3ee04e378f6430e85f5756093e80b243c2ebbcb9f2ee77cc32acd1cd9e333301

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7
submitted
19-07-2020 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skynet_0.2.vir.exe
Size

1.6MB
MD5

0adb101c9c09d85a19facdf4a68677e9
SHA1

3ca97d68f8f7ecb5ef5b3df7a1cc45dc27d3ca6c
SHA256

3ee04e378f6430e85f5756093e80b243c2ebbcb9f2ee77cc32acd1cd9e333301
SHA512

d761a847117bc3e9e740b63aba3bc17ceaf8892dc23cfd1e2c3ff091fb093db5357a44c23b33e9080dbdb67c6d8bba54151d6e153a97e310333edc5ba772338b

Score

8^/10

upx persistence

Malware Config

Signatures

Loads dropped DLL 77 IoCs

Processes:

svchost.exesvchost.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.exe

pid	process
1452	svchost.exe
316	svchost.exe
316	svchost.exe
812	cgminer.exe
812	cgminer.exe
316	svchost.exe
316	svchost.exe
1224	cgminer.exe
1224	cgminer.exe
316	svchost.exe
316	svchost.exe
1872	cgminer.exe
1872	cgminer.exe
316	svchost.exe
316	svchost.exe
1700	cgminer.exe
1700	cgminer.exe
316	svchost.exe
316	svchost.exe
240	cgminer.exe
240	cgminer.exe
316	svchost.exe
316	svchost.exe
1668	cgminer.exe
1668	cgminer.exe
316	svchost.exe
316	svchost.exe
1552	cgminer.exe
1552	cgminer.exe
316	svchost.exe
316	svchost.exe
1188	cgminer.exe
1188	cgminer.exe
316	svchost.exe
316	svchost.exe
1652	cgminer.exe
1652	cgminer.exe
316	svchost.exe
316	svchost.exe
1068	cgminer.exe
1068	cgminer.exe
316	svchost.exe
316	svchost.exe
2028	cgminer.exe
2028	cgminer.exe
316	svchost.exe
316	svchost.exe
1648	cgminer.exe
1648	cgminer.exe
316	svchost.exe
316	svchost.exe
1048	cgminer.exe
1048	cgminer.exe
316	svchost.exe
316	svchost.exe
1092	cgminer.exe
1092	cgminer.exe
316	svchost.exe
316	svchost.exe
1928	cgminer.exe
1928	cgminer.exe
316	svchost.exe
316	svchost.exe
1808	cgminer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1824 WinMail.exe

pid	process
1824	WinMail.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6646739A-00000001.eml:OECustomProperty	WinMail.exe

Suspicious use of WriteProcessMemory 354 IoCs

Processes:

skynet_0.2.vir.exesvchost.exeulmof.exesvchost.exe

description	pid	process	target process
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 wrote to memory of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1452 wrote to memory of 1968	1452	svchost.exe	ulmof.exe
PID 1452 wrote to memory of 1968	1452	svchost.exe	ulmof.exe
PID 1452 wrote to memory of 1968	1452	svchost.exe	ulmof.exe
PID 1452 wrote to memory of 1968	1452	svchost.exe	ulmof.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1488	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 1300	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 1968 wrote to memory of 276	1968	ulmof.exe	svchost.exe
PID 276 wrote to memory of 1148	276	svchost.exe	taskhost.exe
PID 276 wrote to memory of 1148	276	svchost.exe	taskhost.exe
PID 276 wrote to memory of 1148	276	svchost.exe	taskhost.exe
PID 276 wrote to memory of 1148	276	svchost.exe	taskhost.exe
PID 276 wrote to memory of 1148	276	svchost.exe	taskhost.exe
PID 276 wrote to memory of 1264	276	svchost.exe	Dwm.exe

