xmrig | 40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779

Analysis

max time kernel
144s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 07:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
Size

3.1MB
MD5

2f03ead3988fc2b5e16470ed0a96557d
SHA1

4d0dcb7ebb340af8887fdec5f665eb091db9caf6
SHA256

40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779
SHA512

799830b418d6bf37a4d7bcd9649ee6d2f0551101029fecb5e44e8115fd7e29daabd8e662e316565bd6e1e36aaf9c26a82c49c7bd65e7eb28a73e9c3930c90ca6
SSDEEP

49152:ByTeFwtj0HLirwzPPk/iZuKsZxof6SD3nlOyT3Pwsu8/Cf6PyBXEjk1:ByVEer3/iQZxofZXlOaN/Cf66NEa

Score

10^/10

xmrig execution miner persistence vmprotect

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023447-49.dat	family_xmrig
behavioral2/files/0x0007000000023447-49.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	w.exe

Executes dropped EXE 5 IoCs

pid	Process
3924	w.exe
1968	csrss.exe
4120	csrss.exe
4592	svchost.exe
3128	chrome.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023441-39.dat	vmprotect
behavioral2/memory/4592-41-0x0000000000400000-0x000000000055E000-memory.dmp	vmprotect
behavioral2/memory/4592-42-0x0000000000400000-0x000000000055E000-memory.dmp	vmprotect
behavioral2/memory/4592-55-0x0000000000400000-0x000000000055E000-memory.dmp	vmprotect

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\systam33\w.bat	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification	C:\Windows\Fonts\systam33\svchost.ini	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification	C:\Windows\Fonts\systam33\svchost.exe	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created	C:\Windows\Fonts\systam33\w.exe	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created	C:\Windows\Fonts\chrome\chrome.exe	w.exe
File opened for modification	C:\Windows\Fonts\systam33\svchost.log	svchost.exe
File created	C:\Windows\Fonts\systam33\1.ini	cmd.exe
File created	C:\Windows\Fonts\systam33\csrss.exe	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created	C:\Windows\Fonts\systam33\svchost.exe	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification	C:\Windows\Fonts\systam33\w.exe	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification	C:\Windows\Fonts\chrome\config.json	w.exe
File opened for modification	C:\Windows\Fonts\chrome\chrome.exe	w.exe
File created	C:\Windows\Fonts\chrome\WinRing0x64.sys	w.exe
File opened for modification	C:\Windows\Fonts\chrome\WinRing0x64.sys	w.exe
File created	C:\Windows\Fonts\systam33\w.bat	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created	C:\Windows\Fonts\systam33\svchost.ini	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File opened for modification	C:\Windows\Fonts\systam33\csrss.exe	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
File created	C:\Windows\Fonts\chrome\xmrig-asm.lib	w.exe
File opened for modification	C:\Windows\Fonts\chrome\xmrig-asm.lib	w.exe
File created	C:\Windows\Fonts\chrome\config.json	w.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2628	sc.exe
4864	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
648	PING.EXE
2084	PING.EXE
4648	PING.EXE
2760	PING.EXE
2780	PING.EXE
764	PING.EXE
3948	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
Token: SeIncBasePriorityPrivilege	3924	w.exe
Token: SeLockMemoryPrivilege	3128	chrome.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3128	chrome.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 3924	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	83
PID 1064 wrote to memory of 3924	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	83
PID 1064 wrote to memory of 3924	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	83
PID 1064 wrote to memory of 3472	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	84
PID 1064 wrote to memory of 3472	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	84
PID 1064 wrote to memory of 3472	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	84
PID 1064 wrote to memory of 3392	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	86
PID 1064 wrote to memory of 3392	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	86
PID 1064 wrote to memory of 3392	1064	40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe	86
PID 3472 wrote to memory of 3380	3472	cmd.exe	89
PID 3472 wrote to memory of 3380	3472	cmd.exe	89
PID 3472 wrote to memory of 3380	3472	cmd.exe	89
PID 3924 wrote to memory of 2032	3924	w.exe	90
PID 3924 wrote to memory of 2032	3924	w.exe	90
PID 3924 wrote to memory of 2032	3924	w.exe	90
PID 3472 wrote to memory of 648	3472	cmd.exe	91
PID 3472 wrote to memory of 648	3472	cmd.exe	91
PID 3472 wrote to memory of 648	3472	cmd.exe	91
PID 3392 wrote to memory of 2084	3392	cmd.exe	93
PID 3392 wrote to memory of 2084	3392	cmd.exe	93
PID 3392 wrote to memory of 2084	3392	cmd.exe	93
PID 2032 wrote to memory of 4648	2032	cmd.exe	94
PID 2032 wrote to memory of 4648	2032	cmd.exe	94
PID 2032 wrote to memory of 4648	2032	cmd.exe	94
PID 3472 wrote to memory of 2628	3472	cmd.exe	97
PID 3472 wrote to memory of 2628	3472	cmd.exe	97
PID 3472 wrote to memory of 2628	3472	cmd.exe	97
PID 3472 wrote to memory of 2760	3472	cmd.exe	98
PID 3472 wrote to memory of 2760	3472	cmd.exe	98
PID 3472 wrote to memory of 2760	3472	cmd.exe	98
PID 3472 wrote to memory of 1968	3472	cmd.exe	99
PID 3472 wrote to memory of 1968	3472	cmd.exe	99
PID 3472 wrote to memory of 1968	3472	cmd.exe	99
PID 3472 wrote to memory of 2780	3472	cmd.exe	100
PID 3472 wrote to memory of 2780	3472	cmd.exe	100
PID 3472 wrote to memory of 2780	3472	cmd.exe	100
PID 3472 wrote to memory of 4120	3472	cmd.exe	101
PID 3472 wrote to memory of 4120	3472	cmd.exe	101
PID 3472 wrote to memory of 4120	3472	cmd.exe	101
PID 3472 wrote to memory of 764	3472	cmd.exe	102
PID 3472 wrote to memory of 764	3472	cmd.exe	102
PID 3472 wrote to memory of 764	3472	cmd.exe	102
PID 3472 wrote to memory of 4864	3472	cmd.exe	103
PID 3472 wrote to memory of 4864	3472	cmd.exe	103
PID 3472 wrote to memory of 4864	3472	cmd.exe	103
PID 3472 wrote to memory of 3948	3472	cmd.exe	106
PID 3472 wrote to memory of 3948	3472	cmd.exe	106
PID 3472 wrote to memory of 3948	3472	cmd.exe	106
PID 4592 wrote to memory of 3128	4592	svchost.exe	105
PID 4592 wrote to memory of 3128	4592	svchost.exe	105
PID 3472 wrote to memory of 1800	3472	cmd.exe	108
PID 3472 wrote to memory of 1800	3472	cmd.exe	108
PID 3472 wrote to memory of 1800	3472	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe
"C:\Users\Admin\AppData\Local\Temp\40331d6e3d18c61d5591aa85fc455f6674e78924ce4660ce18221aa49f696779.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\Fonts\systam33\w.exe
  "C:\Windows\Fonts\systam33\w.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~46CD.tmp.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systam33\w.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=16 lines=2
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:648
- - C:\Windows\SysWOW64\sc.exe
    sc create UmRdpSerivce binPath= C:\Windows\Fonts\systam33\svchost.exe start= auto
    3⤵
    - Launches sc.exe
    PID:2628
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2760
- - C:\Windows\Fonts\systam33\csrss.exe
    csrss set UmRdpSerivce DisplayName "Remote Desktop Services UserMode Port Redriector"
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2780
- - C:\Windows\Fonts\systam33\csrss.exe
    csrss set UmRdpSerivce Description "Allows the redirection of Printers/Drives/Ports for RDP connectoins"
    3⤵
    - Executes dropped EXE
    PID:4120
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:764
- - C:\Windows\SysWOW64\sc.exe
    sc start UmRdpSerivce
    3⤵
    - Launches sc.exe
    PID:4864
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3948
- - C:\Windows\SysWOW64\regini.exe
    regini 1.ini
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~44F8.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2084

