Miner Backdoor PUA
XMRig C2/Generic-A Mal/Generic-S XMRig.EMB
Created on 2024-08-01T15:29:11+00:00
service.exe
Remarks (1/1)
(0x0200000E): The overall sleep time of all monitored processes was truncated from "6 minutes, 25 seconds" to "771.0 milliseconds" to reveal dormant functionality.
Remarks
(0x0200005D): 1225 additional dumps with the reason "Content Changed" and a total of 8879 MB were skipped because the respective maximum limit was reached.
(0x0200004A): 2 dump(s) were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 2080 MB.
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
File Name | Category | Type | Verdict | Actions |
---|
C:\Users\kEecfMwgj\Desktop\service.exe | Sample File | Binary |
Malicious
|
...
|
Verdict |
Malicious
|
Names | Mal/Generic-S |
Image Base | 0x140000000 |
Entry Point | 0x14073EBB0 |
Size Of Code | 0x0018E000 |
Size Of Initialized Data | 0x00001000 |
Size Of Uninitialized Data | 0x005B1000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_AMD64 |
Compile Timestamp | 2024-07-26 17:53 (UTC+2) |
CompanyName | - |
FileDescription | Services and Controller app |
FileVersion | 10.0.17134.1 (WinBuild.160101.0800) |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | service.exe |
ProductName | Services and Controller app |
ProductVersion | 10.0.17134.1 (WinBuild.160101.0800) |
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
UPX0 | 0x140001000 | 0x005B1000 | 0x00000000 | 0x00000200 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
UPX1 | 0x1405B2000 | 0x0018E000 | 0x0018DA00 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 8.0 |
.rsrc | 0x140740000 | 0x00001000 | 0x00000A00 | 0x0018DC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.78 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
LsaClose | - | 0x140740628 | 0x00740628 | 0x0018E228 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
BCryptGenRandom | - | 0x140740638 | 0x00740638 | 0x0018E238 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CertOpenStore | - | 0x140740648 | 0x00740648 | 0x0018E248 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetAdaptersAddresses | - | 0x140740658 | 0x00740658 | 0x0018E258 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
LoadLibraryA | - | 0x140740668 | 0x00740668 | 0x0018E268 | 0x00000000 |
ExitProcess | - | 0x140740670 | 0x00740670 | 0x0018E270 | 0x00000000 |
GetProcAddress | - | 0x140740678 | 0x00740678 | 0x0018E278 | 0x00000000 |
VirtualProtect | - | 0x140740680 | 0x00740680 | 0x0018E280 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoInitializeEx | - | 0x140740690 | 0x00740690 | 0x0018E290 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetProcessMemoryInfo | - | 0x1407406A0 | 0x007406A0 | 0x0018E2A0 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShowWindow | - | 0x1407406B0 | 0x007406B0 | 0x0018E2B0 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetUserProfileDirectoryW | - | 0x1407406C0 | 0x007406C0 | 0x0018E2C0 | 0x00000000 |
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ioctlsocket | 0x0000000A | 0x1407406D0 | 0x007406D0 | 0x0018E2D0 | - |
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | First Execution |
![]() |
64-bit | 0x13FE3F769 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA11D3C |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA14970 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA14979 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA40900 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA31D28 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA1D7E0 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA20E5C |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13F7039F0 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA3FB9C |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13F736E50 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Content Changed |
![]() |
64-bit | 0x13FA13AA0 |
![]() |
...
|
buffer | 1 | 0x0025B000 | 0x0025FFFF | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x000D0000 | 0x000EFFFF | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00418E00 | 0x004191C7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004191D0 | 0x0041A3CF | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041B3E0 | 0x0041B607 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041B610 | 0x0041B68F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041C3C0 | 0x0041C517 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041C560 | 0x0041C75F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041C810 | 0x0041C937 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041C940 | 0x0041CA0D | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041CB00 | 0x0041DAFF | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x0041EB10 | 0x0041ED0F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004219B0 | 0x00421B67 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00421B70 | 0x00421D27 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00421D30 | 0x00421EE7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00421EF0 | 0x004220A7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004220B0 | 0x00422267 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00422270 | 0x00422427 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00422430 | 0x004225E7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004239F0 | 0x00423BA7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00423BB0 | 0x00423D67 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00423D70 | 0x00423F27 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00423F30 | 0x004240E7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004240F0 | 0x004242A7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004242B0 | 0x00424467 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00424470 | 0x00424627 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00424630 | 0x004247E7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004247F0 | 0x004249A7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427020 | 0x00427117 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427120 | 0x0042719F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427270 | 0x004272F5 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427300 | 0x0042737F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427390 | 0x0042740F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427420 | 0x0042749F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004274D0 | 0x004275C7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004275D0 | 0x004276C7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004276D0 | 0x004277C7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004277D0 | 0x004278C7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004278D0 | 0x004279C7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x004279D0 | 0x00427AC7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427DD0 | 0x00427EC7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00427ED0 | 0x00427F4F | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
buffer | 1 | 0x00432470 | 0x004364D7 | First Network Behavior |
![]() |
64-bit | - |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | First Network Behavior |
![]() |
64-bit | 0x13F9E1BA0 |
![]() |
...
|
buffer | 1 | 0x003A0000 | 0x003DFFFF | First Execution |
![]() |
64-bit | 0x003A0000 |
![]() |
...
|
service.exe | 1 | 0x13F700000 | 0x13FE40FFF | Final Dump |
![]() |
64-bit | 0x13F907F80 |
![]() |
...
|