2BA754D7836500439F15F796A2566B415B6CA732311A07A5C4.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Roaming\xmrig.exe
      "C:\Users\Admin\AppData\Roaming\xmrig.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\config.json
    Filesize

    5KB

    MD5

    35f276d70858135989a8a3135bea8ef8

    SHA1

    a0337b26583f9be3282a6bce8f4d45b324207325

    SHA256

    a4ca0580fe102fd24de0a40106c90b22a1134948e6a7b78d3f085f9ad8713898

    SHA512

    ed2e2d2a668b1e2fc8c6d9743a72a509a5d87c71072ba785d326fbb9208a3f425207c7717a1eab2821ed3435a758ff64605319be7bd3fd4ea4d2a69abbe6ca43

    Download Submit

  • C:\Users\Admin\AppData\Roaming\xmrig-cuda.dll
    Filesize

    19.2MB

    MD5

    ae366485bc6133ad280340231a2267a3

    SHA1

    759bfb1f8bfde63c0f4bea1d0de2d86b7b7ea7dd

    SHA256

    2849c6b88f80f2f5613bf75595dce4cc69627dde0227c8f96da89617ee810e37

    SHA512

    081e71056e22d58d080edfb551c576e1785646de9e5136582bf7ce8591da227943cd7b3357699a6afd8c1fab5008813289d7b7af813d9ee2ac8c1d53ab9e7bb8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\xmrig.exe
    Filesize

    4.5MB

    MD5

    0b85eae86038116041ecc8d24ba2fadb

    SHA1

    bcfeff8a7b42e8836b7dea9f6d594e14f6b25cec

    SHA256

    cd0dcc3d3aab1dc613cd5b1ea4d3a066ab20768c60babb1a4e79df9da9144218

    SHA512

    ef0b17ae8d533c209491358f09826ea7b0cb5e5d7a435b80f574916624070036d5fcf30eb35c0d5c33b49c134f471734efdaef5154de51b1ce600b4fe51b9744

    Download Submit

  • memory/2576-4-0x0000000006F70000-0x000000000700C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2576-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-5-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2576-3-0x0000000006860000-0x0000000006866000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2576-2-0x000000000E8C0000-0x00000000112AC000-memory.dmp

    Filesize

    41.9MB

    Download

  • memory/2576-1-0x0000000000DA0000-0x0000000002414000-memory.dmp

    Filesize

    22.5MB

    Download

  • memory/2576-32-0x00000000750B0000-0x0000000075860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3364-23-0x000002D22B7B0000-0x000002D22B7D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3364-33-0x000002D22B920000-0x000002D22B940000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3364-34-0x000002D22B950000-0x000002D22B970000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3364-35-0x000002D22B970000-0x000002D22B990000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3364-36-0x000002D22B950000-0x000002D22B970000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3364-37-0x000002D22B970000-0x000002D22B990000-memory.dmp

    Filesize

    128KB

    Download