Analysis Report
h2qWqtD73F.exe
Overview
General Information
Sample name: | h2qWqtD73F.exe (renamed because the original name is a hash value) |
Original sample name: | d0c2dd0e059c5011ed2eee4c65122177.exe |
Analysis ID: | 1528505 |
MD5: | d0c2dd0e059c5011ed2eee4c65122177 |
SHA1: | a992a12930f59a9bff9a49337c004fef02a9fa4e |
SHA256: | 9db1d611bba928f40d86374641783083cda4f613236f3ec21ce62bcdeee9a6e6 |
Tags: | 64, exe, trojan |
Detection
Xmrig
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- h2qWqtD73F.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\h2qWqtD73F.exe" MD5: D0C2DD0E059C5011ED2EEE4C65122177)
- dialer.exe (PID: 8108 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
- winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
- lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
- svchost.exe (PID: 2508 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 916 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- dwm.exe (PID: 980 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
- svchost.exe (PID: 352 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 476 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 652 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1060 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- updater.exe (PID: 7012 cmdline: C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe MD5: D0C2DD0E059C5011ED2EEE4C65122177)
- dialer.exe (PID: 7816 cmdline: C:\Windows\System32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
- svchost.exe (PID: 1332 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1364 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1404 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1452 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1504 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1624 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1668 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1836 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1864 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1972 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1980 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1992 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 2044 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- spoolsv.exe (PID: 2136 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
- svchost.exe (PID: 2220 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1120 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1132 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1192 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1288 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 7880 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8124 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5320 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2744 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#polrad#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
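The four PowerShell processes in the tree above are the sample's defense-evasion and persistence steps: two runs of Add-MpPreference that exclude the whole user profile and Program Files from Defender scanning, and two runs that register a logon-triggered task named like Google's updater which launches updater.exe (same MD5 as the submitted sample) from AppData\Roaming at the highest run level, with a schtasks fallback for pre-Windows 8 hosts. The following is an added example, not part of this report or of any vendor tooling, showing detection logic a practitioner could run over process-creation command lines (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing) to flag both behaviours. The sample records are abridged from the command lines in this report and labelled as constructed; the broad-exclusion set, the mimicked-vendor task-name fragments and the severities are this example's own assumptions.

```python
"""Flag Defender-exclusion and elevated-logon-task creation in process command lines.

Added example, not from the report or any vendor tool. The sample records are abridged
from this report's command lines; BROAD_EXCLUSIONS, MIMICKED_VENDOR_TASKS and the
severities are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    image: str
    detail: str


# Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension <args>; args end at the next -Switch
EXCLUSION_ARGS = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(.+?)(?=\s+-\w|$)",
    re.IGNORECASE | re.DOTALL,
)
# schtasks /rl highest  or  Register-ScheduledTask -RunLevel Highest
RUN_HIGHEST = re.compile(r"/rl\s+highest|-RunLevel\s+['\"]?Highest", re.IGNORECASE)
# target binary of schtasks /tr ... or New-ScheduledTaskAction -Execute ... (handles the ''' quoting seen above)
TASK_TARGET = re.compile(r"(?:/tr|-Execute)\s+['\"]*([A-Za-z]:\\[^'\"]*?\.exe)", re.IGNORECASE)
TASK_NAME = re.compile(r"(?:/tn|-TaskName)\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Public|Downloads)\\", re.IGNORECASE)
# a block comment as the first token after powershell.exe, as in "<#polrad#>" in this report
LEADING_BLOCK_COMMENT = re.compile(r"powershell(?:\.exe)?\s+<#.*?#>", re.IGNORECASE)

# Exclusions that switch Defender off for a whole tree rather than one tool (assumption).
BROAD_EXCLUSIONS = {
    "$env:userprofile", "$env:programfiles", "$env:systemdrive", "$env:windir",
    "%userprofile%", "%programfiles%", "c:", "c:\\users", "c:\\programdata", "c:\\windows",
}
# Task-name fragments commonly borrowed from real vendor updaters (assumption).
MIMICKED_VENDOR_TASKS = ("googleupdate", "microsoftedgeupdate", "onedrive", "adobe")


def _norm(token: str) -> str:
    """Strip PowerShell array/quote decoration and a trailing backslash, lower-case."""
    return token.strip().strip("@()'\"").rstrip("\\").lower()


def analyze_cmdline(image: str, cmdline: str) -> list[Finding]:
    findings: list[Finding] = []

    m = EXCLUSION_ARGS.search(cmdline)
    if m:
        items = [_norm(t) for t in m.group(1).split(",")]
        broad = [t for t in items if t in BROAD_EXCLUSIONS]
        findings.append(Finding("defender_exclusion_added", "high" if broad else "medium",
                                image, f"exclusions={items}; broad={broad}"))

    if RUN_HIGHEST.search(cmdline):
        names = sorted(set(TASK_NAME.findall(cmdline)))
        mimic = [n for n in names if any(v in n.lower() for v in MIMICKED_VENDOR_TASKS)]
        for target in sorted(set(TASK_TARGET.findall(cmdline))):
            reasons = []
            if USER_WRITABLE.search(target):
                reasons.append("binary in user-writable directory")
            if mimic:
                reasons.append(f"task name mimics vendor updater {mimic}")
            if reasons:  # an elevated task alone is common; the combination is what we flag
                findings.append(Finding("elevated_logon_task", "high", image,
                                        f"target={target}; names={names}; " + "; ".join(reasons)))

    if LEADING_BLOCK_COMMENT.search(cmdline):
        findings.append(Finding("powershell_leading_block_comment", "low", image,
                                "command starts with a <# #> comment token, rare in legitimate admin use"))
    return findings


def scan(records: list[tuple[str, str]]) -> list[Finding]:
    """Run analyze_cmdline over (image, command line) pairs and concatenate the findings."""
    out: list[Finding] = []
    for image, cmdline in records:
        out.extend(analyze_cmdline(image, cmdline))
    return out


# Constructed sample input: two command lines abridged from this report plus a benign control.
SAMPLE_CMDLINES = [
    ("powershell.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
     "Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ("powershell.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe <#polrad#> "
     "IF([System.Environment]::OSVersion.Version -lt [System.Version]\"6.2\") "
     "{ schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' "
     "/tr '''C:\\Users\\user\\AppData\\Roaming\\Google\\Chrome\\updater.exe''' } "
     "Else { Register-ScheduledTask -Action (New-ScheduledTaskAction "
     "-Execute 'C:\\Users\\user\\AppData\\Roaming\\Google\\Chrome\\updater.exe') "
     "-Trigger (New-ScheduledTaskTrigger -AtLogOn) -TaskName 'GoogleUpdateTaskMachineQC' "
     "-RunLevel 'Highest' -Force; }"),
    ("svchost.exe", "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.rule} ({f.image}): {f.detail}")
```

On a live host the same two artefacts can be confirmed directly: `Get-MpPreference | Select-Object ExclusionPath` lists the exclusions, and Defender writes Event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever its configuration changes; `Get-ScheduledTask | Where-Object TaskName -like '*GoogleUpdate*' | Select-Object TaskName, @{n='Exec';e={$_.Actions.Execute}}` shows the task target, and task registration is logged as Security Event ID 4698 (with object auditing enabled) and Event ID 106 in Microsoft-Windows-TaskScheduler/Operational. A real GoogleUpdateTaskMachine task executes GoogleUpdate.exe under Program Files, not a file in the user's roaming profile.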
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | | |
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | | |
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | | |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | | |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | | |
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown | | |
MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | | |
MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen | | |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | | |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |