xmrig | a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae

Analysis

max time kernel
150s
max time network
305s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 06:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae.exe
Size

32KB
MD5

70a2b765dda3f2bc823a5ce815e67808
SHA1

7fd170f6efd0a5a96124807a4035a8420b9a6423
SHA256

a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae
SHA512

c19bd890a4de662196f7dc7451a3a84dec729dec12bf820620eb40737bf0ce9298e1c8a98e13275ebbcc6a142b08143f499584050b228b95424b78913ce15143
SSDEEP

768:ZNT0Oj8/nq/FhgLGbLLzneLeoD0F7Pnd:Z5Qq/FhgLGbLveaF9

Score

10^/10

xmrig xworm miner rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral5/files/0x000100000002aa2e-402.dat	family_xworm

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral5/files/0x000100000002a9ec-589.dat	family_xmrig

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
273	bitbucket.org
409	bitbucket.org
588	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral5/files/0x000100000002a9e3-512.dat	autoit_exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800000f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae.exe

C:\Users\Admin\AppData\Local\Temp\a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae.exe
"C:\Users\Admin\AppData\Local\Temp\a915f3fc1b16a26921fae81d06542f90f2036207a5289d91ba32b80eb39949ae.exe"
1⤵
- Modifies system certificate store
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NI4YQYX1\AppGate2103v01[1].exe

Filesize
5.0MB

MD5
5111c44e0409c72968f79ca056e3fcfb

SHA1
7bcc5651b0143ea7df58ea521ab9c6b283666765

SHA256
7d308f38489962f4594dcd26e74f3404431cb79019a07194fbe9d27f39bcff6a

SHA512
0a17998f99bef19cc6936e19dc0e42df893d623ab53cd72ddf572ad13e8a7057de41e03b9e1854e137c1012af4d40d448b47ac1a8d8ea179f9de07f46374b828

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AdAu2EmW203YaDN.exe

Filesize
3.3MB

MD5
64257341e518ff4bf7f2370c048dbd4b

SHA1
aa58e632c09a2ca9e1f4e7f61b1532946f5efe37

SHA256
f03a1fff1539beb68be62ff8c8f137c37155bf3065ba988f2c4ee4831588250f

SHA512
e0dc0c9db115a6a2720e0325b0a50008301cc0daf4d0c849be522acda617db8118d621744d5aa89564aedfc259910d60f361eeed1fa04f077690f3a241ef43c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABdQMGFlKWkPHcr1.exe

Filesize
1.0MB

MD5
ea7dbf57173e3bdd6bc45ac3758fde60

SHA1
27bd51006590542a3e0b898f69e40ace6c431012

SHA256
19f6c51e7b7274657d3fc2611ec086323df6531fa9256c3ceddaa9d6000b2b91

SHA512
beda6884bbac13d5116492d3139ea91599f24cd71339a23f1f478156d54d62232d0c06ae33cddb42138420653167d6022aad8bc3090716e4eaeeb39160789dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABdQMGFlKWkPHcr1.exe

Filesize
300B

MD5
a037ae5c13701ee809d479c819509cd1

SHA1
662142925f6687bf4a13416dc7218317e4386f23

SHA256
30d52178587505d1a4873d5f27b1c107df58617f788db2765955c05e9fe7384b

SHA512
7ce5173fbee38cb5ae3afb0ed300bcc4c202055244cd6094eca1731d9ebcb76b032b46d5afb1db0d2a56adb13c5791cd74e33fbdc6ce3214c96b7b428f167356

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLB53q0oFoOgw3Ig.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLB53q0oFoOgw3Ig.exe

Filesize
4.1MB

MD5
046bebfd9a29feb9cd6e81659d235a95

SHA1
94fdaa0d2d80f33d6f2da03cd8b0cad2a40e72f0

SHA256
c24d5aa7093f64c3ee43dd3910477a0998f09cf23080f75e328669587dedd778

SHA512
11c064477913160aad1ee8b60172d14018fad385b0e677f3282d4113c7a5e2328a184ff9b55fa975cba601936962f4eb71b41544e4dead725ba00ac2f2d42ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pxhj7zF6JA9vTdpp.exe

Filesize
32KB

MD5
b3c17139f2dea8728e101a512fe39675

SHA1
c6dbc133419976d8d8ca15fa0f308f4533f1cac6

SHA256
c6dfe47f80593e7f8d0ff363dfea6d09fcc989ca81c6bb38bffdb02c66590121

SHA512
182066ccd38c806fc97109de365d73b3bc1bedd5fb19d56d70077ba1a661d117ee5edaaceea0e726d4fde48657d81a35623c104fb0a48d8b3b617cb728bf238f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pxhj7zF6JA9vTdpp.exe

Filesize
1.4MB

MD5
af3153454a8ee46af2a4c84ce6599e59

SHA1
42fa461b98dc5d6cce2ad2fa7cafbe1a9d0d2536

SHA256
ee36ca4fb0e7989882c8ad00bb19b71f2af27c5cac8bea6855d1fcf87d5be550

SHA512
8956caa3e63f839888d0d79bd473627c3fd1d8280ba0e9d010d5598da0ec7ea6ed88d5ba64c744b8d65dd28bad52162a9063d054e80e028dd2c246a097f1b79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pxhj7zF6JA9vTdpp.exe

Filesize
611KB

MD5
aea11c26ff4de7c6d5d3cca4cd97836f

SHA1
d870eedcc83fa063510e646bcbe9e55fe453887c

SHA256
40ff4057568f05f9d390cc0b10ff854f1e00ccd14e3a356f084181b3cf8a5810

SHA512
6526a72e1ef4f286562a772161ba8e8c4b626e5ba0c3fefafd7bdefe3311f5ef729be2617cc6e18a20d203af73a635f44c8ebafee8441b65b8b520cfcc1e6db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pxhj7zF6JA9vTdpp.exe

