xmrig | db5575ba91df5cf9571f4ad36d0091b7a3e03ce9aeab80cd87295360046cb47e

Analysis

max time kernel
53s
max time network
62s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24/10/2023, 12:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Njrat/NjRat 0.7D.exe
Size

2.2MB
MD5

27e353481e08ead38d3f5dd7a4042d01
SHA1

61f6691539aa0201f69a61f2d6b4328c47856ef9
SHA256

0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260
SHA512

ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd
SSDEEP

49152:MP0OMxYLKA67mRRxMQSL/neZW9F8saXeAx5vAoNhaPsQ+Quc393:wMxYLK+RRCQSL/V9FqXeIF2qDct

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 22 IoCs

miner

resource	yara_rule
behavioral1/memory/2680-40-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-41-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-42-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-43-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-44-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-45-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-46-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-47-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-48-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-51-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-54-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-56-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-58-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-59-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-60-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-61-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-62-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-63-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-64-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-65-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-66-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2680-67-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

pid	Process
2336	sihost64.exe
2788	Services.exe
2600	sihost64.exe

Loads dropped DLL 3 IoCs

pid	Process
2276	NjRat 0.7D.exe
2276	NjRat 0.7D.exe
2788	Services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2680	2788	Services.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2400	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2276	NjRat 0.7D.exe
2276	NjRat 0.7D.exe
2788	Services.exe
2788	Services.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	NjRat 0.7D.exe
Token: SeDebugPrivilege	2788	Services.exe
Token: SeLockMemoryPrivilege	2680	explorer.exe
Token: SeLockMemoryPrivilege	2680	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1492	2276	NjRat 0.7D.exe	28
PID 2276 wrote to memory of 1492	2276	NjRat 0.7D.exe	28
PID 2276 wrote to memory of 1492	2276	NjRat 0.7D.exe	28
PID 1492 wrote to memory of 2400	1492	cmd.exe	30
PID 1492 wrote to memory of 2400	1492	cmd.exe	30
PID 1492 wrote to memory of 2400	1492	cmd.exe	30
PID 2276 wrote to memory of 2336	2276	NjRat 0.7D.exe	31
PID 2276 wrote to memory of 2336	2276	NjRat 0.7D.exe	31
PID 2276 wrote to memory of 2336	2276	NjRat 0.7D.exe	31
PID 2276 wrote to memory of 2788	2276	NjRat 0.7D.exe	32
PID 2276 wrote to memory of 2788	2276	NjRat 0.7D.exe	32
PID 2276 wrote to memory of 2788	2276	NjRat 0.7D.exe	32
PID 2788 wrote to memory of 2860	2788	Services.exe	34
PID 2788 wrote to memory of 2860	2788	Services.exe	34
PID 2788 wrote to memory of 2860	2788	Services.exe	34
PID 2860 wrote to memory of 2744	2860	cmd.exe	36
PID 2860 wrote to memory of 2744	2860	cmd.exe	36
PID 2860 wrote to memory of 2744	2860	cmd.exe	36
PID 2788 wrote to memory of 2600	2788	Services.exe	37
PID 2788 wrote to memory of 2600	2788	Services.exe	37
PID 2788 wrote to memory of 2600	2788	Services.exe	37
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38
PID 2788 wrote to memory of 2680	2788	Services.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Njrat\NjRat 0.7D.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat\NjRat 0.7D.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2744
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7158719 --pass=durker --cpu-max-threads-hint=70 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=90 --unam-stealth
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.2MB

MD5
27e353481e08ead38d3f5dd7a4042d01

SHA1
61f6691539aa0201f69a61f2d6b4328c47856ef9

SHA256
0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

SHA512
ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.2MB

MD5
27e353481e08ead38d3f5dd7a4042d01

SHA1
61f6691539aa0201f69a61f2d6b4328c47856ef9

SHA256
0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

SHA512
ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.2MB

MD5
27e353481e08ead38d3f5dd7a4042d01

SHA1
61f6691539aa0201f69a61f2d6b4328c47856ef9

SHA256
0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

SHA512
ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
memory/2276-19-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-0-0x000000013F100000-0x000000013F32E000-memory.dmp

Filesize
2.2MB

Download
memory/2276-3-0x000000001BF70000-0x000000001BFF0000-memory.dmp

Filesize
512KB

Download
memory/2276-1-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-13-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-12-0x000000013F5E0000-0x000000013F5E6000-memory.dmp

Filesize
24KB

Download
memory/2336-20-0x000000001BEA0000-0x000000001BF20000-memory.dmp

Filesize
512KB

Download
memory/2336-23-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-57-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-35-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-32-0x000000013F490000-0x000000013F496000-memory.dmp

Filesize
24KB

Download
memory/2600-34-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/2680-55-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/2680-51-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-67-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-66-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-37-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-38-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-39-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-40-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-41-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-42-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-43-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-44-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-45-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-46-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-47-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-48-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-49-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/2680-65-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-64-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-54-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-63-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-56-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-62-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-58-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-59-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-60-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2680-61-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2788-18-0x000000013F690000-0x000000013F8BE000-memory.dmp

Filesize
2.2MB

Download
memory/2788-21-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-52-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-33-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2788-36-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2788-22-0x000000001C1C0000-0x000000001C240000-memory.dmp

Filesize
512KB

Download