Executes dropped EXE 20 IoCs

Processes:

ulmof.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.execgminer.exe

pid	process
1968	ulmof.exe
812	cgminer.exe
1224	cgminer.exe
1872	cgminer.exe
1700	cgminer.exe
240	cgminer.exe
1668	cgminer.exe
1552	cgminer.exe
1188	cgminer.exe
1652	cgminer.exe
1068	cgminer.exe
2028	cgminer.exe
1648	cgminer.exe
1048	cgminer.exe
1092	cgminer.exe
1928	cgminer.exe
1808	cgminer.exe
1520	cgminer.exe
340	cgminer.exe
1524	cgminer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1520 cmd.exe

pid	process
1520	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D0849AC1-6D54-5CEF-D5C6-4735842E799E} = "C:\\Users\\Admin\\AppData\\Roaming\\Acame\\ulmof.exe"	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exesvchost.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1452	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	1824	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1824 WinMail.exe

pid	process
1824	WinMail.exe

Suspicious use of SetThreadContext 44 IoCs

Processes:

skynet_0.2.vir.exeulmof.exesvchost.exe

description	pid	process	target process
PID 1140 set thread context of 864	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 set thread context of 316	1140	skynet_0.2.vir.exe	svchost.exe
PID 1140 set thread context of 1452	1140	skynet_0.2.vir.exe	svchost.exe
PID 1968 set thread context of 1488	1968	ulmof.exe	svchost.exe
PID 1968 set thread context of 1300	1968	ulmof.exe	svchost.exe
PID 1968 set thread context of 276	1968	ulmof.exe	svchost.exe
PID 316 set thread context of 812	316	svchost.exe	cgminer.exe
PID 316 set thread context of 812	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1224	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1224	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1872	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1872	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1700	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1700	316	svchost.exe	cgminer.exe
PID 316 set thread context of 240	316	svchost.exe	cgminer.exe
PID 316 set thread context of 240	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1668	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1668	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1552	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1552	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1188	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1188	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1652	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1652	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1068	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1068	316	svchost.exe	cgminer.exe
PID 316 set thread context of 2028	316	svchost.exe	cgminer.exe
PID 316 set thread context of 2028	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1648	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1648	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1048	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1048	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1092	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1092	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1928	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1928	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1808	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1808	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1520	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1520	316	svchost.exe	cgminer.exe
PID 316 set thread context of 340	316	svchost.exe	cgminer.exe
PID 316 set thread context of 340	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1524	316	svchost.exe	cgminer.exe
PID 316 set thread context of 1524	316	svchost.exe	cgminer.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid	process
864	svchost.exe
864	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
316	svchost.exe
276	svchost.exe
276	svchost.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1824 WinMail.exe

pid	process
1824	WinMail.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/864-0-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/864-6-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/864-8-0x0000000000400000-0x00000000006B3000-memory.dmp	upx
behavioral1/memory/812-541-0x0000000000400000-0x000000000044D000-memory.dmp	upx

JavaScript code in executable 20 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js
\Users\Admin\AppData\Local\Temp\libcurl-4.dll	js

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org

flow	ioc
7	checkip.dyndns.org

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\skynet_0.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\skynet_0.2.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe --HiddenServiceDir "C:\Users\Admin\AppData\Roaming\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe (null)
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:812

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1872

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1700

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:240

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1188

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1068

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:2028

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1092

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Loads dropped DLL
- Executes dropped EXE
PID:1808

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Executes dropped EXE
PID:340

C:\Users\Admin\AppData\Local\Temp\cgminer.exe
"C:\Users\Admin\AppData\Local\Temp\cgminer.exe" -o http://127.0.0.1:61697/btc/ -u user -p UB97ad2 -w 128 -I d -k poclbm --api-listen
4⤵
- Executes dropped EXE
PID:1524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe ext "C:\Users\Admin\AppData\Local\Temp\skynet_0.2.vir.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Roaming\Acame\ulmof.exe
"C:\Users\Admin\AppData\Roaming\Acame\ulmof.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe --HiddenServiceDir "C:\Users\Admin\AppData\Roaming\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"
5⤵
PID:1488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe (null)
5⤵
PID:1300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe ext "C:\Users\Admin\AppData\Roaming\Acame\ulmof.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2397c260.bat"
4⤵
- Deletes itself
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6206651608779662951150781288458971480512034206-69500577346998455-847530103"
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2036

