Report - sys.exe

Tags: XMRig Miner, Generic Malware, UPX, Malicious Library, Malicious Packer, OS Processor Check, PE64, PE File
Created: 2023.07.31 11:06
Machine: s1_win7_x6401
Filename: sys.exe
Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
AI Score: Not found
Behavior Score: 1.8
VT API (file): 48 detected (Common, Convagent, GenericKD, Coinminer, unsafe, Tool, BitCoinMiner, Miner, Miners, malicious, ABRisk, LESC, Attribute, HighConfidence, high confidence, score, CoinminerX, Risktool, Bitminer, R002C0DGQ23, Static AI, Suspicious PE, Xmrig, DisguisedXMRigMiner, Detected, ai score=88, HackTool, XMRMiner, CLASSIC, BlUpQyX6a8Y, susgen, grayware, confidence)
md5: e08b723ca187ecfef73c1b7b5f0ecfc8
sha256: 15c357922747ce8768f5567a74ea2ba8f6d1755b220d1007e89b913d940a86cc
ssdeep: 98304:xLsUYfB9pOp/BWLbrkShfa+XQD/YPLTDtU5SXXMQHJw7ZB87TtIeUK+MzfL7cybS:Cgp/NQ7rfWOlb1paSbkJFsxfKLNIS
imphash: 16bb67d62ee484974f9392fc52c45722
impfuzzy: 192:5mShLrx+GW5W6ScwT9Si9pHJpcjSFW4Q8VhdUjgLnH6:bz+GuucK9SiHdlfdUjgLna

Signatures (3)

Level Description
danger File has been identified by 48 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
info Queries for the computername

Rules (8)

Level Name Description Collection
danger XMRig_Miner_IN XMRig Miner binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (0): no requests recorded (Request / CC / ASN / Co / IP4 / Rule table is empty)

