Edit tour

Windows Analysis Report
xB6r0wPRyb.exe

Overview

General Information

Sample name:	xB6r0wPRyb.exe renamed because original name is a hash value
Original sample name:	5fcb544f959283c6a069a7525ad0a2058b71245271ffbedfb481a47760821de2.exe
Analysis ID:	1480298
MD5:	16c310c40604c5cd011f47dee2db303a
SHA1:	91199e53743df3a3f9fa50c7f3df2a4f0c84cedb
SHA256:	5fcb544f959283c6a069a7525ad0a2058b71245271ffbedfb481a47760821de2
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Detected Stratum mining protocol

Found direct / indirect Syscall (likely to bypass EDR)

Found strings related to Crypto-Mining

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Potential thread-based time evasion detected

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

xB6r0wPRyb.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\xB6r0wPRyb.exe" MD5: 16C310C40604C5CD011F47DEE2DB303A)

conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 1272 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x134b10:$a1: mining.set_target 0x12bb30:$a2: XMRIG_HOSTNAME 0x131408:$a3: Usage: xmrig [OPTIONS] 0x12bb08:$a4: XMRIG_VERSION
Process Memory Space: xB6r0wPRyb.exe PID: 7040	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: xB6r0wPRyb.exe PID: 7040	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xac06a:$a1: mining.set_target 0xa733f:$a2: XMRIG_HOSTNAME 0xa8d82:$a3: Usage: xmrig [OPTIONS] 0xa7320:$a4: XMRIG_VERSION

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 1272, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO COINMINER XMR CoinMiner Usage - Source IP: 192.168.2.9 - Destination IP: 88.198.117.174

Timestamp:	2024-07-24T17:24:29.727255+0200
SID:	2826930
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	Crypto Currency Mining Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xB6r0wPRyb.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: xB6r0wPRyb.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xB6r0wPRyb.exe PID: 7040, type: MEMORYSTR

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.9:49706 -> 88.198.117.174:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 38 42 66 78 69 52 50 59 31 67 71 32 6b 45 67 53 47 47 4c 31 75 51 4e 75 6f 59 47 51 42 58 54 6d 54 31 65 46 62 38 76 42 56 34 31 62 45 6f 43 43 58 58 41 61 66 61 6f 52 51 59 74 52 58 66 70 6b 6f 7a 4b 6e 41 54 67 48 38 7a 76 36 39 36 67 59 70 45 68 4b 64 6e 32 71 38 68 45 70 69 4b 77 22 2c 22 70 61 73 73 22 3a 22 35 2e 36 73 70 31 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 32 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 31 2e 30 20 6d 73 76 63 2f 32 30 31 37 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8bfxirpy1gq2kegsggl1uqnuoygqbxtmt1efb8vbv41beoccxxaafaorqytrxfpkozknatgh8zv696gypehkdn2q8hepikw","pass":"5.6sp1","agent":"xmrig/6.19.2 (windows nt 10.0; win64; x64) libuv/1.31.0 msvc/2017","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}

Found strings related to Crypto-Mining

Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://
Source: xB6r0wPRyb.exe, 00000000.00000002.3785891804.000001AE85C98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: monerohash.com:80
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: XMRig 6.19.2

Source: xB6r0wPRyb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: auto.c3pool.org

Source: xB6r0wPRyb.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
Source: xB6r0wPRyb.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: xB6r0wPRyb.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: ~DF467384F1F2B8A484.TMP.0.dr	String found in binary or memory: http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM
Source: xB6r0wPRyb.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: xB6r0wPRyb.exe	String found in binary or memory: http://s.symcd.com06
Source: xB6r0wPRyb.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: xB6r0wPRyb.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: xB6r0wPRyb.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: xB6r0wPRyb.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: xB6r0wPRyb.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: xB6r0wPRyb.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: xB6r0wPRyb.exe PID: 7040, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

PE file contains section with special chars

Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Process Stats: CPU usage > 49%

