xmrig | ab0fc8489013eaad6a8bef41012087bc4fce74f0a4260a7a721cb60418f87416

Analysis

max time kernel
148s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3597c530373ba8921a9f581312b782.exe
Size

2.2MB
MD5

cc3597c530373ba8921a9f581312b782
SHA1

372e7006ac04a96fb89a924e1bf8387df4af4679
SHA256

ab0fc8489013eaad6a8bef41012087bc4fce74f0a4260a7a721cb60418f87416
SHA512

a21f62eed3a9537db8f0da87b3b8e453ad490a747eddd3ea34157698c3a64e5cf97a622364711d7b8ea79808ee2d78b9c3830cd49926eeb1ca42b8079ccfaac0
SSDEEP

49152:THXm5Fxkri+pB0NMlE0G9nntxoQT91XnHYAod1rqQlZxrdq+of:roFx/YGAE08nrbn4AUv7pqjf

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/4536-53-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-55-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-57-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-59-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-60-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-61-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-62-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-64-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-63-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-68-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-70-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-72-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-73-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/4536-74-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cc3597c530373ba8921a9f581312b782.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	SecurityHealthService.exe

Executes dropped EXE 3 IoCs

pid	Process
2592	sihost64.exe
3620	SecurityHealthService.exe
1616	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
135	pastebin.com
136	pastebin.com
137	raw.githubusercontent.com
138	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 4536	3620	SecurityHealthService.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1444	schtasks.exe
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
408	cc3597c530373ba8921a9f581312b782.exe
408	cc3597c530373ba8921a9f581312b782.exe
408	cc3597c530373ba8921a9f581312b782.exe
3620	SecurityHealthService.exe
3620	SecurityHealthService.exe
3620	SecurityHealthService.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	cc3597c530373ba8921a9f581312b782.exe
Token: SeDebugPrivilege	3620	SecurityHealthService.exe
Token: SeLockMemoryPrivilege	4536	explorer.exe
Token: SeLockMemoryPrivilege	4536	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4900	408	cc3597c530373ba8921a9f581312b782.exe	100
PID 408 wrote to memory of 4900	408	cc3597c530373ba8921a9f581312b782.exe	100
PID 4900 wrote to memory of 1444	4900	cmd.exe	102
PID 4900 wrote to memory of 1444	4900	cmd.exe	102
PID 408 wrote to memory of 2592	408	cc3597c530373ba8921a9f581312b782.exe	103
PID 408 wrote to memory of 2592	408	cc3597c530373ba8921a9f581312b782.exe	103
PID 408 wrote to memory of 3620	408	cc3597c530373ba8921a9f581312b782.exe	104
PID 408 wrote to memory of 3620	408	cc3597c530373ba8921a9f581312b782.exe	104
PID 3620 wrote to memory of 5092	3620	SecurityHealthService.exe	107
PID 3620 wrote to memory of 5092	3620	SecurityHealthService.exe	107
PID 5092 wrote to memory of 636	5092	cmd.exe	109
PID 5092 wrote to memory of 636	5092	cmd.exe	109
PID 3620 wrote to memory of 1616	3620	SecurityHealthService.exe	110
PID 3620 wrote to memory of 1616	3620	SecurityHealthService.exe	110
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111
PID 3620 wrote to memory of 4536	3620	SecurityHealthService.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc3597c530373ba8921a9f581312b782.exe
"C:\Users\Admin\AppData\Local\Temp\cc3597c530373ba8921a9f581312b782.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SecurityHealthService" /tr '"C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "SecurityHealthService" /tr '"C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1444
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
  "C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SecurityHealthService" /tr '"C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "SecurityHealthService" /tr '"C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"'
      4⤵
      Creates scheduled task(s)
      PID:636
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=46CZY5i6DAgK7WpYsJkH4aJSNWiaKhLMGiVMHtL35cXCNi2XU2Hhcz57q8a443oAC774qAAbfowcccQXLUPRe1qCVLFr4Cg/O_o --pass= --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=90 --tls --cinit-stealth
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
12KB