Suricata IDS


IAT (Import Address Table), by library

ADVAPI32.dll
 0x140aee01c AdjustTokenPrivileges
 0x140aee024 AllocateAndInitializeSid
 0x140aee02c CloseServiceHandle
 0x140aee034 ControlService
 0x140aee03c CreateServiceW
 0x140aee044 CryptAcquireContextW
 0x140aee04c CryptCreateHash
 0x140aee054 CryptDecrypt
 0x140aee05c CryptDestroyHash
 0x140aee064 CryptDestroyKey
 0x140aee06c CryptEnumProvidersW
 0x140aee074 CryptExportKey
 0x140aee07c CryptGenRandom
 0x140aee084 CryptGetProvParam
 0x140aee08c CryptGetUserKey
 0x140aee094 CryptReleaseContext
 0x140aee09c CryptSetHashParam
 0x140aee0a4 CryptSignHashW
 0x140aee0ac DeleteService
 0x140aee0b4 DeregisterEventSource
 0x140aee0bc FreeSid
 0x140aee0c4 GetSecurityInfo
 0x140aee0cc GetTokenInformation
 0x140aee0d4 GetUserNameW
 0x140aee0dc LookupPrivilegeValueW
 0x140aee0e4 LsaAddAccountRights
 0x140aee0ec LsaClose
 0x140aee0f4 LsaOpenPolicy
 0x140aee0fc OpenProcessToken
 0x140aee104 OpenSCManagerW
 0x140aee10c OpenServiceW
 0x140aee114 QueryServiceConfigA
 0x140aee11c QueryServiceStatus
 0x140aee124 RegCloseKey
 0x140aee12c RegGetValueW
 0x140aee134 RegOpenKeyExW
 0x140aee13c RegQueryValueExW
 0x140aee144 RegisterEventSourceW
 0x140aee14c ReportEventW
 0x140aee154 SetEntriesInAclA
 0x140aee15c SetSecurityInfo
 0x140aee164 StartServiceW
 0x140aee16c SystemFunction036
CRYPT32.dll
 0x140aee17c CertCloseStore
 0x140aee184 CertDuplicateCertificateContext
 0x140aee18c CertEnumCertificatesInStore
 0x140aee194 CertFindCertificateInStore
 0x140aee19c CertFreeCertificateContext
 0x140aee1a4 CertGetCertificateContextProperty
 0x140aee1ac CertOpenStore
IPHLPAPI.DLL
 0x140aee1bc ConvertInterfaceIndexToLuid
 0x140aee1c4 ConvertInterfaceLuidToNameW
 0x140aee1cc GetAdaptersAddresses
KERNEL32.dll
 0x140aee1dc AcquireSRWLockExclusive
 0x140aee1e4 AcquireSRWLockShared
 0x140aee1ec AddVectoredExceptionHandler
 0x140aee1f4 AssignProcessToJobObject
 0x140aee1fc CancelIo
 0x140aee204 CancelIoEx
 0x140aee20c CancelSynchronousIo
 0x140aee214 CloseHandle
 0x140aee21c ConnectNamedPipe
 0x140aee224 ConvertFiberToThread
 0x140aee22c ConvertThreadToFiber
 0x140aee234 CopyFileW
 0x140aee23c CreateDirectoryW
 0x140aee244 CreateEventA
 0x140aee24c CreateFiber
 0x140aee254 CreateFileA
 0x140aee25c CreateFileMappingA
 0x140aee264 CreateFileW
 0x140aee26c CreateHardLinkW
 0x140aee274 CreateIoCompletionPort
 0x140aee27c CreateJobObjectW
 0x140aee284 CreateNamedPipeA
 0x140aee28c CreateNamedPipeW
 0x140aee294 CreateProcessW
 0x140aee29c CreateSemaphoreA
 0x140aee2a4 CreateSymbolicLinkW
 0x140aee2ac CreateToolhelp32Snapshot
 0x140aee2b4 DebugBreak
 0x140aee2bc DeleteCriticalSection
 0x140aee2c4 DeleteFiber
 0x140aee2cc DeviceIoControl
 0x140aee2d4 DuplicateHandle
 0x140aee2dc EnterCriticalSection
 0x140aee2e4 ExpandEnvironmentStringsA
 0x140aee2ec FileTimeToSystemTime
 0x140aee2f4 FillConsoleOutputAttribute
 0x140aee2fc FillConsoleOutputCharacterW
 0x140aee304 FindClose
 0x140aee30c FindFirstFileW
 0x140aee314 FindNextFileW
 0x140aee31c FindResourceW
 0x140aee324 FlushFileBuffers
 0x140aee32c FlushInstructionCache
 0x140aee334 FlushViewOfFile
 0x140aee33c FormatMessageA
 0x140aee344 FormatMessageW
 0x140aee34c FreeConsole
 0x140aee354 FreeEnvironmentStringsW
 0x140aee35c FreeLibrary
 0x140aee364 GetComputerNameA
 0x140aee36c GetConsoleCursorInfo
