Analysis
- max time kernel: 122s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 01-12-2021 16:27
Static task: static1
Behavioral task: behavioral1
- Sample: 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
- Resource: win10-en-20211014
General
- Target: 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
- Size: 17.8MB
- MD5: d9ac013439b130beb75112a9a283e8ad
- SHA1: d9af31324653804281830aeb9f3214e0cc1a6c4f
- SHA256: 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1
- SHA512: 967ffe9896730239e8e39f8856e25787aeb15d69aba04e4d8842795f5ed20b821f948e53afdcb87f9a4791aaaefabc4b4a28cc0c8ab572016843e4af04990a91
Malware Config
Signatures
- XMRig Miner Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1444-126-0x00000001402A7C88-mapping.dmp | xmrig
  behavioral1/memory/1444-125-0x0000000140000000-0x0000000140703000-memory.dmp | xmrig
  behavioral1/memory/1444-129-0x0000000140000000-0x0000000140703000-memory.dmp | xmrig
- Executes dropped EXE (1 IoC)
  pid | process
  3020 | svchost.exe
- Cryptocurrency Miner
  Makes network request to known mining pool URL.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3020 set thread context of 1444 | 3020 | svchost.exe | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: that sentence is the sandbox's generic description for this signature. Nothing else in this report (no file encryption, no ransom note, no shadow-copy deletion) supports ransomware, and the process tree shows an XMRig miner, so weight this signature low for this sample.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | process
  2096 | 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2096 | 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
  Token: SeDebugPrivilege | 3020 | svchost.exe
  Token: SeLockMemoryPrivilege | 1444 | svchost.exe
  Token: SeLockMemoryPrivilege | 1444 | svchost.exe
  SeDebugPrivilege in the dropper (2096) and its copy (3020) goes with the cross-process writes listed below. SeLockMemoryPrivilege in PID 1444 is the privilege XMRig enables to allocate large pages for RandomX; a process named svchost.exe asking for it is a useful extra tell on a live host.
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process
  PID 2096 wrote to memory of 3020 | 2096 | 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe | svchost.exe (2 entries)
  PID 3020 wrote to memory of 1444 | 3020 | svchost.exe | svchost.exe (15 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe (PID 2096, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3020, depth 2)
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\svchost.exe (PID 1444, depth 3)
      C:\Windows\System32\svchost.exe -B --coin=monero --url=xmr.pool.minergate.com:45700 --user=asenevaolga@gmail.com --pass= --cpu-max-threads-hint=50 --donate-level=4
      - Suspicious use of AdjustPrivilegeToken

Chain, read together with the signatures above: the sample copies itself to %APPDATA%\svchost.exe (same hashes as the submitted file), registers that copy under HKCU\...\CurrentVersion\Run, and starts it (PID 3020). The copy launches the genuine C:\Windows\System32\svchost.exe (PID 1444), writes into it 15 times and calls SetThreadContext on it, which is the process-hollowing sequence; the 7.0MB region at 0x0000000140000000 in PID 1444 that the xmrig YARA rule matched is the injected miner image, and the pool, login and thread limit are visible in that child's command line.
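The chain above can be turned into a handful of host-independent rules (Run key into a user profile, svchost.exe outside System32, System32\svchost.exe whose parent is not services.exe, miner switches in a command line, write-then-SetThreadContext into a child, dropped file with the writer's own hash). What follows is an added example written for this page, not code from the sandbox or from XMRig: the event list is constructed by hand from the report's PIDs, paths, Run key and command line in a simplified schema invented for the example (it is not a real Sysmon or EDR format), the dropper's parent PID 1000 is assumed because the report does not show it, and the rule names are my own.

```python
"""Rule-based triage of the process tree and signatures above.

Added example for this report; it is not code from the sandbox or from
XMRig. EVENTS is constructed by hand from what the report shows (PIDs,
paths, Run key, miner command line, 15 WriteProcessMemory calls and one
SetThreadContext) in a simplified schema invented for this example, not a
real Sysmon or EDR format. Rule names are mine.
"""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe")
COPY = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
SAMPLE_SHA256 = "6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1"
MINER_CMD = (r"C:\Windows\System32\svchost.exe -B --coin=monero "
             r"--url=xmr.pool.minergate.com:45700 --user=asenevaolga@gmail.com "
             r"--pass= --cpu-max-threads-hint=50 --donate-level=4")

# Where a real svchost.exe lives; anything else with that name is masquerading.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
# XMRig-style switches, and a pool host:port, in a command line.
MINER_ARGS = re.compile(r"(?:^|\s)(?:-o|--url=|--coin=|--donate-level=|--cpu-max-threads-hint=)", re.I)
POOL_HOST = re.compile(r"[\w.-]*(?:xmr|monero|pool)[\w.-]*:\d{2,5}\b", re.I)

# Constructed events. The dropper's parent PID (1000) is an assumption; the
# report does not show what started it.
EVENTS = [
    {"type": "process_create", "pid": 2096, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"', "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 2096, "path": COPY, "sha256": SAMPLE_SHA256},
    {"type": "registry_set", "pid": 2096,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe",
     "value": COPY},
    {"type": "process_create", "pid": 3020, "ppid": 2096, "image": COPY,
     "cmdline": f'"{COPY}"', "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 1444, "ppid": 3020,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": MINER_CMD},
    {"type": "write_process_memory", "pid": 3020, "target": 1444, "count": 15},
    {"type": "set_thread_context", "pid": 3020, "target": 1444},
]


def triage(events):
    """Return (rule, pid, detail) findings for an event stream."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        t = e["type"]
        if t == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            v = e["value"].lower()
            # Autostart pointing into a user profile, or at a svchost.exe outside System32.
            if "\\appdata\\" in v or (v.endswith("\\svchost.exe") and v not in LEGIT_SVCHOST):
                findings.append(("run_key_persistence", e["pid"], e["value"]))
        elif t == "file_create":
            creator = procs.get(e["pid"])
            # Dropped file hashes the same as the writer's image: a self-copy,
            # which is what the Downloads section of the report shows.
            if creator and creator.get("sha256") == e.get("sha256"):
                findings.append(("self_copy", e["pid"], e["path"]))
        elif t == "process_create":
            img, parent = e["image"].lower(), procs.get(e["ppid"])
            if img.endswith("\\svchost.exe") and img not in LEGIT_SVCHOST:
                findings.append(("svchost_masquerade", e["pid"], e["image"]))
            # Genuine svchost.exe instances are started by services.exe.
            if img in LEGIT_SVCHOST and not (parent and parent["image"].lower().endswith("\\services.exe")):
                findings.append(("svchost_unexpected_parent", e["pid"],
                                 parent["image"] if parent else "<unknown>"))
            if MINER_ARGS.search(e["cmdline"]) or POOL_HOST.search(e["cmdline"]):
                findings.append(("miner_cmdline", e["pid"], e["cmdline"]))
        elif t == "set_thread_context":
            # Write into a child you created, then reset its thread context:
            # the process-hollowing sequence the SetThreadContext signature flags.
            wrote = any(w["type"] == "write_process_memory" and w["pid"] == e["pid"]
                        and w["target"] == e["target"] for w in events)
            if wrote and procs.get(e["target"], {}).get("ppid") == e["pid"]:
                findings.append(("process_hollowing", e["pid"], f"into pid {e['target']}"))
    return findings


def pool_from_cmdline(cmdline):
    """host:port from an XMRig --url=/-o argument, or None if absent."""
    m = re.search(r"(?:--url=|-o\s+)(?:\w+://)?([\w.-]+:\d+)", cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
    print("pool:", pool_from_cmdline(MINER_CMD))
```

Run against the constructed events, every rule fires exactly once on the PID the report attributes it to (2096 for the Run key and self-copy, 3020 for the masquerading copy and the hollowing, 1444 for the bad parent and the miner command line), and a normal services.exe-spawned svchost.exe with `-k netsvcs` produces nothing. The parent check is the one that survives renaming: a miner that hollows a differently named host still fails it only if the host is svchost.exe, so on a real host pair it with the SeLockMemoryPrivilege and command-line checks rather than relying on it alone.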
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\svchost.exe
  MD5: d9ac013439b130beb75112a9a283e8ad
  SHA1: d9af31324653804281830aeb9f3214e0cc1a6c4f
  SHA256: 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1
  SHA512: 967ffe9896730239e8e39f8856e25787aeb15d69aba04e4d8842795f5ed20b821f948e53afdcb87f9a4791aaaefabc4b4a28cc0c8ab572016843e4af04990a91
  All four hashes equal those of the submitted sample: the dropped file is a byte-for-byte copy of the original, written to the path the Run key points at.
Memory dumps
- memory/1444-128-0x000001F58CA20000-0x000001F58CA34000-memory.dmp (80KB)
- memory/1444-131-0x000001F58CAA0000-0x000001F58CAC0000-memory.dmp (128KB)
- memory/1444-130-0x000001F58CA80000-0x000001F58CAA0000-memory.dmp (128KB)
- memory/1444-129-0x0000000140000000-0x0000000140703000-memory.dmp (7.0MB)
- memory/1444-126-0x00000001402A7C88-mapping.dmp
- memory/1444-125-0x0000000140000000-0x0000000140703000-memory.dmp (7.0MB)
- memory/2096-115-0x0000000000620000-0x0000000000621000-memory.dmp (4KB)
- memory/3020-124-0x00000000025F0000-0x00000000025F2000-memory.dmp (8KB)
- memory/3020-127-0x000000001E303000-0x000000001E304000-memory.dmp (4KB)
- memory/3020-123-0x0000000002650000-0x0000000002651000-memory.dmp (4KB)
- memory/3020-122-0x0000000002630000-0x0000000002631000-memory.dmp (4KB)
- memory/3020-117-0x0000000000000000-mapping.dmp
The two 7.0MB dumps of PID 1444 (1444-125 and 1444-129, region 0x0000000140000000-0x0000000140703000) and the 1444-126 mapping are the ones the xmrig YARA rule matched in the Signatures section; that region is the injected miner image inside the hollowed svchost.exe, and is the dump to pull for string and config extraction.