xmrig | 0ea327b5a6eb09b51bd1337c2b29e9fd4cbfa11a083736b47188884ffca7e2bf

Analysis

max time kernel
150s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8f8012_by_Libranalysis.exe
Size

118KB
MD5

2f8f8012ebb28563cc02c5fd13331a77
SHA1

1a2fbf934df02869dc7a563501835e1feb5f6b5c
SHA256

0ea327b5a6eb09b51bd1337c2b29e9fd4cbfa11a083736b47188884ffca7e2bf
SHA512

92326e07db24f96b8f56e5b2b4f7d19dfcaa255592ec0de3f38ee585d5fa50d8a9038f65924b4b39125254ec234783beb003057289bcc995e1edf2afcd10f18c

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\shervans.dll	acprotect
C:\Windows\SysWOW64\shervans.dll	acprotect
\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

2848 ctfmen.exe
3604 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

2f8f8012_by_Libranalysis.exesmnss.exe

pid process

3152 2f8f8012_by_Libranalysis.exe
3604 smnss.exe

pid	process
2848	ctfmen.exe
3604	smnss.exe

pid	process
3152	2f8f8012_by_Libranalysis.exe
3604	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f8f8012_by_Libranalysis.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	2f8f8012_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2f8f8012_by_Libranalysis.exesmnss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2f8f8012_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	2f8f8012_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1	2f8f8012_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1	smnss.exe

Drops file in System32 directory 12 IoCs

Processes:

2f8f8012_by_Libranalysis.exesmnss.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ctfmen.exe	2f8f8012_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	2f8f8012_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	2f8f8012_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\shervans.dll	2f8f8012_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\satornas.dll	2f8f8012_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	2f8f8012_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\shervans.dll	2f8f8012_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\grcopy.dll	2f8f8012_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\smnss.exe	2f8f8012_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1276 3604 WerFault.exe smnss.exe

pid	pid_target	process	target process
1276	3604	WerFault.exe	smnss.exe

Modifies registry class 6 IoCs

Processes:

smnss.exe2f8f8012_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	2f8f8012_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2f8f8012_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2f8f8012_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	2f8f8012_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	2f8f8012_by_Libranalysis.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

smnss.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3604	smnss.exe
Token: SeRestorePrivilege	1276	WerFault.exe
Token: SeBackupPrivilege	1276	WerFault.exe
Token: SeDebugPrivilege	1276	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2f8f8012_by_Libranalysis.exectfmen.exe

description	pid	process	target process
PID 3152 wrote to memory of 2848	3152	2f8f8012_by_Libranalysis.exe	ctfmen.exe
PID 3152 wrote to memory of 2848	3152	2f8f8012_by_Libranalysis.exe	ctfmen.exe
PID 3152 wrote to memory of 2848	3152	2f8f8012_by_Libranalysis.exe	ctfmen.exe
PID 2848 wrote to memory of 3604	2848	ctfmen.exe	smnss.exe
PID 2848 wrote to memory of 3604	2848	ctfmen.exe	smnss.exe
PID 2848 wrote to memory of 3604	2848	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\2f8f8012_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\2f8f8012_by_Libranalysis.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\ctfmen.exe
ctfmen.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\smnss.exe
C:\Windows\system32\smnss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1140
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe
MD5
05c9cec487879362296f94556707856e

SHA1
ad61080fa7ecbd490401694e46e2c83245cd5d27

SHA256
c9e68fbde9d95282e2963f98ec0f60c35cfdef5921a7f77332df90f6ab09ffa0

SHA512
293df84586e3f946a1714fbd852ca110fbb1552be225ca03f0c929c4d8f3aaec9cdb19aa678654ee9168e12ca2016dd7f67ed726ba4035cd79d354c89235d72e

Download Submit
C:\Windows\SysWOW64\ctfmen.exe
MD5
05c9cec487879362296f94556707856e

SHA1
ad61080fa7ecbd490401694e46e2c83245cd5d27

SHA256
c9e68fbde9d95282e2963f98ec0f60c35cfdef5921a7f77332df90f6ab09ffa0

SHA512
293df84586e3f946a1714fbd852ca110fbb1552be225ca03f0c929c4d8f3aaec9cdb19aa678654ee9168e12ca2016dd7f67ed726ba4035cd79d354c89235d72e

