xmrig | 03c4964299ebbe765ef18d901be45b17e69e6b0d3a71f7eb43a28be4b0bb3d02

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccb1f8eda38035cc9f93f46786dbe146.exe
Size

3.5MB
MD5

ccb1f8eda38035cc9f93f46786dbe146
SHA1

6eb2e28bb5001e3c25262495e2f2fb0607de99dd
SHA256

03c4964299ebbe765ef18d901be45b17e69e6b0d3a71f7eb43a28be4b0bb3d02
SHA512

70df2f86085343ce9390f3af01c468f9d34a273116227a2002c5e8b6c4b331ca6b8592fa599f245b89dc2bf510dda4a33ea7780d3ef0dba40c957f3f51419f3b
SSDEEP

49152:lOw5cT7kCAPfy6JliMmBS0NExxVWS62fRHMaUSKb+e24mwBTtXjU5QOX:koEiVx0wJsaGbjxh

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/memory/2720-29-0x0000020422200000-0x0000020422A20000-memory.dmp	xmrig
behavioral2/files/0x0006000000023224-38.dat	family_xmrig
behavioral2/files/0x0006000000023224-38.dat	xmrig
behavioral2/memory/5012-53-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-61-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-71-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-86-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-92-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-107-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-118-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-124-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-135-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-146-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-157-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig
behavioral2/memory/5012-163-0x00007FF697630000-0x00007FF698133000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5012	xmrig.exe

Loads dropped DLL 1 IoCs

pid	Process
4948	rundll32.exe

Registers new Windows logon scripts automatically executed at logon. 1 TTPs 1 IoCs

persistence

Logon Script (Windows)

T1037.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Environment\UserInitMprLogonScript = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps\\cleanhelper.dll T34 /k notfun123 /auto 2"	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newhelper = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\WindowsApps\\cleanhelper.exe"	ccb1f8eda38035cc9f93f46786dbe146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xmrig = "C:\\Users\\Admin\\AppData\\Roaming\\Volt\\xmrig.exe"	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	ccb1f8eda38035cc9f93f46786dbe146.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ccb1f8eda38035cc9f93f46786dbe146.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe
880	ccb1f8eda38035cc9f93f46786dbe146.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5012	xmrig.exe
Token: SeLockMemoryPrivilege	5012	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	xmrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4948	880	ccb1f8eda38035cc9f93f46786dbe146.exe	97
PID 880 wrote to memory of 4948	880	ccb1f8eda38035cc9f93f46786dbe146.exe	97
PID 2720 wrote to memory of 5012	2720	Process not Found	98
PID 2720 wrote to memory of 5012	2720	Process not Found	98

C:\Users\Admin\AppData\Local\Temp\ccb1f8eda38035cc9f93f46786dbe146.exe
"C:\Users\Admin\AppData\Local\Temp\ccb1f8eda38035cc9f93f46786dbe146.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\cleanhelper.dll T34 /k notfun123 /auto 2
  2⤵
  - Loads dropped DLL
  PID:4948

C:\Users\Admin\AppData\Roaming\Volt\xmrig.exe
C:\Users\Admin\AppData\Roaming\Volt\xmrig.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Boot or Logon Initialization Scripts

T1037

Logon Script (Windows)

T1037.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Boot or Logon Initialization Scripts

T1037

Logon Script (Windows)

T1037.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\cleanhelper.dll

Filesize
597KB

MD5
3a545eaeb3c646d80716c325298b4db5

SHA1
3eefc6c2268ea0298c39dea9fbd71987b31989d5

SHA256
fd793216e10034cf0e2b57956d5fffa5d816551712d53bab79d8cbbd11d7df1d

SHA512
b5650776302d30d0d29f5369d21a62d8a17409926be0864b5578d80393133b663a4527316babbe5388c78b32330afb5f3e1e484be92b43b113ff9c2737efc2ef

Download Submit
C:\Users\Admin\AppData\Roaming\Volt\config.json

Filesize
3KB

MD5
d9cf79f1697c4eab98b01f1396a41058

SHA1
e973de6064bc4acc870edf20736299b4af5e94ad

SHA256
162547817f101090b503bda122a81286a487936aab966adb53105962313b6164

SHA512
b9cfa1c4a52af313a5a092152a5fefcf5ef5f8141944589e611ef90743b103374a9f84ce1aba04c5b3bf0a3e9798d2c4a11d53997cc5622b72ccc1a5e3983bad

