xmrig | 9b2a0965ba90251f7cb553480e2844e98496aa5e0cb5df5c9331507a30fb0b6c

General

Target

Xminer.exe
Size

5.7MB
MD5

562db3d1e91f2ab1aaf3929e52dba6df
SHA1

340daf78c5507221dd25af4dc899b3ef84bbea90
SHA256

9b2a0965ba90251f7cb553480e2844e98496aa5e0cb5df5c9331507a30fb0b6c
SHA512

cb18a33b65eaff6afd87428633c933fedfb90f6210c625e91dd5acda4e2c1906ffdf17b7d7cfbe4562b139562072288561256c8f74cc4111ce744e2b4afe6f83

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\OneDrive\OneDrive.exe	xmrig
C:\ProgramData\OneDrive\OneDrive.exe	xmrig
C:\ProgramData\OneDrive\OneDrive.exe	xmrig

Executes dropped EXE 2 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

3592 OneDrive.exe
3408 OneDrive.exe
Drops startup file 1 IoCs

Processes:

Xminer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk Xminer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe

pid	process
3592	OneDrive.exe
3408	OneDrive.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	Xminer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

OneDrive.exeOneDrive.exe

description	pid	process
Token: SeLockMemoryPrivilege	3592	OneDrive.exe
Token: SeLockMemoryPrivilege	3592	OneDrive.exe
Token: SeLockMemoryPrivilege	3408	OneDrive.exe
Token: SeLockMemoryPrivilege	3408	OneDrive.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Xminer.exe

pid process

3156 Xminer.exe
3156 Xminer.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Xminer.exe

pid process

3156 Xminer.exe
3156 Xminer.exe

pid	process
3156	Xminer.exe
3156	Xminer.exe

pid	process
3156	Xminer.exe
3156	Xminer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Xminer.execmd.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 3156 wrote to memory of 2076	3156	Xminer.exe	cmd.exe
PID 3156 wrote to memory of 2076	3156	Xminer.exe	cmd.exe
PID 2076 wrote to memory of 2836	2076	cmd.exe	WScript.exe
PID 2076 wrote to memory of 2836	2076	cmd.exe	WScript.exe
PID 2836 wrote to memory of 2784	2836	WScript.exe	cmd.exe
PID 2836 wrote to memory of 2784	2836	WScript.exe	cmd.exe
PID 2784 wrote to memory of 3592	2784	cmd.exe	OneDrive.exe
PID 2784 wrote to memory of 3592	2784	cmd.exe	OneDrive.exe
PID 2076 wrote to memory of 188	2076	cmd.exe	WScript.exe
PID 2076 wrote to memory of 188	2076	cmd.exe	WScript.exe
PID 188 wrote to memory of 2196	188	WScript.exe	cmd.exe
PID 188 wrote to memory of 2196	188	WScript.exe	cmd.exe
PID 2196 wrote to memory of 3408	2196	cmd.exe	OneDrive.exe
PID 2196 wrote to memory of 3408	2196	cmd.exe	OneDrive.exe

C:\Users\Admin\AppData\Local\Temp\Xminer.exe
"C:\Users\Admin\AppData\Local\Temp\Xminer.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OneDrive\bat.bat" "
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\OneDrive\Hide.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OneDrive\start.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\ProgramData\OneDrive\OneDrive.exe
OneDrive.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\OneDrive\Hide.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OneDrive\start.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\ProgramData\OneDrive\OneDrive.exe
OneDrive.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OneDrive\Hide.vbs
MD5
9d3e53a45a2a66903b60df0da9c43204

SHA1
155d4626973b7c5263a74d7d3ddda4b7f9f41a5f

SHA256
810f546dd3db6b16cedb00e725443bbfea6193533633a905bad53e76c92c3a5c

SHA512
63b48df98b489907df4e92ece7bc50d48867d74dd6bce485a2c708bf9cd7f1bbd797fb287e4b17cf92d87b8b2d4d04b75c2317a200f33903dc36822672cc8efc

Download Submit
C:\ProgramData\OneDrive\OneDrive.exe
MD5
7e747dc3069cd41f41e95fe241ad3fe3

SHA1
b0c4fec61662662f4a436ab0021d10f9c2fa72da

SHA256
3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41

SHA512
08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8

Download Submit
C:\ProgramData\OneDrive\OneDrive.exe
MD5
7e747dc3069cd41f41e95fe241ad3fe3

SHA1
b0c4fec61662662f4a436ab0021d10f9c2fa72da

SHA256
3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41

SHA512
08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8

Download Submit
C:\ProgramData\OneDrive\OneDrive.exe
MD5
7e747dc3069cd41f41e95fe241ad3fe3

SHA1
b0c4fec61662662f4a436ab0021d10f9c2fa72da

SHA256
3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41

SHA512
08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8

Download Submit
C:\ProgramData\OneDrive\bat.bat
MD5
58cc6845de149329e70735ddfeb15929

SHA1
05e988b00c98ac78a51799f42a440e6deee8b57f

SHA256
6af13cac95660c368b511f827ed20214028499cc8b39fad60df42526fcd1bf64

SHA512
d0adf5eb00047bcb8a429a69ba89fc2b78b907af779a46d99d464398c1efc8081f7d40c83f0312406a7d4d391af58ad1e2dd38d6cb96e94a6be91d5539edd43e

Download Submit
C:\ProgramData\OneDrive\config.json
MD5
b6391bd3c1f12cc1a7d0e9340ac64163

SHA1
1be90c7983362dd2efd83b6f9a2f36a23788cb38

SHA256
41e8a2598eb0929655feb8ad6eeffd5e3f762368557f361b37e296ce9586c13c

SHA512
1034825bad67098ca4c1e5b7040cfba008fd3e7a28cf47261fc891ce15c04c6d4d45b297215c0f34f932c13536e003702aa9c3f148e50fcdcbc45b7cc3851bca

Download Submit
C:\ProgramData\OneDrive\start.cmd
MD5
e59c417c96b0fece601eed82898106ce

SHA1
d962291aa061ac1a26290f8eaae617c2a0bd538b

SHA256
2ceb591c8490c88f3519a156dc4fb7c9dd1423bd19e77f03116613a06c86e307

SHA512
6a8bff6b11a3a2f5d75bfc4cf00d3d0e48f777f983c927493cc79a9ffa00f24d078903c833cb2833d1c5c0d09316927243343a689aa7ae559fa0a8d961fb9b90

Download Submit
memory/188-121-0x0000000000000000-mapping.dmp

Download
memory/2076-114-0x0000000000000000-mapping.dmp

Download
memory/2196-126-0x0000000000000000-mapping.dmp

Download
memory/2784-119-0x0000000000000000-mapping.dmp

Download
memory/2836-117-0x0000000000000000-mapping.dmp

Download
memory/3408-136-0x000002D99A800000-0x000002D99A820000-memory.dmp

Filesize
128KB

Download
memory/3408-135-0x000002D907E40000-0x000002D907E60000-memory.dmp

Filesize
128KB

Download
memory/3408-127-0x0000000000000000-mapping.dmp

Download
memory/3408-134-0x000002D907E20000-0x000002D907E40000-memory.dmp

Filesize
128KB

Download
memory/3592-124-0x0000025FC8330000-0x0000025FC8350000-memory.dmp

Filesize
128KB

Download
memory/3592-132-0x0000025FC9E20000-0x0000025FC9E40000-memory.dmp

Filesize
128KB

Download
memory/3592-133-0x0000025FC9E40000-0x0000025FC9E60000-memory.dmp

Filesize
128KB

Download
memory/3592-131-0x0000025FC9E00000-0x0000025FC9E20000-memory.dmp

Filesize
128KB

Download
memory/3592-130-0x0000025FC8360000-0x0000025FC8380000-memory.dmp

Filesize
128KB

Download
memory/3592-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads