xmrig | 22577366b67db3949feb69639228d19b85258f269ca7a3546565d09c142bb8d7

General

Target

xnew.exe
Size

5.7MB
MD5

be3d7c9e59675e027f450c74a7a2e724
SHA1

a50603600e623fdad2d7fc6032f1f696ff2afc1e
SHA256

22577366b67db3949feb69639228d19b85258f269ca7a3546565d09c142bb8d7
SHA512

e90a87e3e25183c903186d13f366616fbd7d0dfe773a5c2e45a52690f04a20f41b70bb9115bc18cd1b0d7ea585a0e60efd999c3e360aeef93085ceb301a404ab

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\OneDrive\OneDrive.exe	xmrig
C:\ProgramData\OneDrive\OneDrive.exe	xmrig
C:\ProgramData\OneDrive\OneDrive.exe	xmrig

Executes dropped EXE 2 IoCs

Processes:

OneDrive.exeOneDrive.exe

pid process

528 OneDrive.exe
1588 OneDrive.exe
Drops startup file 1 IoCs

Processes:

xnew.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk xnew.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1100 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
528	OneDrive.exe
1588	OneDrive.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	xnew.exe

pid	process
1100	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

OneDrive.exeOneDrive.exe

description	pid	process
Token: SeLockMemoryPrivilege	528	OneDrive.exe
Token: SeLockMemoryPrivilege	528	OneDrive.exe
Token: SeLockMemoryPrivilege	1588	OneDrive.exe
Token: SeLockMemoryPrivilege	1588	OneDrive.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

xnew.exe

pid process

916 xnew.exe
916 xnew.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

xnew.exe

pid process

916 xnew.exe
916 xnew.exe

pid	process
916	xnew.exe
916	xnew.exe

pid	process
916	xnew.exe
916	xnew.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

xnew.execmd.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 916 wrote to memory of 1912	916	xnew.exe	cmd.exe
PID 916 wrote to memory of 1912	916	xnew.exe	cmd.exe
PID 916 wrote to memory of 1912	916	xnew.exe	cmd.exe
PID 1912 wrote to memory of 2028	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 2028	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 2028	1912	cmd.exe	WScript.exe
PID 2028 wrote to memory of 1100	2028	WScript.exe	cmd.exe
PID 2028 wrote to memory of 1100	2028	WScript.exe	cmd.exe
PID 2028 wrote to memory of 1100	2028	WScript.exe	cmd.exe
PID 1912 wrote to memory of 668	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 668	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 668	1912	cmd.exe	WScript.exe
PID 1100 wrote to memory of 528	1100	cmd.exe	OneDrive.exe
PID 1100 wrote to memory of 528	1100	cmd.exe	OneDrive.exe
PID 1100 wrote to memory of 528	1100	cmd.exe	OneDrive.exe
PID 668 wrote to memory of 616	668	WScript.exe	cmd.exe
PID 668 wrote to memory of 616	668	WScript.exe	cmd.exe
PID 668 wrote to memory of 616	668	WScript.exe	cmd.exe
PID 616 wrote to memory of 1588	616	cmd.exe	OneDrive.exe
PID 616 wrote to memory of 1588	616	cmd.exe	OneDrive.exe
PID 616 wrote to memory of 1588	616	cmd.exe	OneDrive.exe

C:\Users\Admin\AppData\Local\Temp\xnew.exe
"C:\Users\Admin\AppData\Local\Temp\xnew.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\cmd.exe
cmd /c ""C:\ProgramData\OneDrive\bat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\OneDrive\Hide.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\OneDrive\start.cmd" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\ProgramData\OneDrive\OneDrive.exe
OneDrive.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\OneDrive\Hide.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\OneDrive\start.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\ProgramData\OneDrive\OneDrive.exe
OneDrive.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OneDrive\Hide.vbs
MD5
9d3e53a45a2a66903b60df0da9c43204

SHA1
155d4626973b7c5263a74d7d3ddda4b7f9f41a5f

SHA256
810f546dd3db6b16cedb00e725443bbfea6193533633a905bad53e76c92c3a5c

SHA512
63b48df98b489907df4e92ece7bc50d48867d74dd6bce485a2c708bf9cd7f1bbd797fb287e4b17cf92d87b8b2d4d04b75c2317a200f33903dc36822672cc8efc

Download Submit
C:\ProgramData\OneDrive\OneDrive.exe
MD5
7e747dc3069cd41f41e95fe241ad3fe3

SHA1
b0c4fec61662662f4a436ab0021d10f9c2fa72da

SHA256
3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41

SHA512
08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8

Download Submit
C:\ProgramData\OneDrive\OneDrive.exe
MD5
7e747dc3069cd41f41e95fe241ad3fe3

SHA1
b0c4fec61662662f4a436ab0021d10f9c2fa72da

SHA256
3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41

SHA512
08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8

Download Submit
C:\ProgramData\OneDrive\bat.bat
MD5
58cc6845de149329e70735ddfeb15929

SHA1
05e988b00c98ac78a51799f42a440e6deee8b57f

SHA256
6af13cac95660c368b511f827ed20214028499cc8b39fad60df42526fcd1bf64

SHA512
d0adf5eb00047bcb8a429a69ba89fc2b78b907af779a46d99d464398c1efc8081f7d40c83f0312406a7d4d391af58ad1e2dd38d6cb96e94a6be91d5539edd43e

Download Submit
C:\ProgramData\OneDrive\config.json
MD5
b6391bd3c1f12cc1a7d0e9340ac64163

SHA1
1be90c7983362dd2efd83b6f9a2f36a23788cb38

SHA256
41e8a2598eb0929655feb8ad6eeffd5e3f762368557f361b37e296ce9586c13c

SHA512
1034825bad67098ca4c1e5b7040cfba008fd3e7a28cf47261fc891ce15c04c6d4d45b297215c0f34f932c13536e003702aa9c3f148e50fcdcbc45b7cc3851bca

Download Submit
C:\ProgramData\OneDrive\start.cmd
MD5
e59c417c96b0fece601eed82898106ce

SHA1
d962291aa061ac1a26290f8eaae617c2a0bd538b

SHA256
2ceb591c8490c88f3519a156dc4fb7c9dd1423bd19e77f03116613a06c86e307

SHA512
6a8bff6b11a3a2f5d75bfc4cf00d3d0e48f777f983c927493cc79a9ffa00f24d078903c833cb2833d1c5c0d09316927243343a689aa7ae559fa0a8d961fb9b90

Download Submit
\ProgramData\OneDrive\OneDrive.exe
MD5
7e747dc3069cd41f41e95fe241ad3fe3

SHA1
b0c4fec61662662f4a436ab0021d10f9c2fa72da

SHA256
3efa2b3639c8c357edee22cf6ddcf47b4be0631c3abdd6fe5eb119eff31fef41

SHA512
08d14dfc8f98cf917e61935afaec56389705b17abf0f40f07cf8ffcdb34c60c45b2064d27bf70ffb5073a87021e13e5fd3b6cd22bdaa3ff0bf01baa2f19ff5e8

Download Submit
memory/528-81-0x0000000000550000-0x0000000000570000-memory.dmp

Filesize
128KB

Download
memory/528-80-0x00000000004A0000-0x00000000004C0000-memory.dmp

Filesize
128KB

Download
memory/528-70-0x0000000000000000-mapping.dmp

Download
memory/528-79-0x0000000000470000-0x0000000000490000-memory.dmp

Filesize
128KB

Download
memory/528-73-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/616-74-0x0000000000000000-mapping.dmp

Download
memory/668-68-0x0000000000000000-mapping.dmp

Download
memory/916-59-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1100-67-0x0000000000000000-mapping.dmp

Download
memory/1588-76-0x0000000000000000-mapping.dmp

Download
memory/1588-82-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/1588-83-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/1588-84-0x00000000003B0000-0x00000000003D0000-memory.dmp

Filesize
128KB

Download
memory/1912-60-0x0000000000000000-mapping.dmp

Download
memory/2028-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads