Play interactive tour

Edit tour

Analysis Report serviced.tdi

Overview

General Information

Sample Name:	serviced.tdi (renamed file extension from tdi to exe)
Analysis ID:	405856
MD5:	bd6b3af64183f135aa4b1b0c5f621c40
SHA1:	1e0206606744cc0aa4e502868f96a4bfc322589d
SHA256:	296bd876cf3ea030ac7c168bb0bd1c1cc42cbf364c63193face2fd3c2ab304db
Infos:
Most interesting Screenshot:

Detection

Xmrig

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Found strings related to Crypto-Mining

Potential time zone aware malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Startup

System is w10x64

serviced.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\serviced.exe' MD5: BD6B3AF64183F135AA4B1B0C5F621C40)

conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
serviced.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x234851:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
serviced.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.234457207.00007FF6933B0000.00000002.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: serviced.exe PID: 5720	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.serviced.exe.7ff6931f0000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x234851:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
0.2.serviced.exe.7ff6931f0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.0.serviced.exe.7ff6931f0000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x234851:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
0.0.serviced.exe.7ff6931f0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: serviced.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: serviced.exe	Virustotal: Detection: 63%	Perma Link
Source: serviced.exe	Metadefender: Detection: 42%	Perma Link
Source: serviced.exe	ReversingLabs: Detection: 68%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: serviced.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234457207.00007FF6933B0000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: serviced.exe PID: 5720, type: MEMORY
Source: Yara match	File source: 0.2.serviced.exe.7ff6931f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.serviced.exe.7ff6931f0000.0.unpack, type: UNPACKEDPE

Found strings related to Crypto-Mining

Show sources

Source: serviced.exe, 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	String found in binary or memory: stratum+tcp://
Source: serviced.exe, 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	String found in binary or memory: cryptonight/0
Source: serviced.exe, 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	String found in binary or memory: stratum+tcp://
Source: serviced.exe, 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: serviced.exe, 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: serviced.exe, 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp	String found in binary or memory: XMRig 6.3.0

Source: serviced.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: serviced.exe	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: serviced.exe, ConDrv.0.dr	String found in binary or memory: https://xmrig.com/wizard
Source: serviced.exe	String found in binary or memory: https://xmrig.com/wizard%s

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: serviced.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.2.serviced.exe.7ff6931f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.serviced.exe.7ff6931f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth

Source: serviced.exe

Static PE information: Number of sections : 11 > 10

Source: serviced.exe	Binary or memory string: OriginalFilename vs serviced.exe
Source: serviced.exe, 00000000.00000000.232596826.00007FF693780000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameserviced.tdi0 vs serviced.exe
Source: serviced.exe	Binary or memory string: OriginalFilenameserviced.tdi0 vs serviced.exe

Source: serviced.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0.2.serviced.exe.7ff6931f0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0.0.serviced.exe.7ff6931f0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc

Source: classification engine

Classification label: mal80.evad.mine.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_01

Source: C:\Users\user\Desktop\serviced.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: serviced.exe	Virustotal: Detection: 63%
Source: serviced.exe	Metadefender: Detection: 42%
Source: serviced.exe	ReversingLabs: Detection: 68%

Source: serviced.exe	String found in binary or memory: if(p-start_p>size_limit)
Source: serviced.exe	String found in binary or memory: -h, --help display this help and exit
Source: serviced.exe	String found in binary or memory: -h, --help display this help and exit
Source: serviced.exe	String found in binary or memory: --help
Source: serviced.exe	String found in binary or memory: --help
Source: serviced.exe	String found in binary or memory: --help--version--export-topology--print-platforms%s
Source: serviced.exe	String found in binary or memory: --help--version--export-topology--print-platforms%s

Source: unknown	Process created: C:\Users\user\Desktop\serviced.exe 'C:\Users\user\Desktop\serviced.exe'
Source: C:\Users\user\Desktop\serviced.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: serviced.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: serviced.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: serviced.exe

Static file information: File size 2599936 > 1048576

Source: serviced.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bf000

Source: serviced.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: serviced.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: serviced.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: serviced.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: serviced.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: serviced.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: serviced.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: serviced.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: serviced.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: serviced.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: serviced.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: serviced.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: serviced.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: serviced.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: serviced.exe	Static PE information: section name: _RANDOMX
Source: serviced.exe	Static PE information: section name: _SHA3_25
Source: serviced.exe	Static PE information: section name: _TEXT_CN
Source: serviced.exe	Static PE information: section name: _TEXT_CN
Source: serviced.exe	Static PE information: section name: _RDATA

Malware Analysis System Evasion:

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\serviced.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\serviced.exe

Code function: 0_2_00007FF69335D928 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF69335D928

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	System Time Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
serviced.exe	63%	Virustotal		Browse
serviced.exe	45%	Metadefender		Browse
serviced.exe	69%	ReversingLabs	Win64.Trojan.Ulise
serviced.exe	100%	Avira	HEUR/AGEN.1134782

