xmrig | a3b523e9f230a7c208429e8dca59372cc3611674471dd40d76810793cdd8f2de | Triage

Submit
Reports

Overview

overview

Static

static

9d1af01005...64.exe

windows7_x64

9d1af01005...64.exe

windows10_x64

Sharing

General

Target

9d1af0100597194c6a4ff921f5cee664.exe
Size

1.4MB
Sample

211210-mhntvshebq
MD5

9d1af0100597194c6a4ff921f5cee664
SHA1

9337f0989e0195126f2bbdd6408643a9d67b6087
SHA256

a3b523e9f230a7c208429e8dca59372cc3611674471dd40d76810793cdd8f2de
SHA512

0a8d8ce36203144990d7492cb79d360c88ad3af0d3d67bdde0d9144ed2a163b98f1ea40b6688f53fc1e41e73e6647f2ee9891aacc5239108fd3daf2d3460ec3f

Score

10^/10

xmrig discovery miner persistence spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

9d1af0100597194c6a4ff921f5cee664.exe

Resource

win7-en-20211208

xmrig discovery miner persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9d1af0100597194c6a4ff921f5cee664.exe

Resource

win10-en-20211208

persistence suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  9d1af0100597194c6a4ff921f5cee664.exe
- Size
  
  1.4MB
- MD5
  
  9d1af0100597194c6a4ff921f5cee664
- SHA1
  
  9337f0989e0195126f2bbdd6408643a9d67b6087
- SHA256
  
  a3b523e9f230a7c208429e8dca59372cc3611674471dd40d76810793cdd8f2de
- SHA512
  
  0a8d8ce36203144990d7492cb79d360c88ad3af0d3d67bdde0d9144ed2a163b98f1ea40b6688f53fc1e41e73e6647f2ee9891aacc5239108fd3daf2d3460ec3f
Score

10^/10

xmrig discovery miner persistence spyware stealer suricata
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE DCRAT Activity (GET)
  suricata: ET MALWARE DCRAT Activity (GET)
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xmrigdiscoveryminerpersistencespywarestealer

behavioral2

persistencesuricata

© 2018-2024

Terms | Privacy