Download Submit
C:\Windows\SysWOW64\grcopy.dll
MD5
8b136fa7f210265943dcbd58a6a172fa

SHA1
aec7bde364af5dddba512ad761b4373e8c9ca01c

SHA256
ea36c5b6bc679ba38a7c1d238407aa01ca0bf8cd51b6d37999ce179a61052b52

SHA512
afadb482538e5a34c55faee0877cd648d3274036ba7d3901648c0a7dffc99623f534cb0b33480d7f590245823ce13f5c23058497cba7a90c932f3b84a1f238c5

Download Submit
C:\Windows\SysWOW64\satornas.dll
MD5
022498b0f5e164b1c58553f9b684c1fc

SHA1
50c1a942d510424994192d376a7142e03bf7a553

SHA256
382db11ebe981d7166e9097758fd2eed1b151744714e833988e4f05c26a5caf8

SHA512
5db14d658486f404a82dfa445f560551ebba32c5c27037c87b6eb6b7b61fd9d429ac89ff50ceee4b1d35a1b28ddb1674890f12910a7d7a564dd5fd83bcea5c80

Download Submit
C:\Windows\SysWOW64\shervans.dll
MD5
44446608af1d8779f20524aec1a24f17

SHA1
0e0677eb4f75237645bbab3ea61796a479f4073e

SHA256
e929c174ccd89b0f2de6e2a2bce599742c449bbcf33cd20c45bc73618ca718d9

SHA512
d250fc5343cad6799c7f84d7c8e5081ff789b83c5699483186e6251b86de45f540f325952b3ea8a0b3ae1e4584b8c2fa7b4878da995e38681ee2a9878b43fcd0

Download Submit
C:\Windows\SysWOW64\smnss.exe
MD5
8b136fa7f210265943dcbd58a6a172fa

SHA1
aec7bde364af5dddba512ad761b4373e8c9ca01c

SHA256
ea36c5b6bc679ba38a7c1d238407aa01ca0bf8cd51b6d37999ce179a61052b52

SHA512
afadb482538e5a34c55faee0877cd648d3274036ba7d3901648c0a7dffc99623f534cb0b33480d7f590245823ce13f5c23058497cba7a90c932f3b84a1f238c5

Download Submit
C:\Windows\SysWOW64\smnss.exe
MD5
8b136fa7f210265943dcbd58a6a172fa

SHA1
aec7bde364af5dddba512ad761b4373e8c9ca01c

SHA256
ea36c5b6bc679ba38a7c1d238407aa01ca0bf8cd51b6d37999ce179a61052b52

SHA512
afadb482538e5a34c55faee0877cd648d3274036ba7d3901648c0a7dffc99623f534cb0b33480d7f590245823ce13f5c23058497cba7a90c932f3b84a1f238c5

Download Submit
\Windows\SysWOW64\shervans.dll
MD5
44446608af1d8779f20524aec1a24f17

SHA1
0e0677eb4f75237645bbab3ea61796a479f4073e

SHA256
e929c174ccd89b0f2de6e2a2bce599742c449bbcf33cd20c45bc73618ca718d9

SHA512
d250fc5343cad6799c7f84d7c8e5081ff789b83c5699483186e6251b86de45f540f325952b3ea8a0b3ae1e4584b8c2fa7b4878da995e38681ee2a9878b43fcd0

Download Submit
\Windows\SysWOW64\shervans.dll
MD5
44446608af1d8779f20524aec1a24f17

SHA1
0e0677eb4f75237645bbab3ea61796a479f4073e

SHA256
e929c174ccd89b0f2de6e2a2bce599742c449bbcf33cd20c45bc73618ca718d9

SHA512
d250fc5343cad6799c7f84d7c8e5081ff789b83c5699483186e6251b86de45f540f325952b3ea8a0b3ae1e4584b8c2fa7b4878da995e38681ee2a9878b43fcd0

Download Submit
memory/2848-115-0x0000000000000000-mapping.dmp

Download
memory/3604-118-0x0000000000000000-mapping.dmp

Download