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.serviced.exe.7ff6931f0000.0.unpack	100%	Avira	HEUR/AGEN.1134782		Download File
0.2.serviced.exe.7ff6931f0000.0.unpack	100%	Avira	HEUR/AGEN.1134782		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	Virustotal		Browse
https://xmrig.com/wizard%s	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/wizard	serviced.exe, ConDrv.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://xmrig.com/wizard%s	serviced.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	serviced.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	405856
Start date:	06.05.2021
Start time:	13:38:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	serviced.tdi (renamed file extension from tdi to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.evad.mine.winEXE@2/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 50%) Quality average: 50% Quality standard deviation: 50%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Execution Graph export aborted for target serviced.exe, PID 5720 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\serviced.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	5.243194763075152
Encrypted:	false
SSDEEP:	3:oVXUNI5hWdfmtqLMTOUWJRWGKLQCSKzcovo9UNI5hWdfmJ6EJAFd8CQIMQDKeBJB:o9UajU4wMCNJAG25zZvvajUs6g6QIR/p
MD5:	CCDAAE85568646FAF86030D3D901DE79
SHA1:	F28A7A8DFB7EBB3CDD1B3E7FE7B89061EB49D044
SHA-256:	02873C2063667944FD2ED43C6A6672C74D5A97C3458D8BAAC5D213A771C94543
SHA-512:	1C197605B6BED326D5FA2CFE13FB6011AF7CC933F7D7CB2DA5EDE07C2B09292FC1C02FD2242826CBEFE4AB0B51EAD2829F62F7294BB55836D54EF1BAAE96B594
Malicious:	false
Reputation:	low
Preview:	[2021-05-06 13:38:59.215] unable to open "C:\Users\user\Desktop\config.json"....[2021-05-06 13:38:59.219] no valid configuration found, try https://xmrig.com/wizard...

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.6510485626614315
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	serviced.exe
File size:	2599936
MD5:	bd6b3af64183f135aa4b1b0c5f621c40
SHA1:	1e0206606744cc0aa4e502868f96a4bfc322589d
SHA256:	296bd876cf3ea030ac7c168bb0bd1c1cc42cbf364c63193face2fd3c2ab304db
SHA512:	ee094bcc839898f965b89e175a70afaeaf0aa7cbf3b31a3e7fc751d332c3b27f2a9b533d3c20e02b9f78c419d5812cdf22d805518b6e20b1fe189971039ee749
SSDEEP:	49152:nUq/xA8CVUbPZtkReB150kkWpQ040nkMXVDEFPfUpd0svTmXWEeE/NqKb1V5icYs:I8Cf0nkMXVDE1fUpd8GDEVbU5o1
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$..........].l`..l`..l`...d..l`...c..l`...e.<l`.e....l`.0.d..l`.0.c..l`.0.e.ml`.}.d..l`...a..l`..la..m`.~.d..l`.}.i.!l`.}.c..l`.}....l`

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x14016d3d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5F108EA7 [Thu Jul 16 17:30:15 2020 UTC]
TLS Callbacks:	0x4016d100, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3f1f0d4aa47f176f73d27fe9822c5564

