Create Interactive Tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Analysis ID:	780311
MD5:	fb3be4185b968faec0c3ab87fb4b35aa
SHA1:	1178b06bceea6a8ef6d0a7e16d0b0e8fc600f9ce
SHA256:	a0434fdcaec62f8af073f34c580a94cb58d21203f5edf2ccbbcc467b53570d87
Tags:	CoinMinerXMRigexe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Antivirus detection for dropped file

Snort IDS alert for network traffic

Writes to foreign memory regions

Found strings related to Crypto-Mining

Query firmware table information (likely to detect VMs)

Detected Stratum mining protocol

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

DNS related to crypt mining pools

Uses schtasks.exe or at.exe to add and modify task schedules

PE file contains section with special chars

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

Drops PE files

Uses cacls to modify the permissions of files

Detected TCP or UDP traffic on non-standard ports

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe (PID: 4620 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe MD5: FB3BE4185B968FAEC0C3AB87FB4B35AA)

schtasks.exe (PID: 1308 cmdline: "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 4180 cmdline: C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD) MD5: 2F768115A6D01814354518DE29EE7CFE)

conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 3376 cmdline: C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD) MD5: 2F768115A6D01814354518DE29EE7CFE)

conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5036 cmdline: C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD) MD5: 2F768115A6D01814354518DE29EE7CFE)

conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

IntelCacheUpdater.exe (PID: 2736 cmdline: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe MD5: E5D5641CC9E28BC2C2A5FB15FD39249F)

AppLaunch.exe (PID: 5728 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe MD5: 98A8F518B66BA43DF38821C364C3B791)

