Overview

overview

10

Static

static

3

quarantine...zX.exe

windows7-x64

10

quarantine...zX.exe

windows10-2004-x64

10

quarantine...LN.exe

windows7-x64

1

quarantine...LN.exe

windows10-2004-x64

10

quarantine...xj.exe

windows7-x64

10

quarantine...xj.exe

windows10-2004-x64

10

quarantine...uj.exe

windows7-x64

3

quarantine...uj.exe

windows10-2004-x64

3

quarantine...9F.exe

windows7-x64

8

quarantine...9F.exe

windows10-2004-x64

8

quarantine...LB.exe

windows7-x64

10

quarantine...LB.exe

windows10-2004-x64

10

quarantine...ty.exe

windows7-x64

10

quarantine...ty.exe

windows10-2004-x64

10

quarantine...Qw.exe

windows7-x64

3

quarantine...Qw.exe

windows10-2004-x64

7

quarantine...ff.exe

windows7-x64

10

quarantine...ff.exe

windows10-2004-x64

10

quarantine...nc.exe

windows7-x64

9

quarantine...nc.exe

windows10-2004-x64

9

quarantine...Ws.exe

windows7-x64

7

quarantine...Ws.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2025, 00:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    quarantine/7UlMpzX.exe

  • Size

    7.2MB

  • MD5

    e0a1a022d91e3dae3a9c14bbb4541a01

  • SHA1

    2d98ea30dd016810f927ec71fa42bef317570248

  • SHA256

    daa5a2f0707c44c65277c13161e7016e028fb77f87765ecc12203700b92742eb

  • SHA512

    4bc7dc56d2700bad42b1a57830240b8008a1c25e28683d5fe6714fb18d0c6debe68912797975c0ff391cd95e8828ff6fa9fb99ed4fe0a60a317cb2f39d3fb4ba

  • SSDEEP

    98304:Bh7bxT9owDrvzsex+ZX2vkPPAKMjOntYRmyzETNcsK:HJ3vzsA+kcwKZntYRmyzETK7

Score
10/10
xmrigminer

Malware Config

Signatures

  • XMRig Miner payload 2 IoCs
    miner
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe
    "C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
          "C:/Users/Admin/AppData/Local/Microsoft/ShellKernelBridge.exe"
          4⤵
          • Executes dropped EXE
          • Modifies system certificate store
          PID:1336
        • C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
          "C:/Users/Admin/AppData/Roaming/Oracle/VirtualBoxNetworkBridge.exe"
          4⤵
          • Executes dropped EXE
          • Modifies system certificate store
          PID:3096
        • C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
          "C:/Users/Admin/AppData/Local/DriverStore/winDriverChipsetService.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin
            "C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
    Filesize

    7.2MB

    MD5

    264b039e4b1a2357945ef11b21d8e0e2

    SHA1

    048ac96891a2c27606b020c48a48f3af1691f95a

    SHA256

    a265f252b49514cfeadbe0b707ca2bb49147040b1893f9b8ddc81d2746bb6c9b

    SHA512

    4fa9d3a02d0d893e5de9f1661be0e759f4c57dce479d0126050c4baf24f9bd0cc5de6cb297a11668fdbb6801bdf90293402eac7027c228f5ba09f4f25f75a517

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
    Filesize

    27KB

    MD5

    37af0a4faa5b323e4cb04bdbd8cca117

    SHA1

    4aaa6e6994e4ef5f55a155a6c561a3873c2b8e84

    SHA256

    61a30d43b723b8b2921bc7016325b45b0c055cb28ba83b1364164a4a3df6206f

    SHA512

    0a6e993e51fd9383c9e813145e8004892618156d45b94741dcf7cf9814214d7c8f8fca295dc639431098758dbd5e241980502f18ca2838c505cce4d0c4c32422

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\libcrypto-3-x64.dll
    Filesize

    6.3MB

    MD5

    8d9dc42ffefe2b3443add056784c98fb

    SHA1

    c2a97d2a372e4badacac196a1f6bcbecdcd35940

    SHA256

    d45ff6fdb2911d07efc3d47a2e0298534eab617d63e9eebd358d1686ed0992aa

    SHA512

    e04e07e7c7a8f9b9b98ca0e94767a64808295290a936b50786e06f6a65207dd6ee4fd423bc3e1639186005767e0522c3dd7ba23ac0cbe50116249717fd6c3b83