MD5
e4a6b92aa160fe9479d6b870ebc503dc

SHA1
eee811d57ddea909eaced16ec661e221a36318fe

SHA256
fdbe30e646b784c52e3687ee11d47ad196dea125afd36290a9923e2f23385edd

SHA512
204a6f4190b4f93779bf2aac23613b7ef2262d5516f3d4fac0d4c787033f52cf3452e35bb14370fefeeb68ecf9226e9ed90e65c7c8e446a0cbfc6aed3a54f110

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe

Filesize
1.9MB

MD5
9684d9e8703e3d718830fc8c297d32ed

SHA1
504fa237322c1b6becd2ffcb829430e1b7a192e6

SHA256
4ec5f7b30040ccf519516dd556c892c24dc537b882078a405ed33cb9c7120573

SHA512
e25d0fcfb91a3a024e8327dd9b55255da5e746087c654c9bfc4f672f6f2ff5b202ff514cc9c697564a8bd8fdeb1ac7bebc3a5281fa7af47fcdcc4dc72fdc011e

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe

Filesize
2.1MB

MD5
c8ec530e697c8263e173378a1267255d

SHA1
f8e17e35b74ea45eeb1348fd173bdfeccec95231

SHA256
e847e4aa56c34a65e70993f64520c55274e90bc5e4df4280492d6949e7f27c27

SHA512
cfdb0f083463d649efa38ec50df2bf2d6c062e3c9a2a19820ec26423842b941338b61e42312e96923b93bfa54ccdb27e8d46dd257247d2d8ec41a0f38f373fc0

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe

Filesize
1.2MB

MD5
1e70a3851c87d50fbfc753a1612fbeff

SHA1
854547841072719eddeeda2e7ae8c7936a5cb16a

SHA256
ec9390b61c682e9d82615da2dabbc83aaac190507e45741dcf2e4defd1fa26fb

SHA512
fa4c4ac78efe6aa094ad49b8a00f026fca4b7ec70c1b5e5dd7e49adeddbeb09171ca7e8f2a6c52cac9c4f59e11323c4970f857ec6f393e8d83bd51600e71a6c5

Download Submit
memory/408-31-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/408-1-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/408-2-0x000000001CBC0000-0x000000001CBD0000-memory.dmp

Filesize
64KB

Download
memory/408-3-0x000000001CFD0000-0x000000001D1F0000-memory.dmp

Filesize
2.1MB

Download
memory/408-5-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/408-0-0x0000000000C90000-0x0000000000EC2000-memory.dmp

Filesize
2.2MB

Download
memory/1616-66-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/1616-69-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/1616-67-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1616-51-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-25-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2592-34-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/2592-33-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/2592-36-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-30-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3620-52-0x000000001CBE0000-0x000000001CBEE000-memory.dmp

Filesize
56KB

Download
memory/3620-32-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3620-35-0x000000001CBF0000-0x000000001CC02000-memory.dmp

Filesize
72KB

Download
memory/3620-56-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3620-37-0x00007FFE0E910000-0x00007FFE0F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-59-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-57-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-60-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-61-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-62-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-64-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-63-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-65-0x0000000002BC0000-0x0000000002BE0000-memory.dmp

Filesize
128KB

Download
memory/4536-58-0x0000000002A00000-0x0000000002A20000-memory.dmp

Filesize
128KB

Download
memory/4536-53-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-68-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-55-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-70-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-71-0x0000000014970000-0x0000000014990000-memory.dmp

Filesize
128KB

Download
memory/4536-72-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-73-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-74-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4536-75-0x00000000149F0000-0x0000000014A10000-memory.dmp

Filesize
128KB

Download
memory/4536-76-0x0000000014A10000-0x0000000014A30000-memory.dmp

Filesize
128KB

Download