IntelCacheUpdater.exe (PID: 6096 cmdline: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe MD5: E5D5641CC9E28BC2C2A5FB15FD39249F)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.828300588.000001D7221FD000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.829305364.000001D722DB0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.828171244.000001D722167000.00000002.00000400.00020000.00000000.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1eb8:$sa1: stratum+tcp://
0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x90eb8:$sa1: stratum+tcp://
0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x129fc5:$s01: --cpu-priority= 0x12991d:$s05: --nicehash
0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x12ca08:$a1: mining.set_target 0x127630:$a2: XMRIG_HOSTNAME 0x129690:$a3: Usage: xmrig [OPTIONS] 0x127608:$a4: XMRIG_VERSION
0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x90eb8:$sa1: stratum+tcp://
00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x129fc5:$s01: --cpu-priority= 0x12991d:$s05: --nicehash
00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x12ca08:$a1: mining.set_target 0x127630:$a2: XMRIG_HOSTNAME 0x129690:$a3: Usage: xmrig [OPTIONS] 0x127608:$a4: XMRIG_VERSION
0000000F.00000002.828946727.000001D722D48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x90eb8:$sa1: stratum+tcp://
00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x129fc5:$s01: --cpu-priority= 0x12991d:$s05: --nicehash
00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x12ca08:$a1: mining.set_target 0x127630:$a2: XMRIG_HOSTNAME 0x129690:$a3: Usage: xmrig [OPTIONS] 0x127608:$a4: XMRIG_VERSION
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x78279:$sa1: stratum+tcp:// 0x782c1:$sa1: stratum+tcp://
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0xa3508:$s01: --cpu-priority= 0xa2f09:$s05: --nicehash
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xa59e9:$a1: mining.set_target 0xa1a36:$a2: XMRIG_HOSTNAME 0xa2cbb:$a3: Usage: xmrig [OPTIONS] 0xa1a17:$a4: XMRIG_VERSION
Process Memory Space: IntelCacheUpdater.exe PID: 2736	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x4fcbf:$sa1: stratum+tcp:// 0x4fd07:$sa1: stratum+tcp://
Process Memory Space: IntelCacheUpdater.exe PID: 2736	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x7af4e:$s01: --cpu-priority= 0x7a94f:$s05: --nicehash
Process Memory Space: IntelCacheUpdater.exe PID: 2736	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: IntelCacheUpdater.exe PID: 2736	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x7d42f:$a1: mining.set_target 0x7947c:$a2: XMRIG_HOSTNAME 0x7a701:$a3: Usage: xmrig [OPTIONS] 0x7945d:$a4: XMRIG_VERSION
Process Memory Space: AppLaunch.exe PID: 5728	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x4a368:$sa1: stratum+tcp:// 0x4a3b0:$sa1: stratum+tcp://
Process Memory Space: AppLaunch.exe PID: 5728	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: IntelCacheUpdater.exe PID: 6096	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x69880:$sa1: stratum+tcp:// 0x698c8:$sa1: stratum+tcp://
Process Memory Space: IntelCacheUpdater.exe PID: 6096	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth	0x94b0f:$s01: --cpu-priority= 0x94510:$s05: --nicehash
Process Memory Space: IntelCacheUpdater.exe PID: 6096	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: IntelCacheUpdater.exe PID: 6096	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x96ff0:$a1: mining.set_target 0x9303d:$a2: XMRIG_HOSTNAME 0x942c2:$a3: Usage: xmrig [OPTIONS] 0x9301e:$a4: XMRIG_VERSION
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4bb338:$s1: %s/%s (Windows NT %lu.%lu 0x4bc448:$s3: \\.\WinRing0_ 0x4b20e0:$s4: pool_wallet 0x4ad800:$s5: cryptonight 0x4ad810:$s5: cryptonight 0x4ad820:$s5: cryptonight 0x4ad830:$s5: cryptonight 0x4ad848:$s5: cryptonight 0x4ad858:$s5: cryptonight 0x4ad868:$s5: cryptonight 0x4ad880:$s5: cryptonight 0x4ad890:$s5: cryptonight 0x4ad8a8:$s5: cryptonight 0x4ad8c0:$s5: cryptonight 0x4ad8d0:$s5: cryptonight 0x4ad8e0:$s5: cryptonight 0x4ad8f0:$s5: cryptonight 0x4ad908:$s5: cryptonight 0x4ad920:$s5: cryptonight 0x4ad930:$s5: cryptonight 0x4ad940:$s5: cryptonight
14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4b3330:$a1: mining.set_target 0x4adf58:$a2: XMRIG_HOSTNAME 0x4affb8:$a3: Usage: xmrig [OPTIONS] 0x4adf30:$a4: XMRIG_VERSION
0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4bb338:$s1: %s/%s (Windows NT %lu.%lu 0x4bc448:$s3: \\.\WinRing0_ 0x4b20e0:$s4: pool_wallet 0x4ad800:$s5: cryptonight 0x4ad810:$s5: cryptonight 0x4ad820:$s5: cryptonight 0x4ad830:$s5: cryptonight 0x4ad848:$s5: cryptonight 0x4ad858:$s5: cryptonight 0x4ad868:$s5: cryptonight 0x4ad880:$s5: cryptonight 0x4ad890:$s5: cryptonight 0x4ad8a8:$s5: cryptonight 0x4ad8c0:$s5: cryptonight 0x4ad8d0:$s5: cryptonight 0x4ad8e0:$s5: cryptonight 0x4ad8f0:$s5: cryptonight 0x4ad908:$s5: cryptonight 0x4ad920:$s5: cryptonight 0x4ad930:$s5: cryptonight 0x4ad940:$s5: cryptonight
0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4b3330:$a1: mining.set_target 0x4adf58:$a2: XMRIG_HOSTNAME 0x4affb8:$a3: Usage: xmrig [OPTIONS] 0x4adf30:$a4: XMRIG_VERSION
16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x4bb338:$s1: %s/%s (Windows NT %lu.%lu 0x4bc448:$s3: \\.\WinRing0_ 0x4b20e0:$s4: pool_wallet 0x4ad800:$s5: cryptonight 0x4ad810:$s5: cryptonight 0x4ad820:$s5: cryptonight 0x4ad830:$s5: cryptonight 0x4ad848:$s5: cryptonight 0x4ad858:$s5: cryptonight 0x4ad868:$s5: cryptonight 0x4ad880:$s5: cryptonight 0x4ad890:$s5: cryptonight 0x4ad8a8:$s5: cryptonight 0x4ad8c0:$s5: cryptonight 0x4ad8d0:$s5: cryptonight 0x4ad8e0:$s5: cryptonight 0x4ad8f0:$s5: cryptonight 0x4ad908:$s5: cryptonight 0x4ad920:$s5: cryptonight 0x4ad930:$s5: cryptonight 0x4ad940:$s5: cryptonight
16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4b3330:$a1: mining.set_target 0x4adf58:$a2: XMRIG_HOSTNAME 0x4affb8:$a3: Usage: xmrig [OPTIONS] 0x4adf30:$a4: XMRIG_VERSION
Click to see the 4 entries