Source: xB6r0wPRyb.exe

Static PE information: Number of sections : 16 > 10

Source: xB6r0wPRyb.exe, 00000000.00000003.1380894419.000001AE85850000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamejava.exeP. vs xB6r0wPRyb.exe
Source: xB6r0wPRyb.exe, 00000000.00000000.1337892916.00007FF779A08000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejava.exeP. vs xB6r0wPRyb.exe
Source: xB6r0wPRyb.exe	Binary or memory string: OriginalFilenamejava.exeP. vs xB6r0wPRyb.exe

Source: 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: xB6r0wPRyb.exe PID: 7040, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: xB6r0wPRyb.exe	Static PE information: Section: ZLIB complexity 1.0071754729288975
Source: xB6r0wPRyb.exe	Static PE information: Section: ZLIB complexity 1.0027679919476598
Source: xB6r0wPRyb.exe	Static PE information: Section: ZLIB complexity 0.998359983599836
Source: xB6r0wPRyb.exe	Static PE information: Section: ZLIB complexity 1.001002004008016

Source: classification engine

Classification label: mal100.evad.mine.winEXE@3/1@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_03

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

File created: C:\Users\user\AppData\Local\Temp\~DF467384F1F2B8A484.TMP

Jump to behavior

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xB6r0wPRyb.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\xB6r0wPRyb.exe "C:\Users\user\Desktop\xB6r0wPRyb.exe"
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: xB6r0wPRyb.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xB6r0wPRyb.exe

Static file information: File size 23395348 > 1048576

Source: xB6r0wPRyb.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x17e40b
Source: xB6r0wPRyb.exe	Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x140d400

Source: xB6r0wPRyb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name:
Source: xB6r0wPRyb.exe	Static PE information: section name: .imports
Source: xB6r0wPRyb.exe	Static PE information: section name: .themida
Source: xB6r0wPRyb.exe	Static PE information: section name: .boot
Source: xB6r0wPRyb.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Code function: 0_2_0000006E744FC208 push ecx; retf	0_2_0000006E744FC209
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Code function: 0_2_0000006E744FC718 pushad ; retf	0_2_0000006E744FC719
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Code function: 0_2_0000006E744FC1A8 push eax; ret	0_2_0000006E744FC1E1

Source: xB6r0wPRyb.exe	Static PE information: section name: entropy: 7.87743389445135
Source: xB6r0wPRyb.exe	Static PE information: section name: entropy: 7.92555741386833
Source: xB6r0wPRyb.exe	Static PE information: section name: entropy: 7.896548498610584
Source: xB6r0wPRyb.exe	Static PE information: section name: .taggant entropy: 6.835970853038605

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe TID: 1624	Thread sleep time: -112000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe TID: 7060	Thread sleep time: -52172s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Thread delayed: delay time: 52172

Jump to behavior

Source: xB6r0wPRyb.exe, 00000000.00000003.1383830766.000001AE83DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__#
Source: xB6r0wPRyb.exe, 00000000.00000002.3785891804.000001AE85C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xB6r0wPRyb.exe, 00000000.00000002.3785891804.000001AE85C98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	Process queried: DebugObjectHandle	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	NtQueryInformationProcess: Indirect: 0x7FF77B79E0E2	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	NtQuerySystemInformation: Indirect: 0x7FF77B77BADF	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	NtQueryInformationProcess: Indirect: 0x7FF77B7A4170	Jump to behavior
Source: C:\Users\user\Desktop\xB6r0wPRyb.exe	NtSetInformationThread: Indirect: 0x7FF77B7AAC24	Jump to behavior

Source: conhost.exe, 00000002.00000002.3785700837.000002540A221000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 00000002.00000002.3785700837.000002540A221000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000002.00000002.3785700837.000002540A221000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000002.00000002.3785700837.000002540A221000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	331 Virtualization/Sandbox Evasion	OS Credential Dumping	621 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	2 Software Packing	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	331 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
xB6r0wPRyb.exe	39%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
xB6r0wPRyb.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	0%	URL Reputation	safe
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
https://xmrig.com/benchmark/%s	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07	0%	Avira URL Cloud	safe
http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auto.c3pool.org	5.75.158.61	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/benchmark/%s	xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	xB6r0wPRyb.exe	false	URL Reputation: safe	unknown
https://xmrig.com/wizard	xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pro.corbis.com/search/searchresults.asp?txt=42-17167222&openImage=42-171672228BIM	~DF467384F1F2B8A484.TMP.0.dr	false	Avira URL Cloud: safe	unknown
http://pki-ocsp.symauth.com0	xB6r0wPRyb.exe	false	URL Reputation: safe	unknown
http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07	xB6r0wPRyb.exe	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	xB6r0wPRyb.exe, 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.198.117.174	unknown	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480298
Start date and time:	2024-07-24 17:21:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xB6r0wPRyb.exe renamed because original name is a hash value
Original Sample Name:	5fcb544f959283c6a069a7525ad0a2058b71245271ffbedfb481a47760821de2.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@3/1@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target xB6r0wPRyb.exe, PID 7040 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: xB6r0wPRyb.exe

Simulations

Behavior and APIs

Time	Type	Description
11:22:30	API Interceptor	1x Sleep call for process: xB6r0wPRyb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
88.198.117.174	c3p.exe	Get hash	malicious	Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
auto.c3pool.org	K4gsPJGEi4.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	x00zm3KVwb.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	DoublePulsar, ETERNALBLUE, Xmrig	Browse	5.161.70.189
	UO2z4n1Sxx.exe	Get hash	malicious	Unknown	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	c3p.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	SecuriteInfo.com.FileRepMalware.25283.7828.exe	Get hash	malicious	BlackMoon	Browse	5.161.70.189
	pg_ctlk.exe	Get hash	malicious	Xmrig	Browse	188.34.196.123
	logor.elf	Get hash	malicious	Xmrig	Browse	5.161.70.189
	qk6CviFPOs.exe	Get hash	malicious	Xmrig	Browse	5.161.70.189

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	5AECB2A5BC5447DC736C29882193FEF4F2B007299A1817C664E1BA6A028363CF.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	58BB54DE7A3ED504F85202B0CD55AC2DA9FC821B5695AA854703F885CD80B044.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	weH771UOWv.exe	Get hash	malicious	Sality	Browse	78.46.2.155
	54E3EE54FAC434E25C03DED56A4680F1EA40A245D657440AC9C51BE7F27EF656.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	483E.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	3B830041B11819A0FDF72F85D27C1C9D7327ED8264D414E1F996D774FD843BBF.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	353F5750A1B5537C368E78DF89E95E9A470E139FAC957DEF3C709C7D2C74F4CE.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	21E24220AA645B202184B2B6C637DAFFB1EBF14ADE9A24D5DE09B0E342FAD6E4.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	170B781D322D51B572EB6CCF8598281A5E3C9828FF2750184BF6C841A9DEC2D3.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	10B720B3E88249833192B82D80DF7FD4FB9CDFA75E01F812925CAAFEA6E7C2AB.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211

Process:	C:\Users\user\Desktop\xB6r0wPRyb.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	901120
Entropy (8bit):	7.918798349397588
Encrypted:	false
SSDEEP:	24576:2x5cyLzoy4z5LPrMcs5dmYOYFQn1s97QJv8wB:2zbL0zzJsKJS1QJv8wB
MD5:	6DE502CDFAD448559A118D514AAC5330
SHA1:	1BE69DECA1924590B2739956F1A5BAB203C73AB4
SHA-256:	1A254CD8A09B66710CBF518F4CE13E2C30C826883DC5E7EDCB00BF1CF7C89C7C
SHA-512:	2B2F86C32A0233477058888CD737937F989F1240A3B960B0D4543FB7AF8388EBBF491C341B28E874D386C119936384EAC0A12FBC657F09205C934E6AE5A65436
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.965517847824391
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xB6r0wPRyb.exe
File size:	23'395'348 bytes
MD5:	16c310c40604c5cd011f47dee2db303a
SHA1:	91199e53743df3a3f9fa50c7f3df2a4f0c84cedb
SHA256:	5fcb544f959283c6a069a7525ad0a2058b71245271ffbedfb481a47760821de2
SHA512:	e39f7f00b907fe6370c5d44ad3fb10c5dec1f2fe8f3cc5c93ce36a3e25316512a887f481e376baf4dec04ca12eb7d6106f521ab3ecccc631b600db49ef228692
SSDEEP:	393216:s4Tg6yjP+ZSJVKCi6Iq4Vw+lGNeII1Kke/+DCNaNzJdPT5:s4Tg6y7JJVKvpq41lGcIyq/+DZNPN
TLSH:	1D3733B7A9C5B890C5DE41B12A988985B713EAD5ED23092D343F771B8D7320FDB8B610
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........}\w..\w..\w....U.Qw....W..w....V.}w....c.Xw...../Uw...../.w...../zw....j.]w...../Nw....o.Kw..\w..6v...../hu...../zv...../_w.