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\msvcp140.dll
    Filesize

    569KB

    MD5

    d424100821374848f3c22d0acd55ad69

    SHA1

    8e4f879faece2d5171b3d398202c74b7286c50b1

    SHA256

    a6e45d08e347eddc955e5074354fc9e98a48ee75587b73a18d01943527cf05a8

    SHA512

    f78085cbba49c4c2c4441d1483e63e9222ec5b4282b89c1e0c1ea0790972e5de452f82e61ceae7324c7466d33b9a5fc6224594cf574068c69bf949e94fb86ae6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140.dll
    Filesize

    126KB

    MD5

    7af17bfd24be72d5376c9c5ce86bef54

    SHA1

    23bf5fa4c467f28990cc878ef945f9f5db616b75

    SHA256

    bf28f4d89ea74cb5cecbf42b951bf0629d71efa6525cc58aee71aa5e06f1198a

    SHA512

    0783c5dae87f110cc9bb61355c92c4ef3a96f484bbce6354d7f4130bb92ffb655974fcac4fe11c8923dd81ddade7fa92c8e3d9c43d0a3d0a24dd3d30e626fb5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140_1.dll
    Filesize

    58KB

    MD5

    e2520906be67a9bde01ebe9e0a53aab5

    SHA1

    9a9e445a47508ba5e1126791a863107060d258a1

    SHA256

    fd8ee0936d0380962830e9c1a132b8b7bf25084cb342bb064f699a2daa343bc4

    SHA512

    6616df46da37f656ac3e1fe7b371792b249e3ff97f2cbcefc19e7854e384aba88f63e7afc7c81ba14d3d15d309146986b23e25c071f4d0150429009de110e9c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
    Filesize

    7.1MB

    MD5

    73913f6963f89dbf98c4f716ee545b8f

    SHA1

    c343d9b82c0680131ded13626029b65092276486

    SHA256

    fadbefdced9db4132541cca2fdb0a8da8d35757900150404c626cae9ab81d61a

    SHA512

    ccd744dad29ff8e98e7370cbb5f23b2a2f3b6c51f6afb12c2f84e85a1b71a7393ece650d26862569b0190d71a2e53a49f3b85b386fa3214fc4fa03300be80df2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
    Filesize

    7.2MB

    MD5

    190087de930ce9c533c4604443f5cabd

    SHA1

    55d528b565c618d85498ad3fd985dedcb2ed69ae

    SHA256

    48ce94f595dd7a5749abac13bc30acc30c7136aa315f227dafd99d659bb04d36

    SHA512

    264bf65deba869e179035eb19d7da6127a718c50a2d70f90b3f03de1167b82d27549811dc0a6cd4947fae8107d94de0a9e32685e3735208e6005576c641e073e

    Download Submit

  • C:\Users\Admin\AppData\Local\NhNotifSys\config.json
    Filesize

    259B

    MD5

    93fd8b513a142f97037826e300804f60

    SHA1

    07f061d4748e7daf66ae37e8503bfe5db598af0e

    SHA256

    f87865e5bd6b4419f4c8ea682bcbbbabcc029eefad1381b181e79324f202aea4

    SHA512

    f7511023530e1466b50b98a8f21ff0f23af94be3c5c6d23ab00ed1de618ef255eda3eee59165d7e2f1474dcf650a2bbac7592860202a6389d0971d322b8b64e3

    Download Submit

  • C:\Users\Admin\AppData\Local\NhNotifSys\yn7B9ZD53.bin
    Filesize

    7.1MB

    MD5

    7e34d2d140ef1a30edc86f38740ac4dc

    SHA1

    c24ebc49edc449c1d13654af4250ba068a02e40c

    SHA256

    6f4c245f3f7f2b591f8e8ef254e017b99a6b6c9381bfe0b16e2bde0170d242be

    SHA512

    d26fc00bf161127d9ce83708b18a2dee1d85f94ca7f4cd065a2153ab9c7754926851211ca643e0cd330dece4c86ca4ac01abfac26bd72933d84b51f51c3f4ec9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
    Filesize

    8.1MB

    MD5

    71fab897d51e93631b6f713dc0bc2c1d

    SHA1

    bff7f15042cb21d985fa128bf64406b755b8a2ae

    SHA256

    6a3764bee4d71c38181689ebc31fa2e78c268b43aff50bd07d0002429a4f49d9

    SHA512

    40b1de1a05ab68aea8bf83fe2f46ee795add6d788dc6fb4a8628481f22db7fa200729c002eca6c08b496ed747e8f96380e8f3b7f843f4ec915d1a669bba9a8e7

    Download Submit

  • memory/4120-58-0x0000028EE7240000-0x0000028EE7260000-memory.dmp

    Filesize

    128KB

    Download