Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1574031 |
| MD5: | 53e3f2baca38239bd6025b9e18e5f202 |
| SHA1: | c8d0d5d1fcce95e253ad60d639f418ab3d98f094 |
| SHA256: | 012789b93b6d8186346fd774b7e428a8982c409b59fa845ba196ae89ac6706cb |
| Tags: | exeuser-Bitsight |
| Infos: |   |
 | |
Detection
Xmrig
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
file.exe (PID: 1536 cmdline: "C:\Users\ user\Deskt op\file.ex e" MD5: 53E3F2BACA38239BD6025B9E18E5F202) 
powershell.exe (PID: 6696 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -enc QQBkA GQALQBNAHA AUAByAGUAZ gBlAHIAZQB uAGMAZQAgA C0ARQB4AGM AbAB1AHMAa QBvAG4AUAB hAHQAaAAgA EMAOgBcAFU AcwBlAHIAc wBcAGEAbAB mAG8AbgBzA FwARABlAHM AawB0AG8Ac ABcAGYAaQB sAGUALgBlA HgAZQA7ACA AQQBkAGQAL QBNAHAAUAB yAGUAZgBlA HIAZQBuAGM AZQAgAC0AR QB4AGMAbAB 1AHMAaQBvA G4AUAByAG8 AYwBlAHMAc wAgAEMAOgB cAFUAcwBlA HIAcwBcAGE AbABmAG8Ab gBzAFwARAB lAHMAawB0A G8AcABcAGY AaQBsAGUAL gBlAHgAZQA 7AEEAZABkA C0ATQBwAFA AcgBlAGYAZ QByAGUAbgB jAGUAIAAtA EUAeABjAGw AdQBzAGkAb wBuAFAAYQB 0AGgAIABDA DoAXABVAHM AZQByAHMAX ABhAGwAZgB vAG4AcwBcA EEAcABwAEQ AYQB0AGEAX ABSAG8AYQB tAGkAbgBnA FwAVwBpAG4 AZABvAHMAQ wBQAFUAcwB 5AHMAdABlA G0ALgBlAHg AZQA7ACAAQ QBkAGQALQB NAHAAUAByA GUAZgBlAHI AZQBuAGMAZ QAgAC0ARQB 4AGMAbAB1A HMAaQBvAG4 AUAByAG8AY wBlAHMAcwA gAEMAOgBcA FUAcwBlAHI AcwBcAGEAb ABmAG8AbgB zAFwAQQBwA HAARABhAHQ AYQBcAFIAb wBhAG0AaQB uAGcAXABXA GkAbgBkAG8 AcwBDAFAAV QBzAHkAcwB 0AGUAbQAuA GUAeABlAA= = MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 2300 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
WmiPrvSE.exe (PID: 4308 cmdline: C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - aspnet_compiler.exe (PID: 1012 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\a spnet_comp iler.exe" MD5: DF5419B32657D2896514B6A1D041FE08) 
explorer.exe (PID: 6760 cmdline: explorer.e xe MD5: 662F4F92FDE3557E86D110526BB578D5) - aspnet_compiler.exe (PID: 5628 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\a spnet_comp iler.exe" MD5: DF5419B32657D2896514B6A1D041FE08) 
wscript.exe (PID: 1012 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Roa ming\Micro soft\Windo ws\Start M enu\Progra ms\Startup \WindosCPU system.vbs " MD5: A47CBE969EA935BDD3AB568BB126BC80) - WindosCPUsystem.exe (PID: 6600 cmdline:
"C:\Users\ user\AppDa ta\Roaming \WindosCPU system.exe " MD5: 53E3F2BACA38239BD6025B9E18E5F202)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
| MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
| MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
| |
| MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
| |
| Click to see the 1 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||