Snort Signatures

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) - Source IP: 192.168.2.4 - Destination IP: 51.15.54.102

Timestamp:	192.168.2.451.15.54.10249696144442831812 01/08/23-20:38:20.193810
SID:	2831812
Source Port:	49696
Destination Port:	14444
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	ReversingLabs: Detection: 43%
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Virustotal: Detection: 55%			Perma Link

Antivirus detection for dropped file

Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Avira: detection malicious, Label: TR/Crypt.OPACK.Gen

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.828300588.000001D7221FD000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.829305364.000001D722DB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.828946727.000001D722D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppLaunch.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: cryptonight/0
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: XMRig 6.18.1

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.4:49696 -> 51.15.54.102:14444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"46zprqb8ncwy2gxdc29wawbyafrjxkazpkcrwtnzufnhq7stzzcb6dauvdy6gzktmufhfrtvslpj7bglhthlzg1t7mztkaq","pass":"x","agent":"xmrig/6.18.1 (windows nt 10.0; win64; x64) libuv/1.44.1 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

DNS related to crypt mining pools

Source: unknown

DNS query: name: xmr-eu1.nanopool.org

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.4:49696 -> 51.15.54.102:14444

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View

IP Address: 51.15.54.102 51.15.54.102

Source: global traffic

TCP traffic: 192.168.2.4:49696 -> 51.15.54.102:14444

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown

DNS traffic detected: queries for: xmr-eu1.nanopool.org

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

PE file contains section with special chars

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: S(I))X)(
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: UERMA(FT
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: &#^JUAMN
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: BXPR#EHV
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: M)AVSKGU
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: DJ%Y)WXR
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: $DG*YHKG
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: JMMHMY
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: VWTNI(*)
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: YFSUA$*A
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: IWANMY)R
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: S(I))X)(
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: UERMA(FT
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: &#^JUAMN
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: BXPR#EHV
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: M)AVSKGU
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: DJ%Y)WXR
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: $DG*YHKG
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: JMMHMY
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: VWTNI(*)
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: YFSUA$*A
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: IWANMY)R

Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 14.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe.7ff757340000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 16.2.IntelCacheUpdater.exe.7ff6b8bc0000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000002.828171244.000001D722167000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe PID: 4620, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: IntelCacheUpdater.exe PID: 2736, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: AppLaunch.exe PID: 5728, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: IntelCacheUpdater.exe PID: 6096, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process Stats: CPU usage > 98%

Source: IntelCacheUpdater.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: Number of sections : 12 > 10

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	ReversingLabs: Detection: 43%
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Virustotal: Detection: 55%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Source: unknown	Process created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.evad.mine.winEXE@17/2@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Mutant created: \Sessions\1\BaseNamedObjects\LMKdPJPGHX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\LsGstlmPaf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1952:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static file information: File size 5866496 > 1048576

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: Raw size of YFSUA$*A is bigger than: 0x100000 < 0x596c00

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe

Code function: 15_2_0000006401B8DB98 pushfd ; iretd

15_2_0000006401B8DB99

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: S(I))X)(
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: UERMA(FT
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: &#^JUAMN
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: BXPR#EHV
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: M)AVSKGU
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: DJ%Y)WXR
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: $DG*YHKG
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: JMMHMY
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: VWTNI(*)
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: YFSUA$*A
Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Static PE information: section name: IWANMY)R
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: S(I))X)(
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: UERMA(FT
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: &#^JUAMN
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: BXPR#EHV
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: M)AVSKGU
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: DJ%Y)WXR
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: $DG*YHKG
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: JMMHMY
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: VWTNI(*)
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: YFSUA$*A
Source: IntelCacheUpdater.exe.0.dr	Static PE information: section name: IWANMY)R

Source: initial sample

Static PE information: section where entry point is pointing to: YFSUA$*A

Source: SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Static PE information: real checksum: 0x5a6967 should be: 0x59d958

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

File created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

File created: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe TID: 5772	Thread sleep count: 2561 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe TID: 5772	Thread sleep count: 141 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Dropped PE file which has not been started: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Window / User API: threadDelayed 2561			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Window / User API: foregroundWindowGot 1775			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe

Process information queried: ProcessInformation

Jump to behavior

Source: AppLaunch.exe, 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW =
Source: AppLaunch.exe, 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D721D50000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D721D51000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7220D8000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722245000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7224F6000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722516000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722517000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D72251A000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D72251C000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D72251D000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7226FC000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7226FD000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C94000	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C1281	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C3DE0	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C3DE8	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C3DF0	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C3DF8	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C3E08	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D7227C3E10	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722B97F6D	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722B9800C	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BACD24	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BACD95	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BB52C9	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BB5357	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BEACAB	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BEAD1E	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722BECC00	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C147A6	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C14830	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C267BD	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C2688D	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C2E091	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C2E11A	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C400AE	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C5301A	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C530AF	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C66582	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C6661E	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C73618	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C73630	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C73638	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C736C0	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C736D8	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C736E0	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C736E8	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D722C736F0	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 6401DA0010	Jump to behavior

Allocates memory in foreign processes

Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D721D50000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe base: 1D721D50000 value starts with: 4D5A

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Thread register set: target process: 5728

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	Process created: C:\Windows\System32\icacls.exe C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)	Jump to behavior
Source: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Jump to behavior

Source: AppLaunch.exe, 0000000F.00000002.826986346.00000064022FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: dProgram Manager
Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: AppLaunch.exe, 0000000F.00000002.826986346.00000064022FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: AppLaunch.exe, 0000000F.00000002.826986346.00000064022FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: perfmon.exe?Taskmgr.exeProgram Manager
Source: IntelCacheUpdater.exe, 00000010.00000002.827251631.000001F1D6CD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Services File Permissions Weakness	1 Scheduled Task/Job	412 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Services File Permissions Weakness	1 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Services File Permissions Weakness	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	44%	ReversingLabs	Win64.Trojan.Tasker
SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	56%	Virustotal		Browse
SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe	100%	Avira	TR/Crypt.OPACK.Gen