File Icon


Icon Hash:	d08c8e8ea2868a54

Static PE Info

General

Entrypoint:	0x143ac9000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66150D27 [Tue Apr 9 09:40:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	62dc84212c31dc6fad4d7cd91eeaf282

Entrypoint Preview

Instruction
jmp 00007F4D10B30C3Ah
paddusb mm4, qword ptr [ecx+eax+00h]
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
push esp
inc ecx
inc edi
inc edi
add byte ptr [eax], ah
add byte ptr [eax], al
and ebx, dword ptr [ebx]
add byte ptr [eax], al
add dword ptr [eax], eax
xor byte ptr [edx+09061F1Bh], al
sub al, byte ptr [esi+0DF78648h]
add dword ptr [edi], eax
add ah, byte ptr [eax+30101B82h]
sbb byte ptr [ebx], 0000000Ch
add al, byte ptr [ecx]
add dword ptr [ecx], esi
or eax, 09060B30h
pushad
xchg byte ptr [eax+01h], cl
add eax, dword ptr [edx+eax]
add dword ptr [eax], esi
or byte ptr [edi], 00000021h
push es
or dword ptr [edx], ebp
xchg byte ptr [eax-7Ah], cl
test dword ptr [A0010701h], 04120F82h
or byte ptr [edi], 0000000Eh
rol byte ptr [eax], 1
add dword ptr [eax], eax
add al, cl
mov cl, A1h
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add ah, bl
int 50h
pop ecx
xchg eax, ebx
stosd
pushad
dec edi
pushad
into
add edx, edx
pop edx
mov eax, 46C5C0A6h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x806152	0x1a8	.imports
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x808000	0x7c5c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2698564	0x21714	.themida
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3ac8000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x807038	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x390cb0	0x17e40b	74af0aef08cc1e47ffc9b394ce9e5a54	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x392000	0x189ade	0x9b16f	b7c85e8b7165f7cc5b448138e5d3106c	False	0.986779945438546	data	7.9560094161857124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x51c000	0x2b0e40	0x3a67	00a41b63bded68e52e164b1ed927fd1e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x7cd000	0x215f4	0x1352a	65a91d60f65116132fb6339739ddc100	False	0.9566623708083795	data	7.7149869774130675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x7ef000	0xc56	0x5fd	7e4f74255a9f23dbdbae0fd0209c0d81	False	1.0071754729288975	data	7.87743389445135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x7f0000	0x26d1	0xf86	57703862d2060653454bfefb5ef4451d	False	1.0027679919476598	data	7.92555741386833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x7f3000	0x1184	0x987	e07a30e425fe4224101dca12007208dd	False	0.998359983599836	data	7.896548498610584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x7f5000	0x7c59	0x2ae2	a70bd9ac37df4f5ff911a5f3bb14caf2	False	1.001002004008016	data	7.965388009703109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x7fd000	0x87c0	0x24b5	29571d8cd69c1c3a601258ce1fa069d9	False	0.9480685325103757	data	7.9179432693449865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports	0x806000	0x1000	0x400	6cb4797928c34927778345fc13871892	False	0.333984375	data	3.0191147950274106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x807000	0x1000	0x200	7736d593dc1d638a984bfb118305285b	False	0.07421875	data	0.3504830562941642	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x808000	0x7e00	0x7e00	fb3b5197c29938bc016e2580aaec13c6	False	0.34281994047619047	data	5.842637242625163	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x810000	0x1eaa000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x26ba000	0x140d400	0x140d400	40c331f860014e71442c62b4f5d96091	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x3ac8000	0x1000	0x200	c6b0413ede768f62254e448370028915	False	0.056640625	GLS_BINARY_LSB_FIRST	0.2083944074398449	IMAGE_SCN_MEM_READ
.taggant	0x3ac9000	0x2200	0x2014	ee6b011b6023aa550903815d0649fe0d	False	0.597540185094983	DOS executable (COM)	6.835970853038605	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x808260	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.21890243902439024
RT_ICON	0x8088d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.3400537634408602
RT_ICON	0x808bd0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0	English	United States	0.35450819672131145
RT_ICON	0x808dc8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.46283783783783783
RT_ICON	0x808f00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.5026652452025586
RT_ICON	0x809db8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.5798736462093863
RT_ICON	0x80a670	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.40264976958525345
RT_ICON	0x80ad48	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.3273121387283237
RT_ICON	0x80b2c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.27344398340248965
RT_ICON	0x80d878	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.37875234521575984
RT_ICON	0x80e930	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.37868852459016394
RT_ICON	0x80f2c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4796099290780142
RT_GROUP_ICON	0x80f740	0xae	data	English	United States	0.5977011494252874
RT_VERSION	0x80f800	0x2cc	data			0.4720670391061452
RT_MANIFEST	0x80fadc	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
WS2_32.dll	ntohs
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	GetAdaptersAddresses
USERENV.dll	GetUserProfileDirectoryW
CRYPT32.dll	CertOpenStore
USER32.dll	GetProcessWindowStation
SHELL32.dll	SHGetSpecialFolderPathA
ole32.dll	CoInitializeEx
ADVAPI32.dll	GetUserNameW
bcrypt.dll	BCryptGenRandom