Download Submit
C:\Users\Admin\AppData\Roaming\Volt\xmrig.exe

Filesize
3.6MB

MD5
d14d525eff62f77fb388273e7a67874a

SHA1
07444ffef7ade5b3a39332ef74277754c1c6b41e

SHA256
d1b97a919b793ab2733e25f3d5b039c0dd5cbc1d8fc350eb14a0a1ea8c23dd79

SHA512
7cd736f4636526054cb3d4d9a300c73fd367c778a95cdb44f6411ffb38864e5a0b93bb0f8237573a7e94167aa8adf40a35264d22ad47af58a59c50fec22e1a50

Download Submit
C:\Users\Admin\AppData\Roaming\dd_BackgroundDownload_20221228044804.log

Filesize
192B

MD5
229411e44b5a0491625e3dfc56592232

SHA1
6c3c5af029c4b1376cd74e4b547a9fcade97a7f3

SHA256
e5cb2d7bc2d9dba21f43a684b2c31113b6b4e9ed22bc63467fdff840f0f894f3

SHA512
c0e4dee29091b1dea232cdbd3f3e1c7878df3163d5a7ca238a6f9b9dd5ec00d5ccc816b4fb8149282e191ec047b6c6c8f4c461cb272955bf59de9e43b0e58eec

Download Submit
memory/880-23-0x0000000140000000-0x0000000140093000-memory.dmp

Filesize
588KB

Download
memory/880-2-0x0000000140000000-0x0000000140093000-memory.dmp

Filesize
588KB

Download
memory/880-0-0x0000000140000000-0x0000000140093000-memory.dmp

Filesize
588KB

Download
memory/2720-24-0x0000000180000000-0x0000000180094000-memory.dmp

Filesize
592KB

Download
memory/2720-19-0x0000000180000000-0x0000000180094000-memory.dmp

Filesize
592KB

Download
memory/2720-29-0x0000020422200000-0x0000020422A20000-memory.dmp

Filesize
8.1MB

Download
memory/2720-39-0x0000000180000000-0x0000000180094000-memory.dmp

Filesize
592KB

Download
memory/2720-13-0x0000000180000000-0x0000000180094000-memory.dmp

Filesize
592KB

Download
memory/2720-11-0x00000204207C0000-0x00000204207C2000-memory.dmp

Filesize
8KB

Download
memory/4948-10-0x00000166CFCB0000-0x00000166CFCB4000-memory.dmp

Filesize
16KB

Download
memory/5012-61-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-98-0x000001C7DC800000-0x000001C7DC820000-memory.dmp

Filesize
128KB

Download
memory/5012-43-0x000001C7DC3C0000-0x000001C7DC3E0000-memory.dmp

Filesize
128KB

Download
memory/5012-40-0x000001C748A50000-0x000001C748A70000-memory.dmp

Filesize
128KB

Download
memory/5012-71-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-76-0x000001C7DC800000-0x000001C7DC820000-memory.dmp

Filesize
128KB

Download
memory/5012-78-0x000001C7DCE60000-0x000001C7DCE80000-memory.dmp

Filesize
128KB

Download
memory/5012-79-0x000001C7DD090000-0x000001C7DD0B0000-memory.dmp

Filesize
128KB

Download
memory/5012-77-0x000001C7DCE40000-0x000001C7DCE60000-memory.dmp

Filesize
128KB

Download
memory/5012-86-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-92-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-53-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-99-0x000001C7DCE40000-0x000001C7DCE60000-memory.dmp

Filesize
128KB

Download
memory/5012-100-0x000001C7DCE60000-0x000001C7DCE80000-memory.dmp

Filesize
128KB

Download
memory/5012-105-0x000001C7DD090000-0x000001C7DD0B0000-memory.dmp

Filesize
128KB

Download
memory/5012-107-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-118-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-124-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-135-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-146-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-157-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download
memory/5012-163-0x00007FF697630000-0x00007FF698133000-memory.dmp

Filesize
11.0MB

Download