Overview

overview

10

Static

static

10

adivina.exe

windows10-2004-x64

10

adivina.exe

windows10-ltsc 2021-x64

10

Resubmissions

30-01-2025 23:28

250130-3gcyzaxpcn 10

30-01-2025 23:25

250130-3ejzhavrcz 10

Analysis

  • max time kernel
    32s
  • max time network
    35s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    30-01-2025 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    adivina.exe

  • Size

    1.1MB

  • MD5

    4684d0fd885740ddae797397145c6d7c

  • SHA1

    16e8e03bfc090be20370a4d2195aca10121fd30f

  • SHA256

    70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71

  • SHA512

    10d23c576e56668cb2323bb3ba29c5987ecdfd3ce28639b6bbbf437da64252d475eb7f9226fbc0d121285ad704cfbecd22beb2fef48ff44882275df459052a67

  • SSDEEP

    24576:L5WSWbZuFbWHS8Zti1tauerlxK+sf0N8zHM/F0GBP87xaVUhffp10NwyG8:LUSQZuFai3aLrHK+fN8zHM2hf70NwyG8

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • XMRig Miner payload 1 IoCs
    miner
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Drops startup file 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adivina.exe
    "C:\Users\Admin\AppData\Local\Temp\adivina.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup\temp.ps1" -Verb RunAs
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iik0ssin.2ux.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1
    Filesize

    2KB

    MD5

    4c59dccd5e94fa645fbae1d5e1d8ae2e

    SHA1

    63e020ad387e5aed855f933644dcfa1f3a4a270f

    SHA256

    453ad2634b5f8097b3535b59cbcd5e8819df842066d6f3d4ddc441cf491309e4

    SHA512

    45fec6758fffc8b89729da0eec11e841ea4a10012aec6214c9fc70be22709fb3a382a34ca7fadd376b7fe51b024e88de05c06d185637fd33a1d663b9852b7744

    Download Submit

  • memory/1588-2-0x00007FF83B503000-0x00007FF83B505000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1588-3-0x0000017EE2A00000-0x0000017EE2A22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1588-13-0x00007FF83B500000-0x00007FF83BFC2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1588-15-0x00007FF83B500000-0x00007FF83BFC2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1588-16-0x00007FF83B500000-0x00007FF83BFC2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1588-17-0x00007FF83B503000-0x00007FF83B505000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1588-18-0x00007FF83B500000-0x00007FF83BFC2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1588-19-0x00007FF83B500000-0x00007FF83BFC2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1588-21-0x00007FF83B500000-0x00007FF83BFC2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3544-1-0x00007FF6336D0000-0x00007FF6337AF000-memory.dmp

    Filesize

    892KB

    Download