Source	Detection	Scanner	Label
https://xmrig.com/benchmark/%s	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xmr-eu1.nanopool.org	135.125.238.108	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/benchmark/%s	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/wizard	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/wizard%s	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, AppLaunch.exe, 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
https://xmrig.com/docs/algorithms	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe, 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, IntelCacheUpdater.exe, 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, IntelCacheUpdater.exe, 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.15.54.102	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	780311
Start date and time:	2023-01-08 20:35:13 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@17/2@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Execution Graph export aborted for target AppLaunch.exe, PID 5728 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:36:09	Task Scheduler	Run new task: IntelUpdaterTask path: C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
51.15.54.102	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	WinUpdate.bin.exe	Get hash	malicious	Browse
	mofcomp.exe	Get hash	malicious	Browse
	mtOre6QlR1.exe	Get hash	malicious	Browse
	GsszZ7R99d.exe	Get hash	malicious	Browse
	YbobbV8n9S.exe	Get hash	malicious	Browse
	q1loKHVGJ6.exe	Get hash	malicious	Browse
	UW5ylDoXLs.exe	Get hash	malicious	Browse
	2mdb3OG6FM.exe	Get hash	malicious	Browse
	dllhost.exe	Get hash	malicious	Browse
	wJtL8lkk83.exe	Get hash	malicious	Browse
	YbVuzaXA3o.exe	Get hash	malicious	Browse
	tSXyqrumfM.exe	Get hash	malicious	Browse
	LAcZLfYrj5.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
xmr-eu1.nanopool.org	file.exe	Get hash	malicious	Browse	51.15.54.102
	file.exe	Get hash	malicious	Browse	51.15.54.102
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.54.102
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.65.182
	file.exe	Get hash	malicious	Browse	51.15.54.102
	file.exe	Get hash	malicious	Browse	51.15.69.136
	file.exe	Get hash	malicious	Browse	135.125.238.108
	file.exe	Get hash	malicious	Browse	135.125.238.108
	file.exe	Get hash	malicious	Browse	51.255.34.118
	file.exe	Get hash	malicious	Browse	51.15.69.136
	file.exe	Get hash	malicious	Browse	135.125.238.108
	file.exe	Get hash	malicious	Browse	51.255.34.118
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.69.136
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.68.190.80
	file.exe	Get hash	malicious	Browse	51.15.58.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OnlineSASFR	file.exe	Get hash	malicious	Browse	151.115.10.1
	file.exe	Get hash	malicious	Browse	51.15.65.182
	ZBdhdOCSw8.elf	Get hash	malicious	Browse	151.115.48.192
	file.exe	Get hash	malicious	Browse	51.15.65.182
	rM8kh7uPK0.elf	Get hash	malicious	Browse	51.15.103.82
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.69.136
	DvuGZ73eK1.exe	Get hash	malicious	Browse	163.172.208.8
	file.exe	Get hash	malicious	Browse	51.15.58.224
	https://cammeteo.ru/fr/chto-za-fail-download-kak-otkryt-lyuboi-fail-chem-otkryt-pdf-fail-na/	Get hash	malicious	Browse	62.210.26.219
	GFHSHDFSDFUOHSDFIOHJSDFOIHJ.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.69.136
	file.exe	Get hash	malicious	Browse	51.15.65.182
	file.exe	Get hash	malicious	Browse	51.15.65.182
	PixelSee_id72271id.exe	Get hash	malicious	Browse	51.158.164.188
	file.exe	Get hash	malicious	Browse	51.15.58.224
	file.exe	Get hash	malicious	Browse	151.115.10.1
	file.exe	Get hash	malicious	Browse	151.115.10.1
	file.exe	Get hash	malicious	Browse	51.15.78.68
	file.exe	Get hash	malicious	Browse	51.15.65.182

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1156876496
Entropy (8bit):	0.8937142925128981
Encrypted:	false
SSDEEP:
MD5:	E1DC50830CEA9CD7B7D76E372CF12945
SHA1:	E8997605F20A0692C9A54138DC6351D29AB3B516
SHA-256:	A69DD7DB2B4E233A9CD53923D8E6CA860012B0C805D17BC5D51FE7870A10F116
SHA-512:	4D55D47B79BE215B5758A4CBE0D909F5CAD1867397142978426B1273176A82558762FFA7F0349D839EEE1D1DEFE20655E3A78F6533195E3C1F7339849D39102D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......G.-f..C5..C5..C5.@4..C5.F4..C5e..5..C5Q.G4..C5Q.@4..C5Q.F4].C5.G4..C5..G4..C5..B5..C5.B4..C5.G4P.C5..J4..C5..@4..C5...5..C5...5..C5..A4..C5Rich..C5........PE..d....%.c.........."......d8...D......9.........@.............................P......giZ...`.................................................................;...............@.......;.......................=..(....5..8............................................text...(c8......................... ..`S(I))X)(......8.....................@..@UERMA(FT..+..PO.....................@...&#^JUAMN.....`z.....................@..@BXPR#EHVV....`\|.....................@..`M)AVSKGU.&...p\|.....................@..`DJ%Y)WXR......\|.....................@..`$DGYHKG......\|.....................@..@JMMHMY<.....\|..................... ..`VWTNI()h...........................@...YFSUA$*A.jY.....lY.................`..hIWANMY)R

