28df1f77952b8ae263f695b2d4d7c4551976b902e1be48baed720a45bb78adee | Triage

Analysis

max time kernel
1626s
max time network
1791s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/01/2023, 15:28

Sharing

Report Analysis Logs

General

Target

xmrig-6.18.1/start.cmd
Size

113B
MD5

34af0052c5617f182798dee7c7e4e4e1
SHA1

b1359e72828cdddb87cdbdfa46e3a79f97cfddac
SHA256

c31ff3e6d1dc5f0555b4c4823205fb44ecd2a2b56a978bddcb33faceae024758
SHA512

00037ae09c97981302d95536a0cda03dc7e6e00fe84f60e14f037b69ef0a7ea68e2767afdd767ef002b7649aa366291e8841d793e29889a62e708c79c99c8c4c

Score

1^/10

Malware Config

Signatures

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1688	xmrig.exe
Token: SeLockMemoryPrivilege	1688	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1688	xmrig.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1688	1732	cmd.exe	28
PID 1732 wrote to memory of 1688	1732	cmd.exe	28
PID 1732 wrote to memory of 1688	1732	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.1\start.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.1\xmrig.exe
  xmrig.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RMHmiB3nPeiynSRpiKyEPZGgWqvjK6JT7r.YKCG -p x
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-55-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/1688-56-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download