 0x140aee374 GetConsoleMode
 0x140aee37c GetConsoleScreenBufferInfo
 0x140aee384 GetConsoleTitleW
 0x140aee38c GetConsoleWindow
 0x140aee394 GetCurrentDirectoryW
 0x140aee39c GetCurrentProcess
 0x140aee3a4 GetCurrentProcessId
 0x140aee3ac GetCurrentThread
 0x140aee3b4 GetCurrentThreadId
 0x140aee3bc GetDiskFreeSpaceW
 0x140aee3c4 GetEnvironmentStringsW
 0x140aee3cc GetEnvironmentVariableW
 0x140aee3d4 GetExitCodeProcess
 0x140aee3dc GetFileAttributesA
 0x140aee3e4 GetFileAttributesW
 0x140aee3ec GetFileInformationByHandle
 0x140aee3f4 GetFileInformationByHandleEx
 0x140aee3fc GetFileSizeEx
 0x140aee404 GetFileType
 0x140aee40c GetFinalPathNameByHandleW
 0x140aee414 GetFullPathNameW
 0x140aee41c GetHandleInformation
 0x140aee424 GetLargePageMinimum
 0x140aee42c GetLastError
 0x140aee434 GetLongPathNameW
 0x140aee43c GetModuleFileNameA
 0x140aee444 GetModuleFileNameW
 0x140aee44c GetModuleHandleA
 0x140aee454 GetModuleHandleExW
 0x140aee45c GetModuleHandleW
 0x140aee464 GetNamedPipeHandleStateA
 0x140aee46c GetNativeSystemInfo
 0x140aee474 GetNumberOfConsoleInputEvents
 0x140aee47c GetPriorityClass
 0x140aee484 GetProcAddress
 0x140aee48c GetProcessAffinityMask
 0x140aee494 GetProcessHeap
 0x140aee49c GetProcessIoCounters
 0x140aee4a4 GetProcessTimes
 0x140aee4ac GetQueuedCompletionStatus
 0x140aee4b4 GetShortPathNameW
 0x140aee4bc GetStartupInfoA
 0x140aee4c4 GetStartupInfoW
 0x140aee4cc GetStdHandle
 0x140aee4d4 GetSystemFirmwareTable
 0x140aee4dc GetSystemInfo
 0x140aee4e4 GetSystemPowerStatus
 0x140aee4ec GetSystemTime
 0x140aee4f4 GetSystemTimeAdjustment
 0x140aee4fc GetSystemTimeAsFileTime
 0x140aee504 GetTempPathW
 0x140aee50c GetThreadContext
 0x140aee514 GetThreadPriority
 0x140aee51c GetThreadTimes
 0x140aee524 GetTickCount
 0x140aee52c GetTickCount64
 0x140aee534 GetVersion
 0x140aee53c GetVersionExA
 0x140aee544 GetVersionExW
 0x140aee54c GlobalMemoryStatusEx
 0x140aee554 HeapAlloc
 0x140aee55c HeapFree
 0x140aee564 InitializeConditionVariable
 0x140aee56c InitializeCriticalSection
 0x140aee574 InitializeCriticalSectionAndSpinCount
 0x140aee57c InitializeSRWLock
 0x140aee584 IsDBCSLeadByteEx
 0x140aee58c IsDebuggerPresent
 0x140aee594 K32GetProcessMemoryInfo
 0x140aee59c LCMapStringW
 0x140aee5a4 LeaveCriticalSection
 0x140aee5ac LoadLibraryA
 0x140aee5b4 LoadLibraryExA
 0x140aee5bc LoadLibraryExW
 0x140aee5c4 LoadLibraryW
 0x140aee5cc LoadResource
 0x140aee5d4 LocalAlloc
 0x140aee5dc LocalFree
 0x140aee5e4 LockResource
 0x140aee5ec MapViewOfFile
 0x140aee5f4 MoveFileExW
 0x140aee5fc MultiByteToWideChar
 0x140aee604 OpenProcess
 0x140aee60c OutputDebugStringA
 0x140aee614 PeekNamedPipe
 0x140aee61c PostQueuedCompletionStatus
 0x140aee624 Process32First
 0x140aee62c Process32Next
 0x140aee634 QueryPerformanceCounter
 0x140aee63c QueryPerformanceFrequency
 0x140aee644 QueueUserWorkItem
 0x140aee64c RaiseException
 0x140aee654 ReOpenFile
 0x140aee65c ReadConsoleA
 0x140aee664 ReadConsoleInputW
 0x140aee66c ReadConsoleW
 0x140aee674 ReadDirectoryChangesW
 0x140aee67c ReadFile
 0x140aee684 RegisterWaitForSingleObject
 0x140aee68c ReleaseSRWLockExclusive
 0x140aee694 ReleaseSRWLockShared
 0x140aee69c ReleaseSemaphore
 0x140aee6a4 RemoveDirectoryW
 0x140aee6ac RemoveVectoredExceptionHandler
 0x140aee6b4 ResetEvent
 0x140aee6bc ResumeThread
