Windows Analysis Report
SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe
Overview
General Information
Detection | Score | Range | Whitelisted | Confidence
---|---|---|---|---
Xmrig | 100 | 0 - 100 | false | 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PersistenceViaHiddenTask
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe (PID: 6256, cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe", MD5: 11B29218685A3C58CAB85C9D39D52DCE)
- powershell.exe (PID: 6496, cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAWABzAGQAVAB5AHAAZQBcAFQAYQByAGcAZQB0AC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAagBvAG4AZQBzAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAWABzAGQAVAB5AHAAZQBcAFQAYQByAGcAZQB0AC4AZQB4AGUA, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6524, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WmiPrvSE.exe (PID: 1368, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- Target.exe (PID: 6616, cmdline: C:\Users\user\AppData\Roaming\XsdType\Target.exe, MD5: 11B29218685A3C58CAB85C9D39D52DCE)
- RegAsm.exe (PID: 7008, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe, MD5: A4EB36BAE72C5CB7392F2B85609D4A7E)
- Target.exe (PID: 1544, cmdline: C:\Users\user\AppData\Roaming\XsdType\Target.exe, MD5: 11B29218685A3C58CAB85C9D39D52DCE)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
(19 further entries not shown)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
(10 further entries not shown)
System Summary
Source: | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
Source: | Author: Florian Roth (Nextron Systems)