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6874DCE6FCh
dec eax
add esp, 28h
jmp 00007F6874DCE027h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F6874DCE1C2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F6874DCE1C5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F6874DCE1BDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F6874DCD4EEh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [eax+eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x257764	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x591000	0x489	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x57a000	0xf228	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x592000	0x2828	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x236f80	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2370d0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x236fa0	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c0000	0x888	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bee74	0x1bf000	False	0.441226011955	data	6.52836893365	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x1c0000	0x99448	0x99600	False	0.340080926548	data	6.19521483951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25a000	0x31f58c	0xbe00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x57a000	0xf228	0xf400	False	0.490666623975	data	6.01051620103	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RANDOMX	0x58a000	0x656	0x800	False	0.462890625	data	5.18245105182	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_SHA3_25	0x58b000	0x940	0xa00	False	0.451953125	data	4.58315867551	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_TEXT_CN	0x58c000	0x18ce	0x1a00	False	0.328575721154	data	6.00096849672	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_TEXT_CN	0x58e000	0x1184	0x1200	False	0.533203125	data	6.04792421687	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x590000	0x94	0x200	False	0.20703125	data	1.4151801171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x591000	0x489	0x600	False	0.373046875	data	3.42711019722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x592000	0x2828	0x2a00	False	0.278738839286	data	5.39571576287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x5910a0	0x26c	data
RT_MANIFEST	0x59130c	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
WS2_32.dll	ntohs, WSASetLastError, WSAStartup, select, WSARecvFrom, WSASocketW, WSASend, WSARecv, WSAIoctl, WSADuplicateSocketW, socket, shutdown, setsockopt, listen, getsockopt, getsockname, getpeername, ioctlsocket, closesocket, bind, FreeAddrInfoW, GetAddrInfoW, WSAGetLastError, gethostname, htonl, htons
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	GetAdaptersAddresses
USERENV.dll	GetUserProfileDirectoryW
KERNEL32.dll	RaiseException, GetCommandLineA, GetCommandLineW, RtlPcToFileHeader, RtlUnwindEx, SetConsoleTitleA, GetStdHandle, SetConsoleMode, GetConsoleMode, SizeofResource, LockResource, LoadResource, FindResourceW, ExpandEnvironmentStringsA, MultiByteToWideChar, SetPriorityClass, GetCurrentProcess, SetThreadPriority, GetCurrentThread, GetProcAddress, GetModuleHandleW, CloseHandle, FreeConsole, GetConsoleWindow, VirtualProtect, VirtualFree, VirtualAlloc, GetLargePageMinimum, LocalAlloc, GetLastError, LocalFree, FlushInstructionCache, DeviceIoControl, GetModuleFileNameW, CreateFileW, GetCurrentThreadId, AddVectoredExceptionHandler, GetFileType, CreateFileA, DuplicateHandle, PostQueuedCompletionStatus, SetEvent, ResetEvent, WaitForSingleObject, CreateEventA, Sleep, QueueUserWorkItem, RegisterWaitForSingleObject, UnregisterWait, WideCharToMultiByte, GetNumberOfConsoleInputEvents, ReadConsoleInputW, ReadConsoleW, WriteConsoleW, FillConsoleOutputCharacterW, FillConsoleOutputAttribute, GetConsoleCursorInfo, SetConsoleCursorInfo, GetConsoleScreenBufferInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, WriteConsoleInputW, VerSetConditionMask, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetTempPathW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcessId, GlobalMemoryStatusEx, GetSystemInfo, GetSystemTimeAsFileTime, GetVersionExW, VerifyVersionInfoA, FileTimeToSystemTime, ExitThread, CreateDirectoryW, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, GetDiskFreeSpaceW, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFinalPathNameByHandleW, GetFullPathNameW, ReadFile, RemoveDirectoryW, SetFilePointerEx, SetFileTime, WriteFile, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, CreateFileMappingA, ReOpenFile, CopyFileW, MoveFileExW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, SetConsoleCtrlHandler, GetLongPathNameW, GetShortPathNameW, CreateIoCompletionPort, ReadDirectoryChangesW, RtlUnwind, CancelIo, SetFileCompletionNotificationModes, FreeLibrary, LoadLibraryExW, FormatMessageA, SetErrorMode, GetQueuedCompletionStatus, ConnectNamedPipe, PeekNamedPipe, CreateNamedPipeW, CancelIoEx, CancelSynchronousIo, DeleteCriticalSection, SwitchToThread, TerminateProcess, GetExitCodeProcess, UnregisterWaitEx, LCMapStringW, DebugBreak, TryEnterCriticalSection, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, ReleaseSemaphore, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetNativeSystemInfo, CreateSemaphoreA, GetModuleHandleA, LoadLibraryA, GetStartupInfoW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, LoadLibraryW, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, FreeLibraryAndExitThread, GetThreadTimes, GetNumaHighestNodeNumber, GetModuleHandleExW, SetStdHandle, GetFileAttributesExW, SetFileAttributesW, GetConsoleCP, ExitProcess, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, HeapReAlloc, HeapFree, HeapAlloc, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, HeapSize, SetEndOfFile, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetProcessHeap, SetHandleInformation, WaitForSingleObjectEx, GetExitCodeThread, EncodePointer, DecodePointer, GetCPInfo, InitializeCriticalSectionAndSpinCount, CreateEventW, GetTickCount, CompareStringW, GetLocaleInfoW, GetStringTypeW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, CreateThread, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer
USER32.dll	DispatchMessageA, TranslateMessage, MapVirtualKeyW, ShowWindow, GetSystemMetrics, GetMessageA
SHELL32.dll	SHGetSpecialFolderPathA
ADVAPI32.dll	SystemFunction036, GetUserNameW, CreateServiceW, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, QueryServiceConfigA, DeleteService, ControlService, StartServiceW, OpenServiceW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, LsaOpenPolicy, LsaAddAccountRights, LsaClose, GetTokenInformation

Version Infos

Description	Data
LegalCopyright	Copyright (C) Trustward
FileVersion	2.0.0
CompanyName	Trustward
ProductName	service
ProductVersion	2.0.0
FileDescription	warden
OriginalFilename	serviced.tdi
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• serviced.exe
• conhost.exe

Click to jump to process

Memory Usage

• serviced.exe
• conhost.exe

Click to jump to process

Behavior

• serviced.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: serviced.exe PID: 5720 Parent PID: 5628

Function Logs

General

Start time:	13:38:58
Start date:	06/05/2021
Path:	C:\Users\user\Desktop\serviced.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\serviced.exe'
Imagebase:	0x7ff6931f0000
File size:	2599936 bytes
MD5 hash:	BD6B3AF64183F135AA4B1B0C5F621C40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.232451855.00007FF6933B0000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.234457207.00007FF6933B0000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Written

Show Windows behavior

Section Activities

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 5448 Parent PID: 5720

Function Logs

General

Start time:	13:38:58
Start date:	06/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report serviced.tdi

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Bitcoin Miner:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: serviced.exe PID: 5720 Parent PID: 5628

General

File Activities

File Opened

File Created

File Written

File Attributes Queried