Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 02:46

General

  • Target

    f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb.exe

  • Size

    118KB

  • MD5

    d2d0810fa6f942c316339a48c865d41b

  • SHA1

    d5adefd42699b367307639e1a298f07a56513e6c

  • SHA256

    f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb

  • SHA512

    b679711faf592c9aac2c10dd438974e2a52300c38ff4e647ce26de62e9c0f7c8fb70c6ebfab4dd11fe776dfd86159a41c61bb895d9877f1eed6168eed509c613

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb.exe
    "C:\Users\Admin\AppData\Local\Temp\f81d2b083548afd9b722626a4d2d94ff9f180b9fbb57e66c42036a4317bca1cb.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\SysWOW64\ctfmen.exe
      ctfmen.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\SysWOW64\smnss.exe
        C:\Windows\system32\smnss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3884

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 1

  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

Downloads

  • C:\Windows\SysWOW64\ctfmen.exe
    MD5

    d5bdd7eb8097a8d9465e90db98041934

    SHA1

    daca96d922fbe04adfcb7f7498ef85f44bd8674a

    SHA256

    ca15d800af1464ee4afcc711bcb12c0855d6c647d49757054e38b05b3c2e8350

    SHA512

    eea41739bb2ed986891471b8c6f7e0569bbfbe7707b78a48f641ad75054f6b252f63d4efb0a5f93671a5c3dee2cec9fd86dbbc3083ee1847fd4a3f4e9928b170

  • C:\Windows\SysWOW64\grcopy.dll
    MD5

    cb52a8a409f78feb11bb923245583891

    SHA1

    33beb0ce175ce81206d00c94e3266c8372fba79c

    SHA256

    13cdce27b18f55fca68babee47074fe0504c3b583203503c9b867b105ebf3706

    SHA512

    7f0c996cdd4db3e910a6aa3e792358607ce24493f20c427bce291ecaca79ca76c147176c01613a13b8fd36b922c22f5701a1fc643c44e755d4bb4c496794824c

  • C:\Windows\SysWOW64\satornas.dll
    MD5

    a43ac16daf59d5fc5d47b9aa2289551b

    SHA1

    d902142b366363a95c728898b997ff53de1f8d81

    SHA256

    b871dfaf51ebbf2acf09a080095677c826033f60a086c6e956867d04efe1580b

    SHA512

    ce6cab4465817a11164b99027ca351aaed4ffe063928aa4d71a5b8b27ea141b8c223ea6b633134d05ca9efba4deacd7b7557fd9f3ad30d310a1ef276fa92c80a

  • C:\Windows\SysWOW64\shervans.dll
    MD5

    ada472af90dfa600002d457bd59d9e70

    SHA1

    04bfa1ac291e1f9424e44dfa5b75a07855f5e19a

    SHA256

    84643cf6b1f034958b57d94b4e6723a40a54005885e21f2a754ee6551f7f3ee1

    SHA512

    c83b0975d636ec247ba7cab0047fb159fc503fae65cb5d2c72123da1392a7f466ab718b522f697ceafd038230cb2d7e44715510677b64fd928f41224f1c1f594

  • C:\Windows\SysWOW64\smnss.exe
    MD5

    cb52a8a409f78feb11bb923245583891

    SHA1

    33beb0ce175ce81206d00c94e3266c8372fba79c

    SHA256

    13cdce27b18f55fca68babee47074fe0504c3b583203503c9b867b105ebf3706

    SHA512

    7f0c996cdd4db3e910a6aa3e792358607ce24493f20c427bce291ecaca79ca76c147176c01613a13b8fd36b922c22f5701a1fc643c44e755d4bb4c496794824c

  • \Windows\SysWOW64\shervans.dll
    MD5

    ada472af90dfa600002d457bd59d9e70

    SHA1

    04bfa1ac291e1f9424e44dfa5b75a07855f5e19a

    SHA256

    84643cf6b1f034958b57d94b4e6723a40a54005885e21f2a754ee6551f7f3ee1

    SHA512

    c83b0975d636ec247ba7cab0047fb159fc503fae65cb5d2c72123da1392a7f466ab718b522f697ceafd038230cb2d7e44715510677b64fd928f41224f1c1f594

  • memory/1292-115-0x0000000000000000-mapping.dmp
  • memory/3884-118-0x0000000000000000-mapping.dmp