Analysis
-
max time kernel
152s -
max time network
125s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
07-05-2021 13:02
General
-
Target
xmr.exe
-
Size
1.8MB
-
MD5
b1e29e528a7510be3c04dcff622f63ab
-
SHA1
ae8a2d88a4b0bcd8a11364be5a687f2a2a86d83a
-
SHA256
a98ccb74c29d4e6c3929cfea2f157dd53ce9c3ea67bd25934aab24f416ce9d13
-
SHA512
e7f59ab406d79832dacd0c4bdeb4bbbe8cc626bcf247502f8a817d2f2e39449450806976f5cb725a35f1bb1a58ef41488b32d6aea9cf3a54590c7989d3696040
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 3 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xmr.exe"C:\Users\Admin\AppData\Local\Temp\xmr.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\CjtqpVHEcA\cfgi"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /C WScript "C:\ProgramData\CjtqpVHEcA\r.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exeWScript "C:\ProgramData\CjtqpVHEcA\r.vbs"3⤵
- Drops startup file
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\CjtqpVHEcA\cfgiMD5
62ee13ef8ee70ac648efca0949b3e474
SHA1ad6cbd2d24d4571a4c38494ab2508de23abe4d68
SHA25674365150ff9a14cbfba07313e7e1c397a234b84aad606b64fa2310c6b213b2a8
SHA512fa04705b160da767d04b5cd8299b6c9c1015e6c8d9b45643ccd72c2bee522a43f917967ad5d0600fcc599ec16fafbdc069f0e36337367a5e4caf7b1979d884aa
-
C:\ProgramData\CjtqpVHEcA\r.vbsMD5
0065ee24d4dd8d3de7357eca05dd7605
SHA18ec12f52f6c59a894c0d7aa829be62f0a9423a92
SHA2565b5f9317f61c56cf5f568327c0220b23287f7043b071e93e1f3a2d3f31cacda3
SHA51271966d11180ee59316922b576d6c1d5ec80694d899f861d83e28012418fedf57b0a3a53d5de2e3f52dde1cf376fc57efbe4b8ef1a182d5a798c02ac291265bb6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gCJCBpvUDZ.urlMD5
0d14a943975c648c95879341d15993c5
SHA1f3b9af3e748daee22572d5b9d94e5b25795acb04
SHA2569a0efbbe99d58279d8df483820fc8d0990719164254def0109564540cad9dc58
SHA512f898b8421ecf615d501c883ffb395da9d3512d6918100b8a1061121b6540d7d6cfae96b07b80eeba4bba0c940c567f0630031609917ec86904420045de9f2c9f
-
memory/1056-71-0x0000000000000000-mapping.dmp
-
memory/1172-63-0x0000000000A14AA0-mapping.dmp
-
memory/1172-64-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1172-65-0x0000000000270000-0x0000000000284000-memory.dmpFilesize
80KB
-
memory/1172-66-0x0000000000938000-0x0000000000A15000-memory.dmpFilesize
884KB
-
memory/1172-68-0x0000000000401000-0x0000000000938000-memory.dmpFilesize
5.2MB
-
memory/1172-70-0x0000000002150000-0x0000000002170000-memory.dmpFilesize
128KB
-
memory/1172-69-0x00000000003D0000-0x00000000003F0000-memory.dmpFilesize
128KB
-
memory/1172-62-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1172-61-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/1488-72-0x0000000000000000-mapping.dmp
-
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmpFilesize
8KB