 0x140aee6c4 RtlCaptureContext
 0x140aee6cc RtlLookupFunctionEntry
 0x140aee6d4 RtlUnwindEx
 0x140aee6dc RtlVirtualUnwind
 0x140aee6e4 SetConsoleCtrlHandler
 0x140aee6ec SetConsoleCursorInfo
 0x140aee6f4 SetConsoleCursorPosition
 0x140aee6fc SetConsoleMode
 0x140aee704 SetConsoleTextAttribute
 0x140aee70c SetConsoleTitleA
 0x140aee714 SetConsoleTitleW
 0x140aee71c SetCurrentDirectoryW
 0x140aee724 SetEnvironmentVariableW
 0x140aee72c SetErrorMode
 0x140aee734 SetEvent
 0x140aee73c SetFileCompletionNotificationModes
 0x140aee744 SetFilePointerEx
 0x140aee74c SetFileTime
 0x140aee754 SetHandleInformation
 0x140aee75c SetInformationJobObject
 0x140aee764 SetLastError
 0x140aee76c SetNamedPipeHandleState
 0x140aee774 SetPriorityClass
 0x140aee77c SetProcessAffinityMask
 0x140aee784 SetSystemTime
 0x140aee78c SetThreadAffinityMask
 0x140aee794 SetThreadContext
 0x140aee79c SetThreadPriority
 0x140aee7a4 SetUnhandledExceptionFilter
 0x140aee7ac SizeofResource
 0x140aee7b4 Sleep
 0x140aee7bc SleepConditionVariableCS
 0x140aee7c4 SuspendThread
 0x140aee7cc SwitchToFiber
 0x140aee7d4 SwitchToThread
 0x140aee7dc SystemTimeToFileTime
 0x140aee7e4 TerminateProcess
 0x140aee7ec TlsAlloc
 0x140aee7f4 TlsFree
 0x140aee7fc TlsGetValue
 0x140aee804 TlsSetValue
 0x140aee80c TryAcquireSRWLockExclusive
 0x140aee814 TryAcquireSRWLockShared
 0x140aee81c TryEnterCriticalSection
 0x140aee824 UnmapViewOfFile
 0x140aee82c UnregisterWait
 0x140aee834 UnregisterWaitEx
 0x140aee83c VerSetConditionMask
 0x140aee844 VerifyVersionInfoA
 0x140aee84c VirtualAlloc
 0x140aee854 VirtualFree
 0x140aee85c VirtualProtect
 0x140aee864 VirtualQuery
 0x140aee86c WaitForMultipleObjects
 0x140aee874 WaitForSingleObject
 0x140aee87c WaitNamedPipeW
 0x140aee884 WakeAllConditionVariable
 0x140aee88c WakeConditionVariable
 0x140aee894 WideCharToMultiByte
 0x140aee89c WriteConsoleInputW
 0x140aee8a4 WriteConsoleW
 0x140aee8ac WriteFile
 0x140aee8b4 __C_specific_handler
msvcrt.dll
 0x140aee8c4 ___lc_codepage_func
 0x140aee8cc ___mb_cur_max_func
 0x140aee8d4 __argv
 0x140aee8dc __doserrno
 0x140aee8e4 __getmainargs
 0x140aee8ec __initenv
 0x140aee8f4 __iob_func
 0x140aee8fc __set_app_type
 0x140aee904 __setusermatherr
 0x140aee90c _acmdln
 0x140aee914 _amsg_exit
 0x140aee91c _assert
 0x140aee924 _beginthreadex
 0x140aee92c _cexit
 0x140aee934 _close
 0x140aee93c _close
 0x140aee944 _commode
 0x140aee94c _endthreadex
 0x140aee954 _errno
 0x140aee95c _exit
 0x140aee964 _fdopen
 0x140aee96c _filelengthi64
 0x140aee974 _fileno
 0x140aee97c _findclose
 0x140aee984 _fileno
 0x140aee98c _findfirst64
 0x140aee994 _findnext64
 0x140aee99c _fmode
 0x140aee9a4 _fstat64
 0x140aee9ac _fullpath
 0x140aee9b4 _get_osfhandle
 0x140aee9bc _gmtime64
 0x140aee9c4 _initterm
 0x140aee9cc _isatty
 0x140aee9d4 _localtime64
 0x140aee9dc _lock
 0x140aee9e4 _lseeki64
 0x140aee9ec _mkdir
 0x140aee9f4 _onexit
 0x140aee9fc _open
 0x140aeea04 _open_osfhandle
 0x140aeea0c _read
 0x140aeea14 _read
 0x140aeea1c _setjmp
 0x140aeea24 _setmode
 0x140aeea2c _snwprintf
 0x140aeea34 _stat64
 0x140aeea3c _stricmp
 0x140aeea44 _strdup
 0x140aeea4c _strdup
 0x140aeea54 _strnicmp
 0x140aeea5c _time64
 0x140aeea64 _ultoa
 0x140aeea6c _unlock
 0x140aeea74 _umask
 0x140aeea7c _vscprintf
 0x140aeea84 _vsnprintf
 0x140aeea8c _vsnwprintf
 0x140aeea94 _wchmod
 0x140aeea9c _wcsdup