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T17:24:29.727255+0200	TCP	2826930	ETPRO COINMINER XMR CoinMiner Usage	49706	80	192.168.2.9	88.198.117.174

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 17:22:31.640219927 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:22:31.645510912 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:22:31.645628929 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:22:31.645807028 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:22:31.655133963 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:22:32.452227116 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:22:32.495217085 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:22:52.766968012 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:22:52.772156954 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:22:53.188446999 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:22:53.385832071 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:04.031424999 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:04.040086985 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:04.285531998 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:04.495248079 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:04.978291988 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:04.987255096 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:05.355923891 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:05.479582071 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:15.447870970 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:15.493190050 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:15.854744911 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:15.995332956 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:22.843478918 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:22.848895073 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:23.079660892 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:23.182718992 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:26.339174032 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:26.353221893 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:26.657047987 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:26.792294979 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:34.144223928 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:34.149497032 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:37.122237921 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:37.182760000 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:41.089427948 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:41.182810068 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:42.034167051 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:42.182883978 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:50.459295034 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:50.464509964 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:50.656512022 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:50.662329912 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:50.706053019 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:50.792203903 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:23:50.936367989 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:23:50.995296001 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:19.218815088 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:19.225641966 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:19.495121002 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:19.682998896 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:24.971645117 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:24.976752043 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:29.727255106 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:29.752036095 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:31.260550022 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:31.479777098 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:34.692567110 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:34.694581032 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:34.694679022 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:42.038511038 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:42.089155912 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:46.938905001 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:46.944124937 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:47.228172064 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:47.292382956 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:51.988657951 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:24:52.248099089 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:52.528841972 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:24:52.682890892 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:26:09.705801964 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:26:09.721287012 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:26:16.228357077 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:26:16.292431116 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:26:16.360104084 CEST	49706	80	192.168.2.9	88.198.117.174
Jul 24, 2024 17:26:16.366570950 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:26:24.558083057 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:26:24.681227922 CEST	80	49706	88.198.117.174	192.168.2.9
Jul 24, 2024 17:26:24.681317091 CEST	49706	80	192.168.2.9	88.198.117.174

