Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-02-2025 03:21
Behavioral task: behavioral1
Sample: 70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe
Resource: win7-20240903-en
General
Target: 70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe
Size: 1.1MB
MD5: 4684d0fd885740ddae797397145c6d7c
SHA1: 16e8e03bfc090be20370a4d2195aca10121fd30f
SHA256: 70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71
SHA512: 10d23c576e56668cb2323bb3ba29c5987ecdfd3ce28639b6bbbf437da64252d475eb7f9226fbc0d121285ad704cfbecd22beb2fef48ff44882275df459052a67
SSDEEP: 24576:L5WSWbZuFbWHS8Zti1tauerlxK+sf0N8zHM/F0GBP87xaVUhffp10NwyG8:LUSQZuFai3aLrHK+fN8zHM2hf70NwyG8
Malware Config
Signatures
XMRig Miner payload (1 IoC)
resource | yara_rule
behavioral2/files/0x000c000000023b62-14.dat | family_xmrig_powershell_dropper

Xmrig family

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
17 | 4852 | powershell.exe
19 | 4852 | powershell.exe
43 | 4852 | powershell.exe
44 | 4852 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run PowerShell and hide display window.
pid | Process
4852 | powershell.exe

Drops startup file (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1 | 70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe

Drops file in System32 directory (23 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\benchmark_10M.cmd | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\config.json | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\pool_mine_example.cmd | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\rtm_ghostrider_example.cmd | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\start.cmd | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\WinRing0x64.sys | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\xmrig.exe | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\benchmark_10M.cmd | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\pool_mine_example.cmd | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\SHA256SUMS | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\benchmark_1M.cmd | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\SHA256SUMS | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\WinRing0x64.sys | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\xmrig.exe | powershell.exe
File created | C:\Windows\System32\xmrig.zip | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\config.json | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\rtm_ghostrider_example.cmd | powershell.exe
File created | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\solo_mine_example.cmd | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\solo_mine_example.cmd | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\start.cmd | powershell.exe
File opened for modification | C:\Windows\System32\xmrig.zip | powershell.exe
File created | C:\Windows\System32\WindowUpdate\WindowUpdate\cuda.zip | powershell.exe
File opened for modification | C:\Windows\System32\WindowUpdate\xmrig-6.19.2\benchmark_1M.cmd | powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4852 | powershell.exe
4852 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4852 | powershell.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 1064 wrote to memory of 4852 | 1064 | 70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe | 84
PID 1064 wrote to memory of 4852 | 1064 | 70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70ecc116b12f58e2d2816f968a253935214d489c059a598196013c7d14258c71.exe"
  PID: 1064
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1064)
    Command line: "powershell" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup\temp.ps1" -Verb RunAs
    PID: 4852
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2KB
MD5: 4c59dccd5e94fa645fbae1d5e1d8ae2e
SHA1: 63e020ad387e5aed855f933644dcfa1f3a4a270f
SHA256: 453ad2634b5f8097b3535b59cbcd5e8819df842066d6f3d4ddc441cf491309e4
SHA512: 45fec6758fffc8b89729da0eec11e841ea4a10012aec6214c9fc70be22709fb3a382a34ca7fadd376b7fe51b024e88de05c06d185637fd33a1d663b9852b7744