xmrig | 1663eddd17ee18c998b246d49f2ceb14e9f561d831f43c6ef9d1718e81ccb4e3

General

Target

payload.exe
Size

34.8MB
MD5

597f03a711f5505132cbb5229b224f61
SHA1

799c6b9e0087a5404531ecba2d44532e2adba133
SHA256

1663eddd17ee18c998b246d49f2ceb14e9f561d831f43c6ef9d1718e81ccb4e3
SHA512

f3c226611a9a0859c9080dfb146e4a9183a1012c82b4a3dba019a285f645c18422049f9e8d51a4cfbad4eeaf09da400994ab42cdffc450143e4432b95d01952e
SSDEEP

49152:8XGy32rb/TcvO90dL3BmAFd4A64nsfJZpgul1jPFUbnD18urCkFCOaESeA:8z3Cb5lkAlES

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023351-17.dat	family_xmrig
behavioral2/files/0x0007000000023351-17.dat	xmrig
behavioral2/memory/1184-21-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-22-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-27-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-28-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-29-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-30-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-31-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-32-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-33-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-34-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-35-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-36-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-37-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig
behavioral2/memory/1184-38-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 1 IoCs

pid	Process
1184	xmrig.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeLockMemoryPrivilege	1184	xmrig.exe
Token: SeLockMemoryPrivilege	1184	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1184	xmrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 3284	820	payload.exe	96
PID 820 wrote to memory of 3284	820	payload.exe	96
PID 3284 wrote to memory of 1184	3284	powershell.exe	98
PID 3284 wrote to memory of 1184	3284	powershell.exe	98

C:\Users\Admin\AppData\Local\Temp\payload.exe
"C:\Users\Admin\AppData\Local\Temp\payload.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -c "cd xmrig-6.18.0-gcc-win64 ; .\xmrig.exe -c ..\config.json -B"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.0-gcc-win64\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.0-gcc-win64\xmrig.exe" -c ..\config.json -B
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
1⤵
PID:5480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc4r5mht.os2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.json

Filesize
3KB

MD5
cd05088e8515dfd3c6f2fca659e5ae12

SHA1
dd1527f8c1c231cd94e63c4a7f234e3b6550bdd6

SHA256
00da826d8693c7865e33f48cf356d257fd8df3016c172b42654c4b67da84ea10

SHA512
8ff7acfdcbecbaaf0fc90cfc0694b4dddf866ed1fda795fa8d9e6ad7ca3adc3741307c12719c0894e145862b299e7fa899b719b04309ef301ba566e64183e487

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmrig-6.18.0-gcc-win64\xmrig.exe

Filesize
7.8MB

MD5
87beedbe66a91619f1a4186ef85e052e

SHA1
9f9b24022d0ad059fd24a2b9c94cdac87a399184

SHA256
d1ea28dee35382c510a49e4304ed7cead25bcee5cc869c73c9c53f333139e060

SHA512
f91a4d29d55b990c568eabc51e685f054f6d2a5fc42bf0f8371c435f521c752c9dc582ec0a52d98a03253bc6b09d26feb0a9bd2b95dec55403ab73374b9e4cb9

Download Submit
memory/1184-30-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-31-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-38-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-37-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-19-0x0000020ED59D0000-0x0000020ED59F0000-memory.dmp

Filesize
128KB

Download
memory/1184-36-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-21-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-22-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-35-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-34-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-33-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-32-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-27-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-28-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/1184-29-0x00007FF6FBBE0000-0x00007FF6FC6DD000-memory.dmp

Filesize
11.0MB

Download
memory/3284-8-0x00000109A8EE0000-0x00000109A8F02000-memory.dmp

Filesize
136KB

Download
memory/3284-15-0x00000109C1100000-0x00000109C1110000-memory.dmp

Filesize
64KB

Download
memory/3284-26-0x00000109C1100000-0x00000109C1110000-memory.dmp

Filesize
64KB

Download
memory/3284-25-0x00000109C1100000-0x00000109C1110000-memory.dmp

Filesize
64KB

Download
memory/3284-24-0x00000109C1100000-0x00000109C1110000-memory.dmp

Filesize
64KB

Download
memory/3284-23-0x00007FF95DC40000-0x00007FF95E701000-memory.dmp

Filesize
10.8MB

Download
memory/3284-13-0x00007FF95DC40000-0x00007FF95E701000-memory.dmp

Filesize
10.8MB

Download
memory/3284-14-0x00000109C1100000-0x00000109C1110000-memory.dmp

Filesize
64KB

Download
memory/3284-16-0x00000109C1100000-0x00000109C1110000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing