437e1e9d471118c296359bcfc1d6b3a197d36d11e37727a380ef7a09632509d9

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 02:44

Target

xmrig-6.18.1/solo_mine_example.cmd
Size

815B
MD5

9a6e73e55c32bb8db34e599a8ae176a3
SHA1

bf4b8811a649529fd821fdee9236622cd1d4ad3d
SHA256

6e87f8c30fe0ef0035227ed01d3824223b72c9a196bdcd3202bb0a533d0ea804
SHA512

aefca1b39751dd5caf3050c8e2dbe0a53ac2d0d14d9178ae10e7b33af256a30fc7522884c1ad5fcfca83fd18aed5bd05c350bbb103bf597ac00fe33b220a53b0

Score

1^/10

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1464	xmrig.exe
Token: SeLockMemoryPrivilege	1464	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1464	xmrig.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1464	1672	cmd.exe	29
PID 1672 wrote to memory of 1464	1672	cmd.exe	29
PID 1672 wrote to memory of 1464	1672	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.1\solo_mine_example.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.1\xmrig.exe
  xmrig.exe -o node.xmr.to:18081 -a rx/0 -u 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD --daemon
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1464

memory/1464-55-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download