28df1f77952b8ae263f695b2d4d7c4551976b902e1be48baed720a45bb78adee | Triage

Analysis

max time kernel
1624s
max time network
1799s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 14:44

Sharing

Report Analysis Logs

General

Target

xmrig-6.18.1/start.cmd
Size

113B
MD5

34af0052c5617f182798dee7c7e4e4e1
SHA1

b1359e72828cdddb87cdbdfa46e3a79f97cfddac
SHA256

c31ff3e6d1dc5f0555b4c4823205fb44ecd2a2b56a978bddcb33faceae024758
SHA512

00037ae09c97981302d95536a0cda03dc7e6e00fe84f60e14f037b69ef0a7ea68e2767afdd767ef002b7649aa366291e8841d793e29889a62e708c79c99c8c4c

Score

1^/10

Malware Config

Signatures

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2016	xmrig.exe
Token: SeLockMemoryPrivilege	2016	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2016	xmrig.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2016	1684	cmd.exe	29
PID 1684 wrote to memory of 2016	1684	cmd.exe	29
PID 1684 wrote to memory of 2016	1684	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.1\start.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.1\xmrig.exe
  xmrig.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RMHmiB3nPeiynSRpiKyEPZGgWqvjK6JT7r.YKCG -p x
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-55-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2016-56-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download