Analysis
- max time kernel: 137s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 17:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
- Resource: win7-20240419-en
General
- Target: SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
- Size: 242KB
- MD5: a3f767e76c8c6baa9a154d576c7ba49d
- SHA1: c9a2479bd372fd3ae569b67fc132eac6d5ad9ef0
- SHA256: eb9a9a49e21219cdc673eb0b3266c2f4c2a759df7c17f4c19ede70e1d5b01dc5
- SHA512: 6e567b6dab41a56eb777a06644e1f6ba0d80131ebcd03443e3b526ef5f7dfaaa3f41ee175a26e976d1b6deef4967d677ec71f87cc63a26559e39e1a6c46042ab
- SSDEEP: 6144:94OlpLX5KTcVgpod/a3gctM7lresEobLr49+I:igX5Pg2dC3ft+wsEobLr49j
Malware Config
Extracted
- Family: xenorat
- dns.dobiamfollollc.online
- Solid_rat_nd8889g
- delay: 61000
- install_path: appdata
- port: 1283
- startup_name: bns
Signatures

- Executes dropped EXE (4 IoCs)
  pid   Process
  2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  2828  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  2684  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  2524  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe

- Loads dropped DLL (4 IoCs)
  pid   Process
  2108  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe

- Suspicious use of SetThreadContext (6 IoCs)
  description                              pid   Process                                          procid_target
  PID 2436 set thread context of 2416      2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   28
  PID 2436 set thread context of 2108      2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   29
  PID 2436 set thread context of 2340      2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   30
  PID 2768 set thread context of 2828      2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   32
  PID 2768 set thread context of 2684      2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   33
  PID 2768 set thread context of 2524      2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   34

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2212  schtasks.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  Token: SeDebugPrivilege   2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe

- Suspicious use of WriteProcessMemory (62 IoCs; identical rows collapsed, count = number of occurrences)
  count  description                         pid   Process                                          procid_target
  9      PID 2436 wrote to memory of 2416    2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   28
  9      PID 2436 wrote to memory of 2108    2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   29
  9      PID 2436 wrote to memory of 2340    2436  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   30
  4      PID 2108 wrote to memory of 2768    2108  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   31
  9      PID 2768 wrote to memory of 2828    2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   32
  9      PID 2768 wrote to memory of 2684    2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   33
  9      PID 2768 wrote to memory of 2524    2768  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   34
  4      PID 2340 wrote to memory of 2212    2340  SecuriteInfo.com.Win32.CoinminerXgen.22200.exe   37
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe"
  PID: 2436
  signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
    command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
    PID: 2416
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
    command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
    PID: 2108
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
      command line: "C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe"
      PID: 2768
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
        command line: C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
        PID: 2828
        signatures: Executes dropped EXE
      - (depth 4) C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
        command line: C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
        PID: 2684
        signatures: Executes dropped EXE
      - (depth 4) C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
        command line: C:\Users\Admin\AppData\Roaming\XenoManager\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
        PID: 2524
        signatures: Executes dropped EXE
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
    command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerXgen.22200.exe
    PID: 2340
    signatures: Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FA.tmp" /F
      PID: 2212
      signatures: Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: dacf012c41e533acb4ebd13b5e73812f
  SHA1: b2e0c6b34d27f5e018b1fac586f7b2bf642f652e
  SHA256: 385d5dd36a27e3d8b1fbf7cb42039eb6d574d53123b2ee985c9985c9e201e2f7
  SHA512: 8adf6e33c2f24f00703102203667613d4bc0cc1a16b8c4ba54a131fd7b30ee3cae38b95fea41784b007c5b75eb6e28335c334fce9bb02a83640e963b30494015
- Filesize: 242KB
  MD5: a3f767e76c8c6baa9a154d576c7ba49d
  SHA1: c9a2479bd372fd3ae569b67fc132eac6d5ad9ef0
  SHA256: eb9a9a49e21219cdc673eb0b3266c2f4c2a759df7c17f4c19ede70e1d5b01dc5
  SHA512: 6e567b6dab41a56eb777a06644e1f6ba0d80131ebcd03443e3b526ef5f7dfaaa3f41ee175a26e976d1b6deef4967d677ec71f87cc63a26559e39e1a6c46042ab