xmrig | 3ca0bf28baacf269c3f6a7215516ae6c2181487f006f192ecac3537595a792c2

Analysis

max time kernel
158s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
Size

1.8MB
MD5

7b7f4f390ecafc124ac298f5f58f46ae
SHA1

ed19d12269c86117897865ebc3e6e79d11d485a6
SHA256

1be33e42910515d58685e4cee83c4c9b7de4e6a155a6fd936922682a9922d42d
SHA512

fc37474112152bc9ea1d3671b445fc59995e868bac2203147854824ea94e5d171a5b1e29474403377b504ac778f04b3290628383758ec428f6838e0271eb7545
SSDEEP

49152:VEVUcg1LD3L+nIrBQfLdKiDRB1X8wcWynn:VE3g1RkAiDrmwchnn

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral8/memory/2332-24-0x0000000000400000-0x000000000070F000-memory.dmp	xmrig

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2152	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe

Executes dropped EXE 1 IoCs

pid	Process
5060	Chrome.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/memory/4396-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral8/memory/4396-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral8/memory/4396-2-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral8/memory/4396-3-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral8/memory/4396-4-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral8/memory/2332-17-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral8/memory/2332-19-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral8/memory/2332-20-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral8/memory/2332-22-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral8/memory/2332-23-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral8/memory/2332-24-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral8/memory/4396-28-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Google\Chrome\Update\Chrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe\""	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Google\Chrome\Update\Chrome.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe\""	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral8/memory/4396-2-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral8/memory/4396-3-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral8/memory/4396-4-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral8/memory/4396-28-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 2332	5060	Chrome.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	Chrome.exe
Token: SeLockMemoryPrivilege	2332	notepad.exe
Token: SeLockMemoryPrivilege	2332	notepad.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 5060	4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe	97
PID 4396 wrote to memory of 5060	4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe	97
PID 4396 wrote to memory of 5060	4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe	97
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 5060 wrote to memory of 2332	5060	Chrome.exe	98
PID 4396 wrote to memory of 2152	4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe	103
PID 4396 wrote to memory of 2152	4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe	103
PID 4396 wrote to memory of 2152	4396	1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe	103

C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe
"C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Google\Chrome\Update\Chrome.exe
  C:\Google\Chrome\Update\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\notepad.exe
    "C:\Windows\notepad.exe" -c "C:\ProgramData\ExxprQSiUG\cfgi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1BE33E42910515D58685E4CEE83C4C9B7DE4E6A155A6FD936922682A9922D42D.exe" "Chrome.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ExxprQSiUG\cfgi

Filesize
1KB

MD5
921c6622d8a9d1c4714bebf291978a81

SHA1
e36516e44a29b1c1faae11d1d9b4d7f5a5197c24

SHA256
83bc743bfe6fe362921f4d62ca037e835f558947aa8ceea18047a21efa37892f

SHA512
1d087761d0932de99e6819ab33b076697252dd76e6cce7130c9698d34d282280b1a54a19ab623b59e13fba4a3cf984979a95219bb031d3e1a487416735cf03f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\autAD81.tmp

Filesize
1.5MB

MD5
94f3e40ceba94f6d85d5731c2a5d380d

SHA1
a378f737bfea085b152744c2761e16e9be2007eb

SHA256
5159fa4d7cce05595f252d37924546906020526e0d4509768f71c0f3f778235b

SHA512
3f1151b17290b53bdf1024fc5059fe8f95b5afa06576b389587f9abe85ab69c02f88d2b45dc736ff6b7dcd6a383453b7a0d3673b23704774da8a485c806c1154

Download Submit
memory/2332-29-0x000001890A850000-0x000001890A860000-memory.dmp

Filesize
64KB

Download
memory/2332-37-0x000001890A850000-0x000001890A860000-memory.dmp

Filesize
64KB

Download
memory/2332-30-0x000001890A860000-0x000001890A870000-memory.dmp

Filesize
64KB

Download
memory/2332-43-0x000001890A8B0000-0x000001890A8C0000-memory.dmp

Filesize
64KB

Download
memory/2332-17-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2332-19-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2332-20-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2332-22-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2332-23-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2332-24-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2332-25-0x000001890A610000-0x000001890A620000-memory.dmp

Filesize
64KB

Download
memory/2332-42-0x000001890A890000-0x000001890A8A0000-memory.dmp

Filesize
64KB

Download
memory/2332-27-0x000001890A840000-0x000001890A850000-memory.dmp

Filesize
64KB

Download
memory/2332-41-0x000001890A8A0000-0x000001890A8B0000-memory.dmp

Filesize
64KB

Download
memory/2332-44-0x000001890A8C0000-0x000001890A8D0000-memory.dmp

Filesize
64KB

Download
memory/2332-40-0x000001890A880000-0x000001890A890000-memory.dmp

Filesize
64KB

Download
memory/2332-31-0x000001890A870000-0x000001890A880000-memory.dmp

Filesize
64KB

Download
memory/2332-32-0x000001890A880000-0x000001890A890000-memory.dmp

Filesize
64KB

Download
memory/2332-33-0x000001890A8A0000-0x000001890A8B0000-memory.dmp

Filesize
64KB

Download
memory/2332-34-0x000001890A890000-0x000001890A8A0000-memory.dmp

Filesize
64KB

Download
memory/2332-35-0x000001890A8B0000-0x000001890A8C0000-memory.dmp

Filesize
64KB

Download
memory/2332-36-0x000001890A8C0000-0x000001890A8D0000-memory.dmp

Filesize
64KB

Download
memory/2332-39-0x000001890A870000-0x000001890A880000-memory.dmp

Filesize
64KB

Download
memory/2332-38-0x000001890A860000-0x000001890A870000-memory.dmp

Filesize
64KB

Download
memory/4396-3-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4396-4-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4396-28-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4396-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4396-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4396-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download