xmrig | f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb

Analysis

max time kernel
14s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d0810f_by_Libranalysis.exe
Size

118KB
MD5

d2d0810fa6f942c316339a48c865d41b
SHA1

d5adefd42699b367307639e1a298f07a56513e6c
SHA256

f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb
SHA512

b679711faf592c9aac2c10dd438974e2a52300c38ff4e647ce26de62e9c0f7c8fb70c6ebfab4dd11fe776dfd86159a41c61bb895d9877f1eed6168eed509c613

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\shervans.dll	acprotect
C:\Windows\SysWOW64\shervans.dll	acprotect
\Windows\SysWOW64\shervans.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

ctfmen.exesmnss.exe

pid process

3780 ctfmen.exe
3820 smnss.exe
Loads dropped DLL 2 IoCs

Processes:

d2d0810f_by_Libranalysis.exesmnss.exe

pid process

1016 d2d0810f_by_Libranalysis.exe
3820 smnss.exe

pid	process
3780	ctfmen.exe
3820	smnss.exe

pid	process
1016	d2d0810f_by_Libranalysis.exe
3820	smnss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d2d0810f_by_Libranalysis.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	d2d0810f_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmen = "C:\\Windows\\system32\\ctfmen.exe"	smnss.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d2d0810f_by_Libranalysis.exesmnss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	d2d0810f_by_Libranalysis.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1	d2d0810f_by_Libranalysis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	smnss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\1	smnss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d2d0810f_by_Libranalysis.exe

Drops file in System32 directory 12 IoCs

Processes:

d2d0810f_by_Libranalysis.exesmnss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shervans.dll	d2d0810f_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\zipfi.dll	smnss.exe
File created	C:\Windows\SysWOW64\zipfiaq.dll	smnss.exe
File created	C:\Windows\SysWOW64\smnss.exe	smnss.exe
File created	C:\Windows\SysWOW64\ctfmen.exe	d2d0810f_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\ctfmen.exe	d2d0810f_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\shervans.dll	d2d0810f_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\grcopy.dll	d2d0810f_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\grcopy.dll	d2d0810f_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\smnss.exe	d2d0810f_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\satornas.dll	d2d0810f_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\satornas.dll	d2d0810f_by_Libranalysis.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2156 3820 WerFault.exe smnss.exe

pid	pid_target	process	target process
2156	3820	WerFault.exe	smnss.exe

Modifies registry class 6 IoCs

Processes:

d2d0810f_by_Libranalysis.exesmnss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	d2d0810f_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32\ = "C:\\Windows\\SysWow64\\shervans.dll"	smnss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32	d2d0810f_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d2d0810f_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d2d0810f_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	d2d0810f_by_Libranalysis.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe
2156	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

smnss.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3820	smnss.exe
Token: SeRestorePrivilege	2156	WerFault.exe
Token: SeBackupPrivilege	2156	WerFault.exe
Token: SeDebugPrivilege	2156	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d2d0810f_by_Libranalysis.exectfmen.exe

description	pid	process	target process
PID 1016 wrote to memory of 3780	1016	d2d0810f_by_Libranalysis.exe	ctfmen.exe
PID 1016 wrote to memory of 3780	1016	d2d0810f_by_Libranalysis.exe	ctfmen.exe
PID 1016 wrote to memory of 3780	1016	d2d0810f_by_Libranalysis.exe	ctfmen.exe
PID 3780 wrote to memory of 3820	3780	ctfmen.exe	smnss.exe
PID 3780 wrote to memory of 3820	3780	ctfmen.exe	smnss.exe
PID 3780 wrote to memory of 3820	3780	ctfmen.exe	smnss.exe

C:\Users\Admin\AppData\Local\Temp\d2d0810f_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\d2d0810f_by_Libranalysis.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\ctfmen.exe
ctfmen.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\smnss.exe
C:\Windows\system32\smnss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1144
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ctfmen.exe
MD5
b908598e3e29d84ea7c4296c57121a24

SHA1
909b073c8aab40d7f9e37ea06a663f5f96396a86

SHA256
35d1eb4d188643fa4da0d400254eca28c17cb95cbed619071365f0f1eaba135a

SHA512
513d0a38cb161b77b4e956ec68429239ca547c83ac6e5f97e9f3da18f6ff1e8768977db537c9a4f2b0ca26f02043a5dd71b922413ba95dbcf20f3205f02d460d

Download Submit
C:\Windows\SysWOW64\ctfmen.exe
MD5
b908598e3e29d84ea7c4296c57121a24

