DYNAMIC ANALYSIS REPORT

#2141404

Classifications: PUA Injector Backdoor Miner

Verdict: MALICIOUS

Threat Names: XMRIG, Mal/Generic-S, Gen:Variant.Ursu.411696, Gen:Variant.Bulz.455783

Verdict Reason: -

Sample Type Windows Exe (x86-64)

File Name svchost.exe

ID #852838

MD5 4197eeb783ac6250fe918d469d0805f0

SHA1 3100575f768290af586d855f2ecf952b5aaae7b3

SHA256 f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb

File Size 42.00 KB

Report Created 2021-08-15 02:56 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 34


OVERVIEW
VMRay Threat Identifiers (23 rules, 44 matches)

Score Category Operation Count Classification

4/5 Antivirus Malicious content was detected by heuristic scan 2 -

• Built-in AV detected the sample itself as "Gen:Variant.Ursu.411696".

• Built-in AV detected the dropped file C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe as "Gen:Variant.Bulz.455783".

4/5 Reputation Known malicious file 1 -

• Reputation analysis labels the sample itself as "Mal/Generic-S".

4/5 Injection Writes into the memory of another process 1 Injector

• (Process #4) svchost.exe modifies memory of (process #13) nslookup.exe.

4/5 Injection Modifies control flow of another process 1 -

• (Process #4) svchost.exe alters context of (process #13) nslookup.exe.

3/5 YARA Suspicious content matched by YARA rules 1 PUA, Miner

• Rule "XMRIG_Miner" from ruleset "PUAs" has matched on a memory dump for (process #13) nslookup.exe.

2/5 Discovery Enumerates running processes 3 -

• (Process #4) svchost.exe enumerates running processes via WMI.

• (Process #9) sihost64.exe enumerates running processes via WMI.

• (Process #13) nslookup.exe enumerates running processes.

2/5 Discovery Executes WMI query 2 -

• (Process #4) svchost.exe executes WMI query: Select CommandLine from Win32_Process where Name='nslookup.exe'.

• (Process #9) sihost64.exe executes WMI query: Select CommandLine from Win32_Process where Name='nslookup.exe'.

2/5 Discovery Reads network adapter information 2 -

• (Process #4) svchost.exe reads the network adapters' addresses by API.

• (Process #13) nslookup.exe reads the network adapters' addresses by API.

2/5 Persistence Installs kernel driver 1 -

• (Process #13) nslookup.exe installs kernel driver.

2/5 Network Connection Sets up server that accepts incoming connections 1 Backdoor

• (Process #13) nslookup.exe starts a TCP server listening on port 49706.

2/5 Reputation Contacts known suspicious URL 1 -

• (Process #4) svchost.exe contacted known malicious URL "https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig".

2/5 Task Scheduling Schedules task 1 -

• Schedules task for command ""C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"", to be triggered by Logon.

2/5 Task Scheduling Schedules task via schtasks 1 -

• Schedules task "svchost" via the schtasks command line utility.

1/5 Hide Tracks Creates process with hidden window 5 -

• (Process #1) svchost.exe starts (process #2) cmd.exe with a hidden window.

• (Process #1) svchost.exe starts (process #4) svchost.exe with a hidden window.

• (Process #4) svchost.exe starts (process #2) cmd.exe with a hidden window.

• (Process #4) svchost.exe starts (process #9) sihost64.exe with a hidden window.

• (Process #4) svchost.exe starts (process #13) nslookup.exe with a hidden window.

1/5 Privilege Escalation Enables process privilege 4 -

• (Process #1) svchost.exe enables process privilege "SeDebugPrivilege".

• (Process #4) svchost.exe enables process privilege "SeDebugPrivilege".

• (Process #13) nslookup.exe enables process privilege "SeLockMemoryPrivilege" (the privilege needed to allocate large pages; XMRig requests it to back its RandomX dataset, and a genuine nslookup.exe has no reason to).

• (Process #15) svchost.exe enables process privilege "SeDebugPrivilege".

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #4) svchost.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Network Connection Performs DNS request 3 -

• (Process #4) svchost.exe resolves host name "sanctam.net" to IP "185.65.135.248".

• (Process #4) svchost.exe resolves host name "bitbucket.org" to IP "104.192.141.1".

• (Process #13) nslookup.exe resolves host name "pool.hashvault.pro" to IP "168.119.38.182".

1/5 Network Connection Connects to remote host 4 -

• (Process #13) nslookup.exe accepts an incoming TCP connection from host "168.119.38.182:80".

• (Process #4) svchost.exe opens an outgoing TCP connection to host "104.192.141.1:443".

• (Process #4) svchost.exe opens an outgoing TCP connection to host "185.65.135.248:58899".

• (Process #13) nslookup.exe opens an outgoing TCP connection to host "168.119.38.182:80".

1/5 Network Connection Tries to connect using an uncommon port 1 -

• (Process #4) svchost.exe tries to connect to TCP port 58899 at 185.65.135.248.

1/5 Obfuscation Resolves API functions dynamically 3 -

• (Process #4) svchost.exe resolves 49 API functions by name.

• (Process #9) sihost64.exe resolves 48 API functions by name.

• (Process #13) nslookup.exe resolves 74 API functions by name.

1/5 Execution Executes itself 2 -

• (Process #1) svchost.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe.

• (Process #15) svchost.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe.

1/5 Execution Drops PE file 2 -

• (Process #4) svchost.exe drops file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe".

• (Process #4) svchost.exe drops file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys".

1/5 Execution Executes dropped PE file 1 -

• Executes dropped file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe".

- Trusted Known clean file 1 -

• File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys" is a known clean file. Read that as a verdict on the driver's reputation, not on its role here: the same file is dropped by (process #4) svchost.exe and installed as a kernel driver by (process #13) nslookup.exe, the process whose memory matches the XMRIG_Miner rule. A reputationally clean, signed driver loaded by a miner is still part of the incident (XMRig ships a small signed helper driver for MSR tweaks; whether WR64.sys is that driver is not established by this report).

Mitre ATT&CK Matrix

Tactics with matched techniques (the report's remaining tactic columns, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration and Impact, are empty):

Execution: #T1047 Windows Management Instrumentation; #T1053 Scheduled Task
Persistence: #T1053 Scheduled Task
Privilege Escalation: #T1053 Scheduled Task
Defense Evasion: #T1143 Hidden Window; #T1045 Software Packing; #T1014 Rootkit
Discovery: #T1082 System Information Discovery; #T1016 System Network Configuration Discovery; #T1057 Process Discovery
Command and Control: #T1065 Uncommonly Used Port

Sample Information

ID #852838

MD5 4197eeb783ac6250fe918d469d0805f0

SHA1 3100575f768290af586d855f2ecf952b5aaae7b3

SHA256 f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb

SSDeep 768:g2khNnCxRoB30kHmiCvkSrFJV+0JqK6ecvMIcfat30Qi9EW3tyC+eJK:IfCxRoB3H33Sh+0MEc0xAkVftTJK

File Name svchost.exe

File Size 42.00 KB

Sample Type Windows Exe (x86-64)

Has Macros

Analysis Information

Creation Time 2021-08-15 02:56 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 17

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 2

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 34

Screenshots truncated

NETWORK
General

25.22 KB total sent

3332.71 KB total received

3 ports 80, 58899, 443

4 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

3 DNS requests for 3 domains

1 nameservers contacted

0 total requests returned errors

HTTP/S

1 URLs contacted, 3 servers

3 sessions, 25.22 KB sent, 3332.71 KB received

HTTP Requests

Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
GET | https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig | - | - | - | 0 bytes | NA

The request went over TLS, so the 0-byte response size is what the monitor could attribute to it, not proof that nothing came back; the session totals above show 3332.71 KB received.

DNS Requests

Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | sanctam.net | NoError | 185.65.135.248 | - | NA
A | bitbucket.org | NoError | 104.192.141.1 | - | NA
A | pool.hashvault.pro | NoError | 168.119.38.182, 49.12.130.173 | - | NA

pool.hashvault.pro is the mining pool: (process #13) nslookup.exe connected to 168.119.38.182 over TLS (matching the --tls switch on its command line), while the dropper (process #4) talked to sanctam.net on the uncommon port 58899.

BEHAVIOR
Process Graph

Edges as drawn in the report (numbers are the report's process IDs; parent PIDs in the per-process sections agree with this tree):

#1 svchost.exe (Sample Start; the Desktop copy)
|- Child Process -> #2 cmd.exe
|  `- Child Process -> #5 schtasks.exe
|     `- Created Scheduled Job -> #6 svchost.exe (C:\Windows\system32\svchost.exe -k netsvcs)
|- Child Process -> #4 svchost.exe (the AppData\Local\Temp copy)
|  |- Child Process -> #7 cmd.exe
|  |  `- Child Process -> #10 schtasks.exe
|  |- Child Process -> #9 sihost64.exe
|  `- Child Process + Modify Memory + Modify Control Flow -> #13 nslookup.exe
`- Reboot -> #15 svchost.exe (C:\Windows\system32\svchost.exe -k netsvcs; start reason Created Scheduled Job)
   |- Child Process -> #16 taskhostw.exe
   |- Child Process -> #18 sihost.exe
   |- Child Process -> #19 taskhostw.exe
   |- Child Process -> #20 taskhostw.exe
   |- Child Process -> #24 taskhostw.exe
   |- Child Process -> #25 svchost.exe (the Temp copy again, started under the service host after the reboot, consistent with the onlogon task firing)
   `- Child Process -> #31 locationnotificationwindows.exe

Both the Desktop copy (#1, via #2/#5) and the Temp copy (#4, via #7/#10) register the same "svchost" logon task; #6 and #15 are the netsvcs service hosts that Task Scheduler runs in, attached to the analysis because the job was created, not because they are malicious.

Process #1: svchost.exe

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\svchost.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 41721, Reason: Analysis Target

Unmonitor End Time End Time: 84062, Reason: Terminated

Monitor duration 42.34s

Return Code 0

PID 6992

Parent PID 1652

Bitness 64 Bit

Dropped Files (1)

File Name | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe | 42.00 KB | f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb | -

The hash is the sample's own: process #1 copies itself from the Desktop to AppData\Local\Temp, launches that copy as process #4 and points the "svchost" logon task at it.

Host Behavior

Type Count

File 5

Process 2

User 1

System 2

Process #2: cmd.exe

ID 2

File Name c:\windows\system32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"' &
Command Line
exit

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 77452, Reason: Child Process

Unmonitor End Time End Time: 86587, Reason: Terminated

Monitor duration 9.13s

Return Code 0

PID 7680

Parent PID 6992

Bitness 64 Bit

Host Behavior

Type Count

Module 1

Environment 8

Process 1

Process #4: svchost.exe

ID 4

File Name c:\users\rdhj0cnfevzx\appdata\local\temp\svchost.exe

Command Line "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\

Monitor Start Time Start Time: 82707, Reason: Child Process

Unmonitor End Time End Time: 113496, Reason: Terminated

Monitor duration 30.79s

Return Code 0

PID 7888

Parent PID 6992

Bitness 64 Bit

Dropped Files (3)

File Name | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe | 7.50 KB | 137adb47aba435999b6c31b404c00b5dc153a2e5d700ec0152c72b3189121332 | -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys | 14.20 KB | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | -
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.log | 2020.77 KB | 2294b4b34c025aa294685f8b37732bc97466a6d15054f4b3b2b4fcc74af36d64 | -

Host Behavior

Type Count

File 36

Process 3

User 1

System 9

- 11

Registry 24

Module 57

COM 3

- 1

Environment 8

- 14

- 3

Network Behavior

Type Count

HTTPS 1

DNS 2

TCP 2

Process #5: schtasks.exe

ID 5

File Name c:\windows\system32\schtasks.exe

Command Line schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"'

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 83511, Reason: Child Process

Unmonitor End Time End Time: 86528, Reason: Terminated

Monitor duration 3.02s

Return Code 0

PID 7828

Parent PID 7680

Bitness 64 Bit

Host Behavior

Type Count

Module 3

System 3

COM 1

File 6

Process #6: svchost.exe

ID 6

File Name c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k netsvcs

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 84679, Reason: Created Scheduled Job

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 197.90s

Return Code Unknown

PID 996

Parent PID 520

Bitness 64 Bit

Process #7: cmd.exe

ID 7

File Name c:\windows\system32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"' &
Command Line
exit

Initial Working Directory C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\

Monitor Start Time Start Time: 99736, Reason: Child Process

Unmonitor End Time End Time: 105168, Reason: Terminated

Monitor duration 5.43s

Return Code 0

PID 6568

Parent PID 7888

Bitness 64 Bit

Host Behavior

Type Count

Module 1

Environment 8

Process 1

Process #9: sihost64.exe

ID 9

File Name c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\libs\sihost64.exe

Command Line "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\

Monitor Start Time Start Time: 100211, Reason: Child Process

Unmonitor End Time End Time: 127812, Reason: Terminated

Monitor duration 27.60s

Return Code 1073807364

PID 6600

Parent PID 7888

Bitness 64 Bit

Host Behavior

Type Count

File 8

- 1

Module 50

COM 6

- 2

Process #10: schtasks.exe

ID 10

File Name c:\windows\system32\schtasks.exe

Command Line schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"'

Initial Working Directory C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\

Monitor Start Time Start Time: 102451, Reason: Child Process

Unmonitor End Time End Time: 104770, Reason: Terminated

Monitor duration 2.32s

Return Code 0

PID 6628

Parent PID 6568

Bitness 64 Bit

Host Behavior

Type Count

Module 3

System 3

COM 1

File 6

Process #13: nslookup.exe

ID 13

File Name c:\windows\system32\nslookup.exe

Command Line C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-... ...FdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth (the middle of the command line is truncated in the report)

The genuine nslookup.exe takes none of these switches. --algo="rx/0" (RandomX, the Monero algorithm), --randomx-mode, --cpu-memory-pool, --asm and --tls are XMRig options, which agrees with the XMRIG_Miner YARA matches on this process's memory and with its lookup of pool.hashvault.pro. The --cinit-* switches are not part of stock XMRig; they belong to a wrapper or fork, which fits the Sanctam/sanctam Bitbucket repository the dropper fetches. Going by the names, --cinit-idle-wait=5 and --cinit-idle-cpu=80 look like throttling tied to user idleness and --cinit-stealth like a hide-when-observed mode; that is an inference from the option names, not something the report verifies.

Initial Working Directory C:\Windows\System32\

Monitor Start Time Start Time: 108167, Reason: Child Process

Unmonitor End Time End Time: 130112, Reason: Terminated

Monitor duration 21.95s

Return Code 1073807364

PID 6748

Parent PID 7888

Bitness 64 Bit

Injection Information (14)

Every entry has the same source: process #4 (c:\users\rdhj0cnfevzx\appdata\local\temp\svchost.exe), source TID 0x1ec8, Success Count 1; the target is this process (#13 nslookup.exe).

Injection Type | Target Address (decimal) | Size
Modify Memory | 0x140000000 (5368709120) | 0x400
Modify Memory | 0x140001000 (5368713216) | 0x349200
Modify Memory | 0x14034b000 (5372162048) | 0x12e800
Modify Memory | 0x14047a000 (5373403136) | 0x11600
Modify Memory | 0x140730000 (5376245760) | 0x21400
Modify Memory | 0x140752000 (5376385024) | 0xe00
Modify Memory | 0x140753000 (5376389120) | 0xa00
Modify Memory | 0x140754000 (5376393216) | 0x2000
Modify Memory | 0x140756000 (5376401408) | 0x1200
Modify Memory | 0x140758000 (5376409600) | 0x200
Modify Memory | 0x140759000 (5376413696) | 0x600
Modify Memory | 0x14075a000 (5376417792) | 0x8a00
Modify Memory | 0x2ec010 (3063824) | 0x8
Modify Control Flow | target TID 0x1a60, address 0x7ffc2f6dc230 (140721104208432) | -

Read in order, these rows have the shape of process hollowing: 0x400 bytes at 0x140000000 (the default image base of a 64-bit PE, i.e. the headers), eleven page-aligned regions above it that span roughly 7.4 MB (the sections), one pointer-sized write at 0x2ec010 (offset 0x10 into a low page, where the x64 PEB keeps ImageBaseAddress), and finally a thread-context change so the target starts executing the new image. That is an interpretation of the numbers, not a VMRay label; what the report does establish is that the nslookup.exe memory dump matches the XMRIG_Miner rule, so the mapped-in image is the miner.
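The following Python turns that reading of the table into a repeatable check. It is an added example, not code from the VMRay report or from the sample's authors: WRITES transcribes the (address, size) pairs above, the constant CONTEXT_CHANGED stands for the "Modify Control Flow" row, and the names analyse, HollowingIndicator, the 4 KB page size and the PEB ImageBaseAddress offset of 0x10 are this example's own assumptions.

```python
"""Process-hollowing indicator from a VMRay-style injection table.

Added example; not part of the VMRay report. WRITES transcribes the
"Modify Memory" rows recorded for process #13 (nslookup.exe) with process #4
as the source, and CONTEXT_CHANGED stands for the "Modify Control Flow" row.
Reading the numbers as PE headers, sections, a PEB patch and a thread-context
change is the editor's interpretation, not a VMRay label. Assumed constants:
4 KB pages and ImageBaseAddress at offset 0x10 of the x64 PEB.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE = 0x1000
PEB_IMAGE_BASE_OFFSET = 0x10  # x64 PEB.ImageBaseAddress (assumed layout)

# (target address, size) pairs copied from the report's injection table.
WRITES: List[Tuple[int, int]] = [
    (0x140000000, 0x400),     # one small write at the x64 default image base: headers
    (0x140001000, 0x349200),  # page-aligned regions above it: sections
    (0x14034b000, 0x12e800),
    (0x14047a000, 0x11600),
    (0x140730000, 0x21400),
    (0x140752000, 0xe00),
    (0x140753000, 0xa00),
    (0x140754000, 0x2000),
    (0x140756000, 0x1200),
    (0x140758000, 0x200),
    (0x140759000, 0x600),
    (0x14075a000, 0x8a00),
    (0x2ec010, 0x8),          # pointer-sized write at PEB+0x10
]
CONTEXT_CHANGED = True        # "Modify Control Flow" on target TID 0x1a60


@dataclass
class HollowingIndicator:
    image_base: Optional[int]   # address the headers were written to, if found
    sections: int               # page-aligned writes above the headers
    image_span: int             # bytes from image_base to the end of the last write
    peb_patched: bool           # 8-byte write at PEB+0x10
    context_changed: bool       # thread context rewritten after the writes

    @property
    def consistent_with_hollowing(self) -> bool:
        # Headers + at least one section + a redirected thread is the minimum a
        # RunPE-style injector needs; the PEB patch is corroborating evidence.
        return self.image_base is not None and self.sections >= 1 and self.context_changed


def analyse(writes: List[Tuple[int, int]], context_changed: bool) -> HollowingIndicator:
    """Classify a list of cross-process writes plus a context-change flag."""
    # Header candidate: a page-aligned write of at most one page; take the lowest.
    candidates = [(a, s) for a, s in writes if a % PAGE == 0 and s <= PAGE]
    if not candidates:
        return HollowingIndicator(None, 0, 0, False, context_changed)
    base, header_size = min(candidates)
    # Sections: page-aligned writes above the header page.
    sections = [(a, s) for a, s in writes if a > base and a % PAGE == 0]
    top = max((a + s for a, s in sections), default=base + header_size)
    # A pointer-sized write at PEB+0x10 is the loader being told the new image base.
    peb_patched = any(s == 8 and a % PAGE == PEB_IMAGE_BASE_OFFSET for a, s in writes)
    return HollowingIndicator(base, len(sections), top - base, peb_patched, context_changed)


if __name__ == "__main__":
    ind = analyse(WRITES, CONTEXT_CHANGED)
    print(f"image base 0x{ind.image_base:x}, {ind.sections} section writes, "
          f"image span 0x{ind.image_span:x} ({ind.image_span / 1024 / 1024:.1f} MiB)")
    print(f"PEB ImageBaseAddress patched: {ind.peb_patched}; "
          f"thread context changed: {ind.context_changed}")
    print("consistent with process hollowing:", ind.consistent_with_hollowing)
```

The same function applied to a sandbox that only reports a handful of small writes and no context change returns a negative, which is the point: the signal is the combination (header-sized write at an image base, section-sized writes above it, a thread redirected afterwards), not any single WriteProcessMemory call.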

Host Behavior

Type Count

Module 121

File 7

System 69

Environment 1

User 12

- 3

Process 110

- 3

Network Behavior

Type Count

DNS 1

TCP 1

Process #15: svchost.exe

ID 15

File Name c:\windows\system32\svchost.exe

Command Line C:\Windows\system32\svchost.exe -k netsvcs

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 158868, Reason: Created Scheduled Job

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 123.71s

Return Code Unknown

PID 1012

Parent PID 524

Bitness 64 Bit

Host Behavior

Type Count

- 4

COM 2

Process #16: taskhostw.exe

ID 16

File Name c:\windows\system32\taskhostw.exe

Command Line taskhostw.exe TpmTasks

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 176311, Reason: Child Process

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 106.27s

Return Code Unknown

PID 1308

Parent PID 1012

Bitness 64 Bit

Dropped Files (1)

File Name | File Size | SHA256 | YARA Match
- | 0 bytes | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | -

That digest is SHA-256 of zero bytes: an empty file with no recorded name, written by the system's taskhostw.exe, not an indicator.

Host Behavior

Type Count

Registry 7

System 16

Module 4

Process #18: sihost.exe

ID 18

File Name c:\windows\system32\sihost.exe

Command Line sihost.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 180168, Reason: Child Process

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 102.41s

Return Code Unknown

PID 1448

Parent PID 1012

Bitness 64 Bit

Process #19: taskhostw.exe

ID 19

File Name c:\windows\system32\taskhostw.exe

Command Line taskhostw.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 184834, Reason: Child Process

Unmonitor End Time End Time: 271004, Reason: Terminated

Monitor duration 86.17s

Return Code 0

PID 1556

Parent PID 1012

Bitness 64 Bit

Host Behavior

Type Count

Registry 4

System 11

Process #20: taskhostw.exe

ID 20

File Name c:\windows\system32\taskhostw.exe

Command Line taskhostw.exe network

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 184949, Reason: Child Process

Unmonitor End Time End Time: 270258, Reason: Terminated

Monitor duration 85.31s

Return Code 0

PID 1580

Parent PID 1012

Bitness 64 Bit

Process #24: taskhostw.exe

ID 24

File Name c:\windows\system32\taskhostw.exe

Command Line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 222942, Reason: Child Process

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 59.64s

Return Code Unknown

PID 2144

Parent PID 1012

Bitness 64 Bit

Process #25: svchost.exe

ID 25

File Name c:\users\rdhj0cnfevzx\appdata\local\temp\svchost.exe

Command Line C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 224027, Reason: Child Process

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 58.55s

Return Code Unknown

PID 2184

Parent PID 1012

Bitness 64 Bit

Process #31: locationnotificationwindows.exe

ID 31

File Name c:\windows\system32\locationnotificationwindows.exe

Command Line C:\Windows\System32\LocationNotificationWindows.exe

Initial Working Directory C:\Windows\system32\

Monitor Start Time Start Time: 238597, Reason: Child Process

Unmonitor End Time End Time: 282578, Reason: Terminated by Timeout

Monitor duration 43.98s

Return Code Unknown

PID 2432

Parent PID 1012

Bitness 64 Bit

ARTIFACTS
File

SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
f43b25a5501033f574f0467cdf7534f50cdbec94c3d8a173a80ee9f54fce55eb | C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe, C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe | Sample File | 42.00 KB | application/vnd.microsoft.portable-executable | Read, Access, Write, Create | MALICIOUS
137adb47aba435999b6c31b404c00b5dc153a2e5d700ec0152c72b3189121332 | C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe | Dropped File | 7.50 KB | application/vnd.microsoft.portable-executable | Access, Write, Create | MALICIOUS
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys | Dropped File | 14.20 KB | application/vnd.microsoft.portable-executable | Access, Write, Create | CLEAN
2294b4b34c025aa294685f8b37732bc97466a6d15054f4b3b2b4fcc74af36d64 | C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.log | Dropped File | 2020.77 KB | application/octet-stream | Access, Create, Delete, Write | CLEAN

Filename

File Name | Category | Operations | Verdict
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe | Sample File | Read, Access, Write, Create | SUSPICIOUS
C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe.config | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.log | Dropped File | Access, Create, Delete, Write | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64-2.log | Accessed File | Access, Delete | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe | Sample File | Access | CLEAN
C:\Windows\system32\schtasks.exe | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe.config | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\ | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs | Accessed File | Access, Create | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft | Accessed File | Access | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe | Dropped File | Access, Write, Create | CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys | Dropped File | Access, Write, Create | CLEAN
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config | Accessed File | Read, Access | CLEAN
C:\Windows\System32\nslookup.exe | Accessed File | Access | CLEAN
C:\Program Files\Common Files\SSL/openssl.cnf | Accessed File | Access | CLEAN
CONOUT$ | Accessed File | Access | CLEAN

Verdicts in this table attach to the file name, not the content: sihost64.exe is CLEAN here while the hash-keyed File table above rates it MALICIOUS. Two accesses are useful for triage. The svchost.exe.config and machine.config reads are CLR start-up, so the 42 KB dropper is a .NET executable. The probe for C:\Program Files\Common Files\SSL/openssl.cnf is OpenSSL looking for its configuration file, a library the real nslookup.exe never loads; the most plausible origin is the miner image inside nslookup.exe, which was started with --tls.

URL

URL | Category | IP Address | Country | HTTP Methods | Verdict
https://bitbucket.org/Sanctam/sanctam/raw/d2123dc19ea65d0fdce7b5d17328d978c42b18cc/includes/xmrig | - | 104.192.141.1 | - | GET | SUSPICIOUS

Domain

Domain IP Address Country Protocols Verdict

sanctam.net 185.65.135.248 - DNS CLEAN

bitbucket.org 104.192.141.1 - HTTPS, DNS CLEAN

pool.hashvault.pro 49.12.130.173, 168.119.38.182 - DNS CLEAN

IP

IP Address Domains Country Protocols Verdict

192.168.0.1 - - UDP, DNS CLEAN

104.192.141.1 bitbucket.org United States HTTPS, TCP, DNS CLEAN

185.65.135.248 sanctam.net Sweden TLS, TCP, DNS CLEAN

168.119.38.182 pool.hashvault.pro Germany TLS, TCP, DNS CLEAN

49.12.130.173 pool.hashvault.pro Germany DNS CLEAN

Registry

Registry Key | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType | read, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto | read, access | svchost.exe | CLEAN
HKEY_CURRENT_USER | access | taskhostw.exe, svchost.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport | read, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI | read, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display | read, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std | read, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt | read, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind | read, access | svchost.exe | CLEAN
HKEY_PERFORMANCE_DATA | access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment | access | taskhostw.exe | CLEAN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration | access | taskhostw.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache | access, create | taskhostw.exe | CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache\Timestamp | read, access | taskhostw.exe | CLEAN

The sample's own registry activity is read-only; its persistence lives in the scheduled task, not in a Run key. The .NETFramework\v4.0.30319, AppContext, SchUseStrongCrypto, LegacyWPADSupport and HWRPortReuseOnSocketBind reads are CLR and System.Net start-up behaviour (the dropper is a .NET binary), and the Internet Settings\Connections lookups are its HTTP stack checking for a proxy before the Bitbucket fetch. The only create is taskhostw.exe's certificate-template cache, ordinary post-reboot housekeeping.

Process

Process Name | Commandline | Verdict
svchost.exe | "C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe" | MALICIOUS
svchost.exe | "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe" | MALICIOUS
sihost64.exe | "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe" | MALICIOUS
schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"' | SUSPICIOUS
nslookup.exe | C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-... ...FdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth (truncated in the report) | SUSPICIOUS
cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"' & exit | CLEAN
svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | CLEAN
taskhostw.exe | taskhostw.exe TpmTasks | CLEAN
sihost.exe | sihost.exe | CLEAN
taskhostw.exe | taskhostw.exe | CLEAN
taskhostw.exe | taskhostw.exe network | CLEAN
taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | CLEAN
svchost.exe | C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe | CLEAN
locationnotificationwindows.exe | C:\Windows\System32\LocationNotificationWindows.exe | CLEAN
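The four MALICIOUS/SUSPICIOUS command lines in this table (svchost.exe run from Desktop and from Temp, sihost64.exe, the schtasks call, and nslookup.exe with XMRig switches) are exactly what a process-creation detection should catch. The Python below is an added example, not VMRay's code or anything from the sample's authors: it runs three checks over constructed events whose command lines are copied from this table (the nslookup.exe line is abridged because the report itself truncates it), and the field names ("image", "cmdline"), the check names and the path lists are this example's own.

```python
"""Process-creation triage for the behaviours in this report.

Added example; not part of the VMRay report. Three checks run over
process-creation events (an image path plus a command line):

  masquerade           a Windows binary name (svchost.exe, sihost.exe, ...)
                       started from outside the system directories
  logon-task-userpath  schtasks /create with /sc onlogon whose /tr target is
                       in a user-writable path
  task-highest-rl      the same task requested with /rl highest
  miner-args           XMRig-style switches on any command line

EVENTS is constructed for this example; the command lines are copied from the
report's Process table (the nslookup.exe one abridged).
"""
import re
from typing import Dict, List

SYSTEM_NAMES = {"svchost.exe", "sihost.exe", "taskhostw.exe", "nslookup.exe",
                "cmd.exe", "schtasks.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Switches that only make sense for XMRig or a wrapper around it.
MINER_ARG_RE = re.compile(r"--(algo=|randomx-|cinit-|cpu-memory-pool|donate-level|coin=)", re.I)
# schtasks /create ... /tr <target>; the target may be wrapped in '"..."'.
SCHTASKS_RE = re.compile(
    r"""schtasks(?:\.exe)?\s+/create\b.*?/tr\s+['"]*(?P<target>[^'"]+)""",
    re.I | re.S,
)


def detect(event: Dict[str, str]) -> List[str]:
    """Return the sorted list of check names that fire for one event."""
    hits = []
    image = event["image"].lower().replace("/", "\\")
    cmd = event["cmdline"]
    name = image.rsplit("\\", 1)[-1]

    # 1. Masquerading: a system-binary name outside System32/SysWOW64.
    #    Digits are stripped so sihost64.exe is compared as sihost.exe.
    canonical = re.sub(r"\d+", "", name)
    if (name in SYSTEM_NAMES or canonical in SYSTEM_NAMES) and not image.startswith(SYSTEM_DIRS):
        hits.append("masquerade")

    # 2. Persistence: schtasks /create ... /sc onlogon /tr <user-writable path>.
    m = SCHTASKS_RE.search(cmd)
    if m:
        target = m.group("target").lower()
        if re.search(r"/sc\s+onlogon", cmd, re.I) and any(p in target for p in USER_WRITABLE):
            hits.append("logon-task-userpath")
        if re.search(r"/rl\s+highest", cmd, re.I):
            hits.append("task-highest-rl")

    # 3. Miner switches on any process, including a hollowed system binary.
    if MINER_ARG_RE.search(cmd):
        hits.append("miner-args")
    return sorted(hits)


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> hits, for events with at least one hit."""
    result = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            result[i] = hits
    return result


# Constructed events; command lines copied from the report's Process table.
EVENTS = [
    {"image": r"C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe",
     "cmdline": r'"C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\svchost.exe"' & exit'''},
    {"image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": r'''C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth'''},
    {"image": r"C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe",
     "cmdline": r'"C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe"'},
    {"image": r"C:\Windows\System32\svchost.exe",          # benign service host
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\nslookup.exe",         # benign nslookup use
     "cmdline": r"nslookup.exe bitbucket.org"},
]

if __name__ == "__main__":
    for index, hits in triage(EVENTS).items():
        print(f"event {index}: {', '.join(hits)}  <- {EVENTS[index]['cmdline'][:70]}")
```

The checks are deliberately coarse (a system-binary name in the wrong directory, a logon task pointing into AppData or Temp, miner switches) so the same logic applies unchanged to Sysmon event ID 1 or Windows 4688 records, which carry the same two fields; the two benign events show that a real svchost.exe or nslookup.exe run does not trip them.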

YARA / AV
YARA (34)

Ruleset Name | Rule Name | Rule Description | File Type | File Name | Classification | Verdict
PUAs | XMRIG_Miner | XMRIG: Monero mining software; PUA | Memory Dump | - | PUA, Miner | 3/5

The report lists this row 34 times, once per memory dump the rule matched; all 34 entries are identical.

Antivirus (2)

File Type | Threat Name | File Name | Verdict
Sample File | Gen:Variant.Ursu.411696 | C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe | MALICIOUS
Dropped File | Gen:Variant.Bulz.455783 | C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\sihost64.exe | MALICIOUS

ENVIRONMENT
Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update Release Date 2021-08-14 19:51:41+00:00

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.33 / 2021-08-02 14:31:04

YARA Built-in Ruleset Version 4.2.2.34

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
