xmrig | 999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d | Triage

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 08:33

Sharing

Report Analysis Logs

General

Target

3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
Size

5.2MB
MD5

d381d9db9cbd1b60afdfb4f05e52a775
SHA1

d59c52583ca791e07f3e6aec2ee2590ab9bfd67e
SHA256

3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9
SHA512

cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861
SSDEEP

98304:Qp4L/JhqnNKIjRFlrDlyzVd/dCR36YDAbJC5kZne:QeL/JhqNRrhyXCR3FAbfhe

Score

10^/10

xmrig miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 4656 created 3172	4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	54
PID 4656 created 3172	4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	54
PID 4656 created 3172	4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	54
PID 4656 created 3172	4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe	54
PID 1108 created 3172	1108	updater.exe	54
PID 1108 created 3172	1108	updater.exe	54
PID 1108 created 3172	1108	updater.exe	54

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

resource	yara_rule
behavioral9/memory/5036-15-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-18-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-21-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-22-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-23-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-24-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-25-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-26-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-27-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-28-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig
behavioral9/memory/5036-29-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1108	updater.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 5036	1108	updater.exe	115

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2628	schtasks.exe
3756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
4656	3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
1108	updater.exe
1108	updater.exe
1108	updater.exe
1108	updater.exe
1108	updater.exe
1108	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeCreatePagefilePrivilege	1316	powercfg.exe
Token: SeShutdownPrivilege	384	powercfg.exe
Token: SeCreatePagefilePrivilege	384	powercfg.exe
Token: SeShutdownPrivilege	2768	powercfg.exe
Token: SeCreatePagefilePrivilege	2768	powercfg.exe
Token: SeShutdownPrivilege	1824	powercfg.exe
Token: SeCreatePagefilePrivilege	1824	powercfg.exe
Token: SeShutdownPrivilege	3056	powercfg.exe
Token: SeCreatePagefilePrivilege	3056	powercfg.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeCreatePagefilePrivilege	1916	powercfg.exe
Token: SeLockMemoryPrivilege	5036	explorer.exe
Token: SeShutdownPrivilege	980	powercfg.exe
Token: SeCreatePagefilePrivilege	980	powercfg.exe
Token: SeLockMemoryPrivilege	5036	explorer.exe
Token: SeShutdownPrivilege	5072	powercfg.exe
Token: SeCreatePagefilePrivilege	5072	powercfg.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1316	4508	cmd.exe	97
PID 4508 wrote to memory of 1316	4508	cmd.exe	97
PID 4508 wrote to memory of 384	4508	cmd.exe	100
PID 4508 wrote to memory of 384	4508	cmd.exe	100
PID 4508 wrote to memory of 2768	4508	cmd.exe	101
PID 4508 wrote to memory of 2768	4508	cmd.exe	101
PID 4508 wrote to memory of 1824	4508	cmd.exe	102
PID 4508 wrote to memory of 1824	4508	cmd.exe	102
PID 4184 wrote to memory of 3056	4184	cmd.exe	114
PID 4184 wrote to memory of 3056	4184	cmd.exe	114
PID 1108 wrote to memory of 5036	1108	updater.exe	115
PID 4184 wrote to memory of 1916	4184	cmd.exe	116
PID 4184 wrote to memory of 1916	4184	cmd.exe	116
PID 4184 wrote to memory of 980	4184	cmd.exe	117
PID 4184 wrote to memory of 980	4184	cmd.exe	117
PID 4184 wrote to memory of 5072	4184	cmd.exe	118
PID 4184 wrote to memory of 5072	4184	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3172
- C:\Users\Admin\AppData\Local\Temp\3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe
  "C:\Users\Admin\AppData\Local\Temp\3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4952
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2628
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3272
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
  2⤵
  - Creates scheduled task(s)
  PID:3756
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5036

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml

Filesize
1KB

MD5
059ccb70dc2c65c81c0dc8bea26a4bb2

SHA1
09c60376bf998dff186950104a6e7e4f74b37c24

SHA256
0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

SHA512
416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml

Filesize
1KB

MD5
059ccb70dc2c65c81c0dc8bea26a4bb2

SHA1
09c60376bf998dff186950104a6e7e4f74b37c24

SHA256
0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

SHA512
416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
5.2MB

MD5
d381d9db9cbd1b60afdfb4f05e52a775

SHA1
d59c52583ca791e07f3e6aec2ee2590ab9bfd67e

SHA256
3e488cd6f6cc7b35713c321dc58b63fa95ba9c69248008109b7bf9a543add7e9

SHA512
cebe8732fbcdc7d5672667d94473245377780e7cce940f5162789fcb6684c49b3c9c9cef6d7aff3cb005d614e32c228fe958011ee27d5063ca488b28b594d861

Download Submit
memory/1108-13-0x00007FF6198A0000-0x00007FF619DD0000-memory.dmp

Filesize
5.2MB

Download
memory/1108-7-0x00007FF6198A0000-0x00007FF619DD0000-memory.dmp

Filesize
5.2MB

Download
memory/4656-3-0x00007FF6594A0000-0x00007FF6599D0000-memory.dmp

Filesize
5.2MB

Download
memory/4656-5-0x00007FF6594A0000-0x00007FF6599D0000-memory.dmp

Filesize
5.2MB

Download
memory/4656-0-0x00007FF6594A0000-0x00007FF6599D0000-memory.dmp

Filesize
5.2MB

Download
memory/5036-17-0x0000000013960000-0x0000000013980000-memory.dmp

Filesize
128KB

Download
memory/5036-22-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-15-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-16-0x0000000013940000-0x0000000013960000-memory.dmp

Filesize
128KB

Download
memory/5036-12-0x0000000001010000-0x0000000001030000-memory.dmp

Filesize
128KB

Download
memory/5036-18-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-20-0x0000000013960000-0x0000000013980000-memory.dmp

Filesize
128KB

Download
memory/5036-19-0x0000000013940000-0x0000000013960000-memory.dmp

Filesize
128KB

Download
memory/5036-21-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-14-0x0000000002DF0000-0x0000000002E30000-memory.dmp

Filesize
256KB

Download
memory/5036-23-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-24-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-25-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-26-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-27-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-28-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download
memory/5036-29-0x00007FF6E1790000-0x00007FF6E1FD0000-memory.dmp

Filesize
8.2MB

Download