SHA1
909b073c8aab40d7f9e37ea06a663f5f96396a86

SHA256
35d1eb4d188643fa4da0d400254eca28c17cb95cbed619071365f0f1eaba135a

SHA512
513d0a38cb161b77b4e956ec68429239ca547c83ac6e5f97e9f3da18f6ff1e8768977db537c9a4f2b0ca26f02043a5dd71b922413ba95dbcf20f3205f02d460d

Download Submit
C:\Windows\SysWOW64\grcopy.dll
MD5
923154de6b790052e6f80127e816acb1

SHA1
b9ad78a36acd4c64fcb47bcc414520af8f3bc3d1

SHA256
c8ae44e2a12a069072c53ca5f668d842dc9740f62c552d8fa1c359a30c1beb71

SHA512
a0409470a3b630d8b621bded0055c2548eb078bc423b1f6bba5f086489038cd4e2f1cf59950f732a868944db6d4b6b1f491a55d8ed64d2def444e44d286b5be8

Download Submit
C:\Windows\SysWOW64\satornas.dll
MD5
5077d10dce9a23323257f4e51120e305

SHA1
341ad26b98703ffb30133683fb08859fe0efcc4f

SHA256
80d036b3ad77fc1a44006060bf4644bed42c86ea608f33b76ea4255b6e9361bc

SHA512
7d7eeb6f28204ebac8c67a4f8b54fd1aeb3b5b2c1f93a313fc208dd6a9f8568621768e57dfb67acee319d085604afacbc5adcc988b06234f18e3b85e36538343

Download Submit
C:\Windows\SysWOW64\shervans.dll
MD5
1f225772fabbdce9a8b02aba1ef6384a

SHA1
5fba361792bc7a73476ef322db48fdfaa2f1ab21

SHA256
29d4bab388879d396ad22e4396e88e3eb681bed074f1393f9d82548c62d4ecc6

SHA512
9eb9ffb9a4ce8c90ae35049d6e48dda82e5056962efe0e5756893a5ce61058b3d4d2c033905862a2abee09dec3aa8c7024285e8997ab606d3a43d5461110d9e6

Download Submit
C:\Windows\SysWOW64\smnss.exe
MD5
923154de6b790052e6f80127e816acb1

SHA1
b9ad78a36acd4c64fcb47bcc414520af8f3bc3d1

SHA256
c8ae44e2a12a069072c53ca5f668d842dc9740f62c552d8fa1c359a30c1beb71

SHA512
a0409470a3b630d8b621bded0055c2548eb078bc423b1f6bba5f086489038cd4e2f1cf59950f732a868944db6d4b6b1f491a55d8ed64d2def444e44d286b5be8

Download Submit
C:\Windows\SysWOW64\smnss.exe
MD5
923154de6b790052e6f80127e816acb1

SHA1
b9ad78a36acd4c64fcb47bcc414520af8f3bc3d1

SHA256
c8ae44e2a12a069072c53ca5f668d842dc9740f62c552d8fa1c359a30c1beb71

SHA512
a0409470a3b630d8b621bded0055c2548eb078bc423b1f6bba5f086489038cd4e2f1cf59950f732a868944db6d4b6b1f491a55d8ed64d2def444e44d286b5be8

Download Submit
\Windows\SysWOW64\shervans.dll
MD5
1f225772fabbdce9a8b02aba1ef6384a

SHA1
5fba361792bc7a73476ef322db48fdfaa2f1ab21

SHA256
29d4bab388879d396ad22e4396e88e3eb681bed074f1393f9d82548c62d4ecc6

SHA512
9eb9ffb9a4ce8c90ae35049d6e48dda82e5056962efe0e5756893a5ce61058b3d4d2c033905862a2abee09dec3aa8c7024285e8997ab606d3a43d5461110d9e6

Download Submit
\Windows\SysWOW64\shervans.dll
MD5
1f225772fabbdce9a8b02aba1ef6384a

SHA1
5fba361792bc7a73476ef322db48fdfaa2f1ab21

SHA256
29d4bab388879d396ad22e4396e88e3eb681bed074f1393f9d82548c62d4ecc6

SHA512
9eb9ffb9a4ce8c90ae35049d6e48dda82e5056962efe0e5756893a5ce61058b3d4d2c033905862a2abee09dec3aa8c7024285e8997ab606d3a43d5461110d9e6

Download Submit
memory/3780-115-0x0000000000000000-mapping.dmp

Download
memory/3820-118-0x0000000000000000-mapping.dmp

Download