Overview

overview

10

Static

static

b4d22b58_b...is.exe

windows7_x64

10

b4d22b58_b...is.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05-05-2021 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4d22b58_by_Libranalysis.exe

  • Size

    118KB

  • MD5

    b4d22b58cd80b7ffc930a76ca9f9fa71

  • SHA1

    3931f09d3d36e714eade19bab13a2ac5c5db1a6c

  • SHA256

    804acd2d212ff0dbdc4670b07862c19f275fc746b19d431bf6b31f78d7a63ec6

  • SHA512

    fa990e0799500dfef650648d06f7226a5c697b71c587ff32dbabe957a3e0425bd4f3d2f05990af787d3f2b223aa3097a88c2d018d79eadf4776f1742706e9b5e

Score
10/10
xmrigminerpersistence

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe
    "C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 808
          4⤵
          • Loads dropped DLL
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    MD5

    c9ad591f0b0c0f9ed53cee7ccf0d8488

    SHA1

    23516aa278f7f3cb738d5175ab6cb15afaf4bed2

    SHA256

    b8f68b40dde3f4db2c751545536137310a5d8132e8369c9180ffa7309257c4a5

    SHA512

    7e215cf343decbe668fa96cceecf7ce8e710a237486e054b2b2a939c1ef4193d5eebcd119387e40dbe79a1aa3b98ef93331ba90107b6ed3cbb65cde87ecac442

    Download Submit
  • C:\Windows\SysWOW64\grcopy.dll
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • C:\Windows\SysWOW64\satornas.dll
    MD5

    b26a78df2025cd9fb3ab24e9db7c4b46

    SHA1

    11965c84377cc4903602ca9f3ad5bdcc5a6c62bc

    SHA256

    84eedc3b5feb70a840fe89ce3aa076c76551eb5fc7b07423d47f41a9a3f2ea35

    SHA512

    7b6c05f15c91db49d8d9f2043ad18f529839fa2369bd7ee1fc3ef900dd5d9dea2c84f9a06b3bd23a7ede4d8f9a97bb704b9e4f92f4019b11bd5e336b1e2e4c4d

    Download Submit
  • C:\Windows\SysWOW64\shervans.dll
    MD5

    9fcc83db4e03b67fccabcb604b51948c

    SHA1

    13bfe6ebe5b527f9fbfcf0622cc5da8064422394

    SHA256

    4329dc82e98cc06d23c93a24c89fb597a13f4d2253339b6824c3ffa3d74c8a7b

    SHA512

    78128588c87a03e1fdf9192192918a47e460e0e198ac9ee22ef1ce60acfa12139c2effed6a3d7f96814ec0be01adfa217acf7b38f11924e239af109b7fbf8844

    Download Submit
  • C:\Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • C:\Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • \Windows\SysWOW64\ctfmen.exe
    MD5

    c9ad591f0b0c0f9ed53cee7ccf0d8488

    SHA1

    23516aa278f7f3cb738d5175ab6cb15afaf4bed2

    SHA256

    b8f68b40dde3f4db2c751545536137310a5d8132e8369c9180ffa7309257c4a5

    SHA512

    7e215cf343decbe668fa96cceecf7ce8e710a237486e054b2b2a939c1ef4193d5eebcd119387e40dbe79a1aa3b98ef93331ba90107b6ed3cbb65cde87ecac442

    Download Submit
  • \Windows\SysWOW64\ctfmen.exe
    MD5

    c9ad591f0b0c0f9ed53cee7ccf0d8488

    SHA1

    23516aa278f7f3cb738d5175ab6cb15afaf4bed2

    SHA256

    b8f68b40dde3f4db2c751545536137310a5d8132e8369c9180ffa7309257c4a5

    SHA512

    7e215cf343decbe668fa96cceecf7ce8e710a237486e054b2b2a939c1ef4193d5eebcd119387e40dbe79a1aa3b98ef93331ba90107b6ed3cbb65cde87ecac442

    Download Submit
  • \Windows\SysWOW64\shervans.dll
    MD5

    9fcc83db4e03b67fccabcb604b51948c

    SHA1

    13bfe6ebe5b527f9fbfcf0622cc5da8064422394

    SHA256

    4329dc82e98cc06d23c93a24c89fb597a13f4d2253339b6824c3ffa3d74c8a7b

    SHA512

    78128588c87a03e1fdf9192192918a47e460e0e198ac9ee22ef1ce60acfa12139c2effed6a3d7f96814ec0be01adfa217acf7b38f11924e239af109b7fbf8844

    Download Submit
  • \Windows\SysWOW64\shervans.dll
    MD5

    9fcc83db4e03b67fccabcb604b51948c

    SHA1

    13bfe6ebe5b527f9fbfcf0622cc5da8064422394

    SHA256

    4329dc82e98cc06d23c93a24c89fb597a13f4d2253339b6824c3ffa3d74c8a7b

    SHA512

    78128588c87a03e1fdf9192192918a47e460e0e198ac9ee22ef1ce60acfa12139c2effed6a3d7f96814ec0be01adfa217acf7b38f11924e239af109b7fbf8844

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • \Windows\SysWOW64\smnss.exe
    MD5

    c58d385103bdcfcdbac8542edaa678b4

    SHA1

    4fd8fead52d94a5eb6c97ac88da7a9ad5d50603a

    SHA256

    3acbbffc4df2446b5c27ffabe1d2a15c8b74c88e9f7f4cdccc72bf137e4864f4

    SHA512

    222e25b41237a5a7804f8859cdf9e72b8ee06fa490861e9e82c613eaeb73d34be964ca3f5d18d4744c5b30fca30070857c2e48470c9474bc8947c235d5e7def9

    Download Submit
  • memory/548-74-0x0000000000000000-mapping.dmp
    Download
  • memory/548-78-0x00000000003A0000-0x00000000003BF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/828-71-0x00000000753B1000-0x00000000753B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/828-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1424-62-0x0000000000000000-mapping.dmp
    Download