Overview

overview

10

Static

static

3

4b8f652ca1...88.exe

windows7-x64

10

4b8f652ca1...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/12/2024, 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b8f652ca183784f370a57243e127fe7e6bfec64bab0f364780f88db00179488.exe

  • Size

    2.5MB

  • MD5

    b4a802912838add056fb0aca7ee3a835

  • SHA1

    6c113b8a01c74594597ae873d12cd88fe2de789e

  • SHA256

    4b8f652ca183784f370a57243e127fe7e6bfec64bab0f364780f88db00179488

  • SHA512

    1b2bfe779d7d16f1349311cab87f564853f70e43de618aabbf75a12a87def3262c3fb5b09533b15881589b98f4bb7fa8886db004e5f2bd0e960cbe87c08c653b

  • SSDEEP

    49152:8dZ1pGrfiTny0UaSLUp1pkrV8+i+wo4gOsOhsxWfFmgCdVn/xwOhhb:+3Tn3Uv4p1pqTi+wLm7gEgCdd/m

Score
10/10
xmrigevasionexecutionminerpersistenceupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b8f652ca183784f370a57243e127fe7e6bfec64bab0f364780f88db00179488.exe
    "C:\Users\Admin\AppData\Local\Temp\4b8f652ca183784f370a57243e127fe7e6bfec64bab0f364780f88db00179488.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:540
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WinMngr"
      2⤵
      • Launches sc.exe
      PID:4312
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WinMngr" binpath= "C:\ProgramData\WinMngr\winmngrsa.exe" start= "auto"
      2⤵
      • Launches sc.exe
      PID:3936
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      2⤵
      • Launches sc.exe
      PID:1636
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WinMngr"
      2⤵
      • Launches sc.exe
      PID:3588
  • C:\ProgramData\WinMngr\winmngrsa.exe
    C:\ProgramData\WinMngr\winmngrsa.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2648
      • C:\Windows\system32\dwm.exe
        dwm.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1092

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WinMngr\winmngrsa.exe
      Filesize

      2.5MB

      MD5

      b4a802912838add056fb0aca7ee3a835

      SHA1

      6c113b8a01c74594597ae873d12cd88fe2de789e

      SHA256

      4b8f652ca183784f370a57243e127fe7e6bfec64bab0f364780f88db00179488

      SHA512

      1b2bfe779d7d16f1349311cab87f564853f70e43de618aabbf75a12a87def3262c3fb5b09533b15881589b98f4bb7fa8886db004e5f2bd0e960cbe87c08c653b

      Download Submit

    • memory/1092-21-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-15-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-24-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-19-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-20-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-18-0x0000023B1CC20000-0x0000023B1CC40000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1092-11-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-23-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-17-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-22-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-12-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-13-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-16-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1092-14-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2648-3-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2648-7-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2648-9-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2648-4-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2648-5-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2648-6-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

      Download