C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.889927219388042
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
File size:	5866496
MD5:	fb3be4185b968faec0c3ab87fb4b35aa
SHA1:	1178b06bceea6a8ef6d0a7e16d0b0e8fc600f9ce
SHA256:	a0434fdcaec62f8af073f34c580a94cb58d21203f5edf2ccbbcc467b53570d87
SHA512:	bd52fe456a64f33138aef978a2dce5226bda37c7443374d094cc8af820e985b37663c0242a701fb91e7bba963936f0d7f679ad16a2a01b422209d79b327a4b7d
SSDEEP:	98304:DzcoXAO0U/5C+AhzryokB1KAQk3JLdaeHz2z/mqwuQQl4hiSKLJgtl4EPMuIF03H:DAo/0Uxe91w155B7HURwLS43njM50M
TLSH:	FF46227D229C339CC01EC9B85027FD4AB2B2161E86F999ED71CAFAC07FEB4159541B06
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......G.-f..C5..C5..C5..@4..C5..F4..C5e..5..C5Q.G4..C5Q.@4..C5Q.F4].C5..G4..C5..G4..C5..B5..C5..B4..C5..G4P.C5..J4..C5..@4..C5...5..C

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140a93917
Entrypoint Section:	YFSUA$*A
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63B72582 [Thu Jan 5 19:31:14 2023 UTC]
TLS Callbacks:	0x40a67abf, 0x1, 0x4034bf9c, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e348149d1683ef4048816a2bc0991e05

Entrypoint Preview

Instruction
inc ecx
push edx
pushfd
dec ecx
mov edx, 7745210Ch
cli
dec ebx
jbe 00007F2864F2AD4Eh
dec ecx
not edx
dec ecx
test edx, 37196CA5h
inc ecx
not edx
dec esi
mov edx, dword ptr [esp+edx-77452104h]
dec eax
mov dword ptr [esp+08h], E223B617h
push dword ptr [esp+00h]
popfd
dec eax
lea esp, dword ptr [esp+08h]
call 00007F286537C51Ch
jnc 00007F2864F2AD7Dh
mov esi, 7AB078C9h
scasd
aaa
cmc
mov ch, 2Ch
inc ecx
js 00007F2864F2AD6Bh
push esp
cmpsb
leave
lahf
nop
mov esi, 5CC107C9h
loopne 00007F2864F2ACCBh
push cs
mov eax, B7358B2Fh
iretd
jecxz 00007F2864F2AD48h
nop
inc edi
push eax
enter 3FF5h, 22h
out C9h, al
mov al, 99h
mov byte ptr [152AC9B7h], al
jnbe 00007F2864F2AC93h
xor eax, 5565DC34h
enter C975h, 33h
mov ebx, 4B747CC9h
pop esp
wait
lodsb
sub dword ptr [esi+esi-3Bh], eax
add eax, 4C361A43h
in al, 30h
jno 00007F2864F2ACCCh
mov ebx, C9BCFCD3h
xchg byte ptr [eax+ebx*2-56h], bl
aaa
lds esp, fword ptr [edi]
xchg esi, edi
and al, 03h
and eax, 1F26F337h
push es
jl 00007F2864F2ACF4h
push FFFFFF91h
imul ebp, esp, AE6BEEC9h
xchg dword ptr [edi], esi
dec esi
adc ebx, edi
inc ecx
add dword ptr [eax], eax
add byte ptr [edi-5CDB0E33h], bh
add al, A8h
rcr al, 00000018h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6d7c0	0xf0	YFSUA$*A
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xf23bc0	0x1fecc	YFSUA$*A
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf44000	0xc8	IWANMY)R
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf23ba0	0x1c	YFSUA$*A
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa73de0	0x28	YFSUA$*A
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xf235c0	0x138	YFSUA$*A
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9ac000	0xe0	VWTNI(*)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x386328	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
S(I))X)(	0x388000	0x16c8b8	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
UERMA(FT	0x4f5000	0x2b00b8	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
&#^JUAMN	0x7a6000	0x1fab8	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
BXPR#EHV	0x7c6000	0xc56	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
M)AVSKGU	0x7c7000	0x26d1	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DJ%Y)WXR	0x7ca000	0x1184	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
$DG*YHKG	0x7cc000	0xf4	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
JMMHMY	0x7cd000	0x1de33c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
VWTNI(*)	0x9ac000	0xe68	0x1000	False	0.029541015625	data	0.16020090306466317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
YFSUA$*A	0x9ad000	0x596a8c	0x596c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
IWANMY)R	0xf44000	0xc8	0x200	False	0.333984375	data	1.9514876730930713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WS2_32.dll	recv
IPHLPAPI.DLL	GetAdaptersAddresses
USERENV.dll	GetUserProfileDirectoryW
CRYPT32.dll	CertFindCertificateInStore
KERNEL32.dll	GetVersionExA
USER32.dll	IsWindowVisible
SHELL32.dll	SHGetSpecialFolderPathA
ole32.dll	CoInitializeEx
ADVAPI32.dll	SystemFunction036
bcrypt.dll	BCryptGenRandom
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.451.15.54.10249696144442831812 01/08/23-20:38:20.193810	TCP	2831812	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)	49696	14444	192.168.2.4	51.15.54.102

Network Port Distribution

Total Packets: 8
• 14444 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 20:38:20.147716045 CET	49696	14444	192.168.2.4	51.15.54.102
Jan 8, 2023 20:38:20.189132929 CET	14444	49696	51.15.54.102	192.168.2.4
Jan 8, 2023 20:38:20.189287901 CET	49696	14444	192.168.2.4	51.15.54.102
Jan 8, 2023 20:38:20.193809986 CET	49696	14444	192.168.2.4	51.15.54.102
Jan 8, 2023 20:38:20.231337070 CET	14444	49696	51.15.54.102	192.168.2.4
Jan 8, 2023 20:38:20.244035006 CET	14444	49696	51.15.54.102	192.168.2.4
Jan 8, 2023 20:38:20.378648043 CET	49696	14444	192.168.2.4	51.15.54.102
Jan 8, 2023 20:38:39.675834894 CET	14444	49696	51.15.54.102	192.168.2.4
Jan 8, 2023 20:38:39.770972013 CET	49696	14444	192.168.2.4	51.15.54.102
Jan 8, 2023 20:39:36.903692007 CET	14444	49696	51.15.54.102	192.168.2.4
Jan 8, 2023 20:39:36.947606087 CET	49696	14444	192.168.2.4	51.15.54.102
Jan 8, 2023 20:40:28.229438066 CET	14444	49696	51.15.54.102	192.168.2.4
Jan 8, 2023 20:40:28.280016899 CET	49696	14444	192.168.2.4	51.15.54.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 20:38:20.083599091 CET	50911	53	192.168.2.4	8.8.8.8
Jan 8, 2023 20:38:20.103724003 CET	53	50911	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2023 20:38:20.083599091 CET	192.168.2.4	8.8.8.8	0xaad8	Standard query (0)	xmr-eu1.nanopool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2023 20:38:20.103724003 CET	8.8.8.8	192.168.2.4	0xaad8	No error (0)	xmr-eu1.nanopool.org	135.125.238.108	A (IP address)	IN (0x0001)	false
Jan 8, 2023 20:38:20.103724003 CET	8.8.8.8	192.168.2.4	0xaad8	No error (0)	xmr-eu1.nanopool.org	51.68.190.80	A (IP address)	IN (0x0001)	false
Jan 8, 2023 20:38:20.103724003 CET	8.8.8.8	192.168.2.4	0xaad8	No error (0)	xmr-eu1.nanopool.org	51.15.69.136	A (IP address)	IN (0x0001)	false
Jan 8, 2023 20:38:20.103724003 CET	8.8.8.8	192.168.2.4	0xaad8	No error (0)	xmr-eu1.nanopool.org	51.15.65.182	A (IP address)	IN (0x0001)	false
Jan 8, 2023 20:38:20.103724003 CET	8.8.8.8	192.168.2.4	0xaad8	No error (0)	xmr-eu1.nanopool.org	51.15.78.68	A (IP address)	IN (0x0001)	false
Jan 8, 2023 20:38:20.103724003 CET	8.8.8.8	192.168.2.4	0xaad8	No error (0)	xmr-eu1.nanopool.org	51.15.54.102	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
• schtasks.exe
• conhost.exe
• icacls.exe
• conhost.exe
• icacls.exe
• conhost.exe
• icacls.exe
• conhost.exe
• IntelCacheUpdater.exe
• AppLaunch.exe
• IntelCacheUpdater.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
• schtasks.exe
• conhost.exe
• icacls.exe
• conhost.exe
• icacls.exe
• conhost.exe
• icacls.exe
• conhost.exe
• IntelCacheUpdater.exe
• AppLaunch.exe
• IntelCacheUpdater.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
• schtasks.exe
• conhost.exe
• icacls.exe
• conhost.exe
• icacls.exe
• conhost.exe
• icacls.exe
• conhost.exe
• IntelCacheUpdater.exe
• AppLaunch.exe
• IntelCacheUpdater.exe