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 17:22:31.625720978 CEST	58817	53	192.168.2.9	1.1.1.1
Jul 24, 2024 17:22:31.635876894 CEST	53	58817	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 17:22:31.625720978 CEST	192.168.2.9	1.1.1.1	0x6cb3	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 17:22:31.635876894 CEST	1.1.1.1	192.168.2.9	0x6cb3	No error (0)	auto.c3pool.org		5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 24, 2024 17:22:31.635876894 CEST	1.1.1.1	192.168.2.9	0x6cb3	No error (0)	auto.c3pool.org		88.198.117.174	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	88.198.117.174	80	7040	C:\Users\user\Desktop\xB6r0wPRyb.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 17:22:31.645807028 CEST	565	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 38 42 66 78 69 52 50 59 31 67 71 32 6b 45 67 53 47 47 4c 31 75 51 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"8BfxiRPY1gq2kEgSGGL1uQNuoYGQBXTmT1eFb8vBV41bEoCCXXAafaoRQYtRXfpkozKnATgH8zv696gYpEhKdn2q8hEpiKw","pass":"5.6sp1","agent":"XMRig/6.19.2 (Windows NT 10.0; Win64; x64) libuv/1.31.0 msvc/
Jul 24, 2024 17:22:32.452227116 CEST	413	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 34 35 37 30 34 39 32 31 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 30 31 30 31 Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"45704921","job":{"blob":"0101cbb784b506514ab40652e8e1070b407c33c5292bb7682449db20d2786073c968e357deb1ba00000000480b3988e047e2630e53448e437ba33c4c45e7fabbab7e6d285641dfd4f4d64301","algo":"rx/
Jul 24, 2024 17:22:52.766968012 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 34 35 37 30 34 39 32 31 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 34 35 37 30 Data Ascii: {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"45704921","job_id":"45704922","nonce":"f1820000","result":"0a03cb1ed834053b012db99762aa678bd636a96fbf8c03d744f89f1249e00400"}}
Jul 24, 2024 17:22:53.188446999 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 32 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":2,"error":null,"result":{"status":"OK"}}
Jul 24, 2024 17:23:04.031424999 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 34 35 37 30 34 39 32 31 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 34 35 37 30 Data Ascii: {"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"45704921","job_id":"45704922","nonce":"08920000","result":"0623fa4d6e35cc0d39c14292a04926e9f509d130e2e3b3205a75438775d80200"}}
Jul 24, 2024 17:23:04.285531998 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 33 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":3,"error":null,"result":{"status":"OK"}}
Jul 24, 2024 17:23:04.978291988 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 34 35 37 30 34 39 32 31 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 34 35 37 30 Data Ascii: {"id":4,"jsonrpc":"2.0","method":"submit","params":{"id":"45704921","job_id":"45704922","nonce":"72930000","result":"e6049458e310da3bbc6a89e63b005cb13541c1ffab500ae0974f44d1c2920b00"}}
Jul 24, 2024 17:23:05.355923891 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 34 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":4,"error":null,"result":{"status":"OK"}}
Jul 24, 2024 17:23:15.447870970 CEST	185	OUT	Data Raw: 7b 22 69 64 22 3a 35 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 34 35 37 30 34 39 32 31 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 34 35 37 30 Data Ascii: {"id":5,"jsonrpc":"2.0","method":"submit","params":{"id":"45704921","job_id":"45704922","nonce":"d2a10000","result":"e821bb827ed540d21cf245c495b0efea2f26280a1cfe60aca0b63fa832d60b00"}}
Jul 24, 2024 17:23:15.854744911 CEST	63	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 35 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":5,"error":null,"result":{"status":"OK"}}

Target ID:	0
Start time:	11:22:26
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\xB6r0wPRyb.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xB6r0wPRyb.exe"
Imagebase:	0x7ff779200000
File size:	23'395'348 bytes
MD5 hash:	16C310C40604C5CD011F47DEE2DB303A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000003.1380397964.000001AE874E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:22:26
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:23:14
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 000001AE83DDF093 Relevance: 70.5, Strings: 56, Instructions: 474COMMON

Download Yara Rule

Strings

O2 , xrefs: 000001AE83DDF3A2
[O2 , xrefs: 000001AE83DDF212
7O2 , xrefs: 000001AE83DDF292
_O2 , xrefs: 000001AE83DDF182
cO2 , xrefs: 000001AE83DDF1AA
qO2 , xrefs: 000001AE83DDF1FA
O2 , xrefs: 000001AE83DDF3BA
9O2 , xrefs: 000001AE83DDF28A
IO2 , xrefs: 000001AE83DDF25A
KO2 , xrefs: 000001AE83DDF252
WO2 , xrefs: 000001AE83DDF232
1O2 , xrefs: 000001AE83DDF2AA
]O2 , xrefs: 000001AE83DDF18A
O2 , xrefs: 000001AE83DDF33A
EO2 , xrefs: 000001AE83DDF272
-O2 , xrefs: 000001AE83DDF2BA
}O2 , xrefs: 000001AE83DDF1B2
O2 , xrefs: 000001AE83DDF3CA
wO2 , xrefs: 000001AE83DDF1E2
?O2 , xrefs: 000001AE83DDF282
/O2 , xrefs: 000001AE83DDF2B2
SO2 , xrefs: 000001AE83DDF222
CO2 , xrefs: 000001AE83DDF262
uO2 , xrefs: 000001AE83DDF1D2
!O2 , xrefs: 000001AE83DDF2C2
YO2 , xrefs: 000001AE83DDF21A
GO2 , xrefs: 000001AE83DDF27A
mO2 , xrefs: 000001AE83DDF1EA
O2 , xrefs: 000001AE83DDF3AA
yO2 , xrefs: 000001AE83DDF1DA
{O2 , xrefs: 000001AE83DDF1A2
gO2 , xrefs: 000001AE83DDF202
}L2 , xrefs: 000001AE83DDF502
eO2 , xrefs: 000001AE83DDF1CA
5O2 , xrefs: 000001AE83DDF29A
kO2 , xrefs: 000001AE83DDF19A
#O2 , xrefs: 000001AE83DDF2DA
MO2 , xrefs: 000001AE83DDF24A
O2 , xrefs: 000001AE83DDF3C2
OO2 , xrefs: 000001AE83DDF242
3O2 , xrefs: 000001AE83DDF2A2
+O2 , xrefs: 000001AE83DDF2D2
wL2 , xrefs: 000001AE83DDF512
sO2 , xrefs: 000001AE83DDF20A
QO2 , xrefs: 000001AE83DDF23A
UO2 , xrefs: 000001AE83DDF22A
O2 , xrefs: 000001AE83DDF372
O2 , xrefs: 000001AE83DDF3D2
iO2 , xrefs: 000001AE83DDF192
oO2 , xrefs: 000001AE83DDF1F2
aO2 , xrefs: 000001AE83DDF1C2
AO2 , xrefs: 000001AE83DDF26A
O2 , xrefs: 000001AE83DDF32A
O2 , xrefs: 000001AE83DDF3B2
%O2 , xrefs: 000001AE83DDF2CA
{L2 , xrefs: 000001AE83DDF50A

Memory Dump Source

Source File: 00000000.00000002.3785503683.000001AE83DCC000.00000004.00000020.00020000.00000000.sdmp, Offset: 000001AE83DCC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1ae83dcc000_xB6r0wPRyb.jbxd

Similarity

API ID:
String ID: O2 $O2 $!O2 $#O2 $%O2 $+O2 $-O2 $/O2 $1O2 $3O2 $5O2 $7O2 $9O2 $?O2 $AO2 $CO2 $EO2 $GO2 $IO2 $KO2 $MO2 $OO2 $QO2 $SO2 $UO2 $WO2 $YO2 $[O2 $]O2 $_O2 $aO2 $cO2 $eO2 $gO2 $iO2 $kO2 $mO2 $oO2 $qO2 $sO2 $uO2 $wL2 $wO2 $yO2 ${L2 ${O2 $}L2 $}O2 $O2 $O2 $O2 $O2 $O2 $O2 $O2 $O2
API String ID: 0-889748398
Opcode ID: 654fb4c60f2bf33f97953797408f74fff1b08d9ef19a32e0c92aea847fa2bdea
Instruction ID: 40e544a498bee0741ed747139f861bf238530bbb219f69d69bb7dc81e074dd4a
Opcode Fuzzy Hash: 654fb4c60f2bf33f97953797408f74fff1b08d9ef19a32e0c92aea847fa2bdea
Instruction Fuzzy Hash: 11F10A2D606D82FFD71517E3A65884DF665FFF5310729C38788609AB998634CC4FC2A2

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xB6r0wPRyb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF467384F1F2B8A484.TMP

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
xB6r0wPRyb.exe