xmrig | 8381e02189f0bd728b557fa5f811132e760771e095bc9b0a93412431e9c9589a

Resubmissions

04/01/2024, 10:21

240104-md6twagbd4 10

26/12/2023, 11:38

231226-nry7mafbb5 10

Analysis

max time kernel
140s
max time network
115s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
04/01/2024, 10:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

pdfeditor/start.cmd
Size

48B
MD5

7a5f44ef0fcb9b3b66c65fc36aabf0af
SHA1

76887427c1a843b35de8920f93fa744b1abb5a67
SHA256

56cc2f42fb9967cb986ce44a3530481f2c4f6e79a935e829a8285d023b820763
SHA512

5a128e128e1ebb2c5c265f0dcded63f818ae9d7ac11cd5c10cf89fdebf7ccae5fe78a725ef96aeb6235db396cecbe86d43b2a15b7228f966cd55b7119d7e2490

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral32/memory/4620-3-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp	xmrig
behavioral32/memory/4620-4-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp	xmrig
behavioral32/memory/4620-7-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp	xmrig
behavioral32/memory/4620-8-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp	xmrig

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4620	pdfeditor.exe
Token: SeLockMemoryPrivilege	4620	pdfeditor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4620	pdfeditor.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4620	4228	cmd.exe	17
PID 4228 wrote to memory of 4620	4228	cmd.exe	17

C:\Users\Admin\AppData\Local\Temp\pdfeditor\pdfeditor.exe
pdfeditor.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pdfeditor\start.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4620-0-0x00000170C4960000-0x00000170C4980000-memory.dmp

Filesize
128KB

Download
memory/4620-2-0x00000170C6170000-0x00000170C6190000-memory.dmp

Filesize
128KB

Download
memory/4620-3-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-6-0x00000170C61B0000-0x00000170C61D0000-memory.dmp

Filesize
128KB

Download
memory/4620-5-0x00000170C6190000-0x00000170C61B0000-memory.dmp

Filesize
128KB

Download
memory/4620-4-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-7-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-8-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-10-0x00000170C61B0000-0x00000170C61D0000-memory.dmp

Filesize
128KB

Download
memory/4620-9-0x00000170C6190000-0x00000170C61B0000-memory.dmp

Filesize
128KB

Download
memory/4620-11-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-12-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-13-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-14-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-15-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-16-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-17-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-18-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download
memory/4620-19-0x00007FF6BB280000-0x00007FF6BBD8B000-memory.dmp

Filesize
11.0MB

Download