Click to jump to process

Target ID:	0
Start time:	20:36:04
Start date:	08/01/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe
Imagebase:	0x7ff757340000
File size:	5866496 bytes
MD5 hash:	FB3BE4185B968FAEC0C3AB87FB4B35AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000002.535988766.00007FF7576C8000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	20:36:07
Start date:	08/01/2023
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE
Imagebase:	0x7ff67b4d0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	20:36:07
Start date:	08/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	20:36:07
Start date:	08/01/2023
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)
Imagebase:	0x7ff784b20000
File size:	36864 bytes
MD5 hash:	2F768115A6D01814354518DE29EE7CFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	4
Start time:	20:36:08
Start date:	08/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	20:36:08
Start date:	08/01/2023
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)
Imagebase:	0x7ff784b20000
File size:	36864 bytes
MD5 hash:	2F768115A6D01814354518DE29EE7CFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	6
Start time:	20:36:08
Start date:	08/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	20:36:08
Start date:	08/01/2023
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\icacls.exe" "C:\ProgramData\lnteIIxculler" /inheritance:e /deny "admin:(R,REA,RA,RD)
Imagebase:	0x7ff784b20000
File size:	36864 bytes
MD5 hash:	2F768115A6D01814354518DE29EE7CFE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	8
Start time:	20:36:08
Start date:	08/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	20:38:10
Start date:	08/01/2023
Path:	C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Imagebase:	0x7ff6b8bc0000
File size:	1156876496 bytes
MD5 hash:	E5D5641CC9E28BC2C2A5FB15FD39249F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000E.00000002.657395294.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	20:38:17
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Imagebase:	0x7ff7296c0000
File size:	119904 bytes
MD5 hash:	98A8F518B66BA43DF38821C364C3B791
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.828300588.000001D7221FD000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.829305364.000001D722DB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000F.00000002.828171244.000001D722167000.00000002.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.828320650.000001D722203000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.829085456.000001D722D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.828946727.000001D722D48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	16
Start time:	20:40:09
Start date:	08/01/2023
Path:	C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Wow64 process (32bit):
Commandline:	C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe
Imagebase:
File size:	1156876496 bytes
MD5 hash:	E5D5641CC9E28BC2C2A5FB15FD39249F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000010.00000002.828814716.00007FF6B8F48000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe

C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.64801627.25141.6429.exe