Analysis

  • max time kernel: 143s
  • max time network: 143s
  • platform: windows10_x64
  • resource: win10v20210410
  • submitted: 05-05-2021 08:03

General

  • Target

    b4d22b58_by_Libranalysis.exe

  • Size

    118KB

  • MD5

    b4d22b58cd80b7ffc930a76ca9f9fa71

  • SHA1

    3931f09d3d36e714eade19bab13a2ac5c5db1a6c

  • SHA256

    804acd2d212ff0dbdc4670b07862c19f275fc746b19d431bf6b31f78d7a63ec6

  • SHA512

    fa990e0799500dfef650648d06f7226a5c697b71c587ff32dbabe957a3e0425bd4f3d2f05990af787d3f2b223aa3097a88c2d018d79eadf4776f1742706e9b5e

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe
    "C:\Users\Admin\AppData\Local\Temp\b4d22b58_by_Libranalysis.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1392
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2088

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060) 1
  • Defense Evasion: Modify Registry (T1112) 1
  • Discovery: Query Registry (T1012) 1
  • Discovery: Peripheral Device Discovery (T1120) 1
  • Discovery: System Information Discovery (T1082) 1

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    MD5

    783e0c46651b332e408e0877db3f35d9

    SHA1

    5d20c0686d7b06c81a23ab8a2e8028b21e269ebc

    SHA256

    07d7f528db77666bf755306149b3826535eff7a3cca39f87d66a12b7b19d30f7

    SHA512

    b9b950cc7ed67d0a2480593773ec9471c33608c628f51f59d10b5543ff4ee7ef7bf209061a7130320c3ef4b9756e26f59a5f0ae9207185dadf859307439b329d

  • C:\Windows\SysWOW64\grcopy.dll
    MD5

    578ccb47152ab1aa106d8e7f1333edb4

    SHA1

    3e89f046e22474aa077ff5763d5fa2bb4aadad2a

    SHA256

    2698c7e8dfe0a5189c590e219ad2d14ec52dbc0e9223bde7bbb1d59e42cc9557

    SHA512

    6a6e51fedd4c15d9000eaa2686738d53cf1cd80a9d77ea87be7b997b424e4b81b27a7d43f4a71b18dd19a5c62cdfbeb4e3966aeab4e02b01221a146ae14a7d59

  • C:\Windows\SysWOW64\satornas.dll
    MD5

    9737f397c6bba40cd39eb3a4d9fae4d4

    SHA1

    b42ee469713614b5c789a6fc3a539e0d1c5d86e8

    SHA256

    ea4b0fb26ce02d1aea00a2b78961520886fae51333813668602e34adf4fe7bed

    SHA512

    0c81f3efc30ade6f29179cde82061335ab3817bea873459aac5958da0ddee42c95cf1597e06cf7167bf80db568a87c5ac80772db7aac9872aebcbe05bfa442f5

  • C:\Windows\SysWOW64\shervans.dll
    MD5

    f4f385513ae830b2a5e7d532cd975ca4

    SHA1

    090b231c7ef91327f335b36673dd6551a666c007

    SHA256

    97c73659ab6631ec1b5e928551c4e4ecb45ad1b011612e1d201ffc34501e1e62

    SHA512

    c401dac1a153dfc2afb22a00f0a81eed025e38c6e9a3912a286c37afddbe35466e36581df0716b3ea330570488361eaf3be202ffd8082b20a6fdb85cc859be23

  • C:\Windows\SysWOW64\smnss.exe
    MD5

    578ccb47152ab1aa106d8e7f1333edb4

    SHA1

    3e89f046e22474aa077ff5763d5fa2bb4aadad2a

    SHA256

    2698c7e8dfe0a5189c590e219ad2d14ec52dbc0e9223bde7bbb1d59e42cc9557

    SHA512

    6a6e51fedd4c15d9000eaa2686738d53cf1cd80a9d77ea87be7b997b424e4b81b27a7d43f4a71b18dd19a5c62cdfbeb4e3966aeab4e02b01221a146ae14a7d59

  • \Windows\SysWOW64\shervans.dll
    MD5

    f4f385513ae830b2a5e7d532cd975ca4

    SHA1

    090b231c7ef91327f335b36673dd6551a666c007

    SHA256

    97c73659ab6631ec1b5e928551c4e4ecb45ad1b011612e1d201ffc34501e1e62

    SHA512

    c401dac1a153dfc2afb22a00f0a81eed025e38c6e9a3912a286c37afddbe35466e36581df0716b3ea330570488361eaf3be202ffd8082b20a6fdb85cc859be23

  • memory/2788-115-0x0000000000000000-mapping.dmp
  • memory/2808-118-0x0000000000000000-mapping.dmp