Filesize
4.1MB

MD5
63aaff2c7abae6a54651d4e703579c9c

SHA1
fe5697346cb6b7defb59434c8a50dcafe9ef1b28

SHA256
e0d0c303038e1a68905c2087176eca33a0deea084f62480fa5df3fd9f86a7cb0

SHA512
df7f29118f874aa607343ee311b34adf8cab5c8e7cecad79b9944164a2593e0c1f50f5e8d48baa0e85a3d32b2740f3531fe14c9d7cf8870c243389889247f734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pxhj7zF6JA9vTdpp.exe

Filesize
10.7MB

MD5
a14f7eea4f081394300d1b450a4c3b01

SHA1
1f407961a9b4df152d4fddc2c81066ac88ad47cf

SHA256
d6c54acd0455124757f21c5573c45f878aecc95a0413fe8feff2c57acb31bf30

SHA512
1ca918680dc811dec37cf6cb072747bac226a7c1655adff24dcf667d9a276edfdd21ebdf082cf07a072c8f5e85053dc79c5716dac59380932fa050959c2a6763

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pxhj7zF6JA9vTdpp.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlicZegshzD5dRVi.exe

Filesize
315B

MD5
a34ac19f4afae63adc5d2f7bc970c07f

SHA1
a82190fc530c265aa40a045c21770d967f4767b8

SHA256
d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3

SHA512
42e53d96e5961e95b7a984d9c9778a1d3bd8ee0c87b8b3b515fa31f67c2d073c8565afc2f4b962c43668c4efa1e478da9bb0ecffa79479c7e880731bc4c55765

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlicZegshzD5dRVi.exe

Filesize
3.1MB

MD5
81ce7ca5b0c17d2d525c04304d63973d

SHA1
289b4d6e1f8fa4621680541a65821329cb322ab9

SHA256
bd9d05232354895535a1ff4dfc8272ebe91aef6a3c5f87b68e5ef6feff2bd8f7

SHA512
7a0456c8e139bba20e6bc0d686451c90b12a5ef3493538b97293f19d73032e29511bf934cf79ef8e4e74e57115f5a5ee02b6e4e4e783a39ff6af56383db5cce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlicZegshzD5dRVi.exe

Filesize
2.2MB

MD5
facd0fbd0b0f61da2faa16d1a162f2fa

SHA1
64cf679525aa81e15ffac6a68b632828328c4d2f

SHA256
beceb1700e40dbb044c8fdf58c0f7ffafe3a241323e3668154e53d524a4e1a77

SHA512
fdca0950258329e4be3df59be0b210758cf8023befe9cf8f0a6c00e6f379678c82ed59d4c2da6291df306783fc068d35c8308f81556350746d631cb19884a695

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1UDhPFR0iDqIz3L.exe

Filesize
3.4MB

MD5
0daa8b35d2dfb2705380532d9d2728e0

SHA1
ad42470be59afbc6866d0f0ebca0984518b66e9a

SHA256
5744c936ea3755f5a9e28f193112bb911be159445e74fe19b27269ad03fa80a8

SHA512
6f470ef4876d6853f247f8708edfb783040cd98d0744c907fc239255c7d4fcae5ef7fb0d95f907b6b8b1ef488f51d10a1eac5b921054cf1666d330b6ef7c7af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1UDhPFR0iDqIz3L.exe

Filesize
3.4MB

MD5
ed9f75544329d1555605b0faf65349c5

SHA1
519e6c4c3caeb7bd1bbda32eac5b1626831282d2

SHA256
68ae231a16c126246d18dde81b339f765f2674c8e9a9dde7ec956ccf009c6777

SHA512
39a8a720c98c4c59ecdfa89ba3d0bae9dfff1dc9e0c0f622ef5859c26fa78605d505f01ff13523e53f4d4d6dbc9315c205f8384a47e84ed45d34845f8e31ee62

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1UDhPFR0iDqIz3L.exe

Filesize
5.4MB

MD5
10ec0ba0655ee2e698515182f89aaae9

SHA1
45a434a936ed054e37a1f444a40e4814470d1ab4

SHA256
5d9048b38069d00c4750faf69e8b2caa0672ae70f0f1fa33c75e3928badc9f43

SHA512
8c1a6124e6feb6e562ee31f89921b69d2027fc37cf3dc21cbbd9339f3f9284206114fd3b862dbedb50876b540b82fca3df4b00f760e303326e71db413c5a469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1txsgIg1W5RngdH.exe

Filesize
19B

MD5
595e88012a6521aae3e12cbebe76eb9e

SHA1
da3968197e7bf67aa45a77515b52ba2710c5fc34

SHA256
b16e15764b8bc06c5c3f9f19bc8b99fa48e7894aa5a6ccdad65da49bbf564793

SHA512
fd13c580d15cc5e8b87d97ead633209930e00e85c113c776088e246b47f140efe99bdf6ab02070677445db65410f7e62ec23c71182f9f78e9d0e1b9f7fda0dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1txsgIg1W5RngdH.exe

Filesize
472KB

MD5
473515ae71a3c24cd47c301c4f5f5bed

SHA1
8d4c49df6f8a3cd592c7872e080a00243ec8976b

SHA256
1f1013225a25664b94d97b0cc0e2d0b0ad03e9b98b43699575cc5ffeca9d3366

SHA512
2b32859a9c957554bfc5e8ac4856ba6d8ae1e279b84b41610a712ca75b43ad4f379a113a6550a58a431c7d1ff652be69b002754a93b63c67db5491d90a5ae646

Download Submit