 0x140aeeaa4 _wcsnicmp
 0x140aeeaac _wcsrev
 0x140aeeab4 _wfopen
 0x140aeeabc _wopen
 0x140aeeac4 _write
 0x140aeeacc _wrmdir
 0x140aeead4 abort
 0x140aeeadc atof
 0x140aeeae4 atoi
 0x140aeeaec calloc
 0x140aeeaf4 exit
 0x140aeeafc fclose
 0x140aeeb04 feof
 0x140aeeb0c ferror
 0x140aeeb14 fflush
 0x140aeeb1c fgetpos
 0x140aeeb24 fgets
 0x140aeeb2c fopen
 0x140aeeb34 fprintf
 0x140aeeb3c fputc
 0x140aeeb44 fputs
 0x140aeeb4c fread
 0x140aeeb54 free
 0x140aeeb5c fseek
 0x140aeeb64 fsetpos
 0x140aeeb6c ftell
 0x140aeeb74 fwrite
 0x140aeeb7c getc
 0x140aeeb84 getenv
 0x140aeeb8c getwc
 0x140aeeb94 islower
 0x140aeeb9c isspace
 0x140aeeba4 isupper
 0x140aeebac iswctype
 0x140aeebb4 isxdigit
 0x140aeebbc _write
 0x140aeebc4 localeconv
 0x140aeebcc longjmp
 0x140aeebd4 malloc
 0x140aeebdc memchr
 0x140aeebe4 memcmp
 0x140aeebec memcpy
 0x140aeebf4 memmove
 0x140aeebfc memset
 0x140aeec04 printf
 0x140aeec0c putc
 0x140aeec14 putwc
 0x140aeec1c qsort
 0x140aeec24 raise
 0x140aeec2c realloc
 0x140aeec34 rand
 0x140aeec3c setlocale
 0x140aeec44 setvbuf
 0x140aeec4c signal
 0x140aeec54 sprintf
 0x140aeec5c srand
 0x140aeec64 strcat
 0x140aeec6c strchr
 0x140aeec74 strcmp
 0x140aeec7c strcoll
 0x140aeec84 strcpy
 0x140aeec8c strcspn
 0x140aeec94 strerror
 0x140aeec9c strftime
 0x140aeeca4 strlen
 0x140aeecac strncmp
 0x140aeecb4 strncpy
 0x140aeecbc strrchr
 0x140aeecc4 strspn
 0x140aeeccc strstr
 0x140aeecd4 strtol
 0x140aeecdc strtoul
 0x140aeece4 strxfrm
 0x140aeecec tolower
 0x140aeecf4 toupper
 0x140aeecfc towlower
 0x140aeed04 towupper
 0x140aeed0c ungetc
 0x140aeed14 vfprintf
 0x140aeed1c ungetwc
 0x140aeed24 wcschr
 0x140aeed2c wcscmp
 0x140aeed34 wcscoll
 0x140aeed3c wcscpy
 0x140aeed44 wcsftime
 0x140aeed4c wcslen
 0x140aeed54 wcsncmp
 0x140aeed5c wcsncpy
 0x140aeed64 wcspbrk
 0x140aeed6c wcsrchr
 0x140aeed74 wcsstr
 0x140aeed7c wcstombs
 0x140aeed84 wcsxfrm
ole32.dll
 0x140aeed94 CoCreateInstance
 0x140aeed9c CoInitializeEx
 0x140aeeda4 CoUninitialize
SHELL32.dll
 0x140aeedb4 SHGetSpecialFolderPathA
USER32.dll
 0x140aeedc4 DispatchMessageA
 0x140aeedcc GetLastInputInfo
 0x140aeedd4 GetMessageA
 0x140aeeddc GetProcessWindowStation
 0x140aeede4 GetSystemMetrics
 0x140aeedec GetUserObjectInformationW
 0x140aeedf4 MapVirtualKeyW
 0x140aeedfc MessageBoxW
 0x140aeee04 ShowWindow
 0x140aeee0c TranslateMessage
USERENV.dll
 0x140aeee1c GetUserProfileDirectoryW
WS2_32.dll
 0x140aeee2c FreeAddrInfoW
 0x140aeee34 GetAddrInfoW
 0x140aeee3c WSACleanup
 0x140aeee44 WSADuplicateSocketW
 0x140aeee4c WSAGetLastError
 0x140aeee54 WSAGetOverlappedResult
 0x140aeee5c WSAIoctl
 0x140aeee64 WSARecv
 0x140aeee6c WSARecvFrom
 0x140aeee74 WSASend
 0x140aeee7c WSASendTo
 0x140aeee84 WSASetLastError
 0x140aeee8c WSASocketW
 0x140aeee94 WSAStartup
 0x140aeee9c accept
 0x140aeeea4 bind
 0x140aeeeac closesocket
 0x140aeeeb4 connect
 0x140aeeebc freeaddrinfo
 0x140aeeec4 getaddrinfo
 0x140aeeecc gethostbyname
 0x140aeeed4 gethostname
 0x140aeeedc getnameinfo
 0x140aeeee4 getpeername
 0x140aeeeec getsockname
 0x140aeeef4 getsockopt
 0x140aeeefc htonl
 0x140aeef04 htons
 0x140aeef0c ioctlsocket
 0x140aeef14 listen
 0x140aeef1c ntohs
 0x140aeef24 recv
 0x140aeef2c select
 0x140aeef34 send
 0x140aeef3c setsockopt
 0x140aeef44 shutdown
 0x140aeef4c socket

EAT (Export Address Table): none