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
PID:1824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1616947751129532948-78008816812012664937316564661517783760268793445-1593620231"
1⤵
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2397c260.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Acame\ulmof.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Acame\ulmof.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Peicor\lani.fia

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\cgminer.exe

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libcurl-4.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Local\Temp\libpdcurses.dll

Download Submit
\Users\Admin\AppData\Roaming\Acame\ulmof.exe

Download Submit
memory/240-576-0x000000000044A780-mapping.dmp

Download
memory/276-469-0x000000000041DBFE-mapping.dmp

Download
memory/316-495-0x000000000040719E-mapping.dmp

Download
memory/316-2-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/316-5-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/316-3-0x000000000040719E-mapping.dmp

Download
memory/340-680-0x000000000044A780-mapping.dmp

Download
memory/812-542-0x000000000044A780-mapping.dmp

Download
memory/812-538-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/812-541-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/864-0-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/864-1-0x00000000006B0800-mapping.dmp

Download
memory/864-12-0x0000000002E40000-0x0000000002E51000-memory.dmp

Filesize
68KB

Download
memory/864-235-0x0000000002E40000-0x0000000002E51000-memory.dmp

Filesize
68KB

Download
memory/864-236-0x0000000003250000-0x0000000003261000-memory.dmp

Filesize
68KB

Download
memory/864-10-0x0000000002E40000-0x0000000002E51000-memory.dmp

Filesize
68KB

Download
memory/864-237-0x0000000002E40000-0x0000000002E51000-memory.dmp

Filesize
68KB

Download
memory/864-473-0x00000000006B0800-mapping.dmp

Download
memory/864-249-0x0000000002E40000-0x0000000002E51000-memory.dmp

Filesize
68KB

Download
memory/864-8-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/864-11-0x0000000003250000-0x0000000003261000-memory.dmp

Filesize
68KB

Download
memory/864-6-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/1048-640-0x000000000044A780-mapping.dmp

Download
memory/1068-616-0x000000000044A780-mapping.dmp

Download
memory/1092-648-0x000000000044A780-mapping.dmp

Download
memory/1188-600-0x000000000044A780-mapping.dmp

Download
memory/1224-552-0x000000000044A780-mapping.dmp

Download
memory/1300-466-0x000000000040719E-mapping.dmp

Download
memory/1452-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1452-9-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1452-7-0x000000000041DBFE-mapping.dmp

Download
memory/1488-464-0x00000000006B0800-mapping.dmp

Download
memory/1520-672-0x000000000044A780-mapping.dmp

Download
memory/1520-474-0x0000000000000000-mapping.dmp

Download
memory/1524-688-0x000000000044A780-mapping.dmp

Download
memory/1552-592-0x000000000044A780-mapping.dmp

Download
memory/1648-632-0x000000000044A780-mapping.dmp

Download
memory/1652-608-0x000000000044A780-mapping.dmp

Download
memory/1668-584-0x000000000044A780-mapping.dmp

Download
memory/1700-568-0x000000000044A780-mapping.dmp

Download
memory/1808-664-0x000000000044A780-mapping.dmp

Download
memory/1824-507-0x0000000004C00000-0x0000000004C02000-memory.dmp

Filesize
8KB

Download
memory/1824-502-0x00000000049D0000-0x00000000049D2000-memory.dmp

Filesize
8KB

Download
memory/1824-479-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/1824-531-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1824-481-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/1824-482-0x0000000003880000-0x0000000003A80000-memory.dmp

