Analysis
- max time kernel: 122s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 07-05-2021 12:58

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: LinkMiner.exe
  Resource: win7v20210408
General
- Target: LinkMiner.exe
- Size: 47KB
- MD5: 252abb0504523f55a08c29bbe6460bcc
- SHA1: 0ee2118397347c297e840f3a204a44179f924b3d
- SHA256: 06381f7fd865363d44156b4308e09164804ad102d6e493239723b7d89ca30b44
- SHA512: 32a66496236149a99e2bd4dfb165aee0dd1f7e076792ef4df0f2e8ba3c6f783189701faba3ebf0d730a3c9e91094f3fc240d8cd777f694c14336610f33d0aa4c
Malware Config

Signatures
- XMRig Miner Payload (2 IoCs)
  Processes:
    resource                                             yara_rule
    \Users\Admin\AppData\Roaming\reference\xmrig.exe     xmrig
    C:\Users\Admin\AppData\Roaming\reference\xmrig.exe   xmrig
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    1656   xmrig.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid    process
    1820   LinkMiner.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                     pid    process
    Token: SeDebugPrivilege         1820   LinkMiner.exe
    Token: SeLockMemoryPrivilege    1656   xmrig.exe
    Token: SeLockMemoryPrivilege    1656   xmrig.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process         target process
    PID 1820 wrote to memory of 1656   1820   LinkMiner.exe   xmrig.exe
    PID 1820 wrote to memory of 1656   1820   LinkMiner.exe   xmrig.exe
    PID 1820 wrote to memory of 1656   1820   LinkMiner.exe   xmrig.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\LinkMiner.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LinkMiner.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\reference\xmrig.exe
    Command line: "C:\Users\Admin\AppData\Roaming\reference\xmrig.exe" -o solo-xmr.2miners.com:4444 -a rx -k -u 48WRwJWbGu3FZGAqb3kjt1StxueCLVWnQaAUWby8PzBVWcCJ56qJpuFeze78WWCCYG9m76fwXUzGDhCcRbBBrQaF2guJojL.cpuminerAdmin --max-cpu-usage=30
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\reference\xmrig.exe
  MD5: aa318a599fee3d322d6b5fa6d4b568de
  SHA1: b2dff433338f5cf776741d3db7c03ed48c220a58
  SHA256: 9b324b9905c4e32ccf5cba0249ab82262173486f6382e170cbf2fafab1846fd9
  SHA512: b2a9f03d30a0fea28b6fff811ecf443454eb782c71487926fca9c179d7352c4864c5b27fb9dfd3f34a3641cb65d25f8ab6c5d16f2856033fe88c90a2ef44c3e0
- \Users\Admin\AppData\Roaming\reference\xmrig.exe
  MD5: aa318a599fee3d322d6b5fa6d4b568de
  SHA1: b2dff433338f5cf776741d3db7c03ed48c220a58
  SHA256: 9b324b9905c4e32ccf5cba0249ab82262173486f6382e170cbf2fafab1846fd9
  SHA512: b2a9f03d30a0fea28b6fff811ecf443454eb782c71487926fca9c179d7352c4864c5b27fb9dfd3f34a3641cb65d25f8ab6c5d16f2856033fe88c90a2ef44c3e0
- memory/1656-65-0x0000000000000000-mapping.dmp
- memory/1656-67-0x0000000000E30000-0x0000000000E44000-memory.dmp
  Filesize: 80KB
- memory/1656-68-0x00000000027C0000-0x00000000027E0000-memory.dmp
  Filesize: 128KB
- memory/1820-62-0x0000000000540000-0x0000000000541000-memory.dmp
  Filesize: 4KB
- memory/1820-60-0x000000013F7A0000-0x000000013F7A1000-memory.dmp
  Filesize: 4KB
- memory/1820-63-0x000000001BAD0000-0x000000001BAD2000-memory.dmp
  Filesize: 8KB