Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1458484
MD5:b99383ade7723a2376ac12d1ff516aa6
SHA1:5298425d67725856a9bd85104b5b585b306f2b53
SHA256:13a78b0cac6ce349e4dbfeb770d7c77d598b0ed1c688e7cf915d2f931cd58bf7
Tags:exe
Infos:

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Detected Stratum mining protocol
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4340 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B99383ADE7723A2376AC12D1FF516AA6)
    • conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • notepad.exe (PID: 1280 cmdline: notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)
    • powershell.exe (PID: 3196 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6528 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 6272 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 2760 cmdline: C:\Windows\system32\sc.exe delete "MXOLIHZI" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4996 cmdline: C:\Windows\system32\sc.exe create "MXOLIHZI" binpath= "C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3768 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2580 cmdline: C:\Windows\system32\sc.exe start "MXOLIHZI" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nlkuzmdacjrb.exe (PID: 5608 cmdline: C:\ProgramData\xtthvazemyzh\nlkuzmdacjrb.exe MD5: B99383ADE7723A2376AC12D1FF516AA6)
    • notepad.exe (PID: 1208 cmdline: notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)
    • powershell.exe (PID: 4904 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6804 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 3260 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 2120 cmdline: conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
xmrigAccording to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
    SourceRuleDescriptionAuthorStrings
    00000012.00000002.2251660159.00000122A4359000.00000004.00000001.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x28e7d1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    00000000.00000002.2226259589.000001BB80000000.00000020.00000001.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x28e791:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    00000000.00000002.2226502800.000001BB802AB000.00000004.00000001.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x28e7d1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    00000012.00000002.2251423159.00000122A40B0000.00000020.00000001.00020000.00000000.sdmpWindows_Trojan_Donutloader_f40e3759unknownunknown
    • 0x28e791:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
    0000001A.00000002.3409824385.0000000140001000.00000040.00000001.00020000.00000000.sdmpJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
      Click to see the 3 entries
      SourceRuleDescriptionAuthorStrings
      26.2.conhost.exe.140000000.0.unpackJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security
        26.2.conhost.exe.140000000.0.unpackMacOS_Cryptominer_Xmrig_241780a1unknownunknown
        • 0x37ef98:$a1: mining.set_target
        • 0x371220:$a2: XMRIG_HOSTNAME
        • 0x373b48:$a3: Usage: xmrig [OPTIONS]
        • 0x3711f8:$a4: XMRIG_VERSION
        26.2.conhost.exe.140000000.0.unpackMAL_XMR_Miner_May19_1Detects Monero Crypto Coin MinerFlorian Roth
        • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
        26.2.conhost.exe.140000000.0.unpackMALWARE_Win_CoinMiner02Detects coinmining malwareditekSHen
        • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
        • 0x3cd180:$s3: \\.\WinRing0_
        • 0x376148:$s4: pool_wallet
        • 0x3705f0:$s5: cryptonight
        • 0x370600:$s5: cryptonight
        • 0x370610:$s5: cryptonight
        • 0x370620:$s5: cryptonight
        • 0x370638:$s5: cryptonight
        • 0x370648:$s5: cryptonight
        • 0x370658:$s5: cryptonight
        • 0x370670:$s5: cryptonight
        • 0x370680:$s5: cryptonight
        • 0x370698:$s5: cryptonight
        • 0x3706b0:$s5: cryptonight
        • 0x3706c0:$s5: cryptonight
        • 0x3706d0:$s5: cryptonight
        • 0x3706e0:$s5: cryptonight
        • 0x3706f8:$s5: cryptonight
        • 0x370710:$s5: cryptonight
        • 0x370720:$s5: cryptonight
        • 0x370730:$s5: cryptonight

        System Summary

        barindex
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4340, ParentProcessNa<