Filesize
2.0MB

Download
memory/1824-483-0x0000000003980000-0x0000000003A80000-memory.dmp

Filesize
1024KB

Download
memory/1824-487-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/1824-488-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1824-489-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1824-490-0x0000000003B50000-0x0000000003B52000-memory.dmp

Filesize
8KB

Download
memory/1824-525-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/1824-491-0x00000000040A0000-0x00000000040A2000-memory.dmp

Filesize
8KB

Download
memory/1824-492-0x0000000003B50000-0x0000000003B52000-memory.dmp

Filesize
8KB

Download
memory/1824-493-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1824-494-0x0000000003F40000-0x0000000003F42000-memory.dmp

Filesize
8KB

Download
memory/1824-496-0x0000000004AB0000-0x0000000004AB2000-memory.dmp

Filesize
8KB

Download
memory/1824-497-0x0000000004AC0000-0x0000000004AC2000-memory.dmp

Filesize
8KB

Download
memory/1824-498-0x0000000004AD0000-0x0000000004AD2000-memory.dmp

Filesize
8KB

Download
memory/1824-523-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/1824-499-0x0000000004AE0000-0x0000000004AE2000-memory.dmp

Filesize
8KB

Download
memory/1824-500-0x0000000004AF0000-0x0000000004AF2000-memory.dmp

Filesize
8KB

Download
memory/1824-501-0x00000000042A0000-0x00000000042A2000-memory.dmp

Filesize
8KB

Download
memory/1824-477-0x0000000003880000-0x0000000003980000-memory.dmp

Filesize
1024KB

Download
memory/1824-503-0x00000000049E0000-0x00000000049E2000-memory.dmp

Filesize
8KB

Download
memory/1824-504-0x00000000049F0000-0x00000000049F2000-memory.dmp

Filesize
8KB

Download
memory/1824-505-0x0000000004A90000-0x0000000004A92000-memory.dmp

Filesize
8KB

Download
memory/1824-506-0x0000000003EB0000-0x0000000003EB2000-memory.dmp

Filesize
8KB

Download
memory/1824-508-0x0000000004190000-0x0000000004192000-memory.dmp

Filesize
8KB

Download
memory/1824-509-0x0000000004170000-0x0000000004172000-memory.dmp

Filesize
8KB

Download
memory/1824-510-0x0000000003EF0000-0x0000000003EF2000-memory.dmp

Filesize
8KB

Download
memory/1824-511-0x0000000003F00000-0x0000000003F02000-memory.dmp

Filesize
8KB

Download
memory/1824-512-0x0000000004010000-0x0000000004012000-memory.dmp

Filesize
8KB

Download
memory/1824-513-0x0000000004190000-0x0000000004192000-memory.dmp

Filesize
8KB

Download
memory/1824-514-0x0000000003EA0000-0x0000000003EA2000-memory.dmp

Filesize
8KB

Download
memory/1824-515-0x00000000040A0000-0x00000000040A2000-memory.dmp

Filesize
8KB

Download
memory/1824-522-0x0000000004180000-0x0000000004182000-memory.dmp

Filesize
8KB

Download
memory/1824-516-0x0000000003C10000-0x0000000003C12000-memory.dmp

Filesize
8KB

Download
memory/1824-517-0x0000000004160000-0x0000000004162000-memory.dmp

Filesize
8KB

Download
memory/1824-518-0x0000000004BF0000-0x0000000004BF2000-memory.dmp

Filesize
8KB

Download
memory/1824-519-0x0000000003EB0000-0x0000000003EB2000-memory.dmp

Filesize
8KB

Download
memory/1824-520-0x0000000004BE0000-0x0000000004BE2000-memory.dmp

Filesize
8KB

Download
memory/1824-521-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/1872-560-0x000000000044A780-mapping.dmp

Download
memory/1928-656-0x000000000044A780-mapping.dmp

Download
memory/1968-461-0x0000000000000000-mapping.dmp

Download
memory/2028-624-0x000000000044A780-mapping.dmp

Download