C:\Windows\Fonts\systam33\svchost.exe
C:\Windows\Fonts\systam33\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\Fonts\chrome\chrome.exe
  C:\Windows\Fonts\chrome\chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~44F8.tmp.bat

Filesize
266B

MD5
515c5ab1bba53eb7acbf281eba8374e0

SHA1
6765a6f12b36bdd914aab7b093b8738d7288d4e0

SHA256
a48bcdb7a59fce333ddcd1e33e6547df049231ad42f032440aaa51075f9ac943

SHA512
cc7416c518866fa1969f22ccdcae7658ab3c6a6de424829565937b41f455338d7e13c401131ff2611e8d8af4d5c26994ed6a81896f62dd2c995cde8824045ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~46CD.tmp.bat

Filesize
124B

MD5
9e8e1faaaf54789725159a1e527e8a15

SHA1
edec5b0de9a98b93106d8e951b323007d6b62726

SHA256
4150d0db0898ea43c5ac912fa94dc8567783755d3252bd28e3d40c5de4758851

SHA512
723c6751215188cfd81d57d873522b56724a0a6c7fdfe38c730a648a43b98db024bcd482de224b5d4201188f91d264bb4dacc653fdea2d1a3f0a8dc11e979b81

Download Submit
C:\Windows\Fonts\chrome\chrome.exe

Filesize
5.2MB

MD5
6b592d1cceaf329c68acaff75fb80be2

SHA1
ebf5f792c4672973d366b14715b828e9e6e18dac

SHA256
f6be8784ea31ee34b36efe2cb5d68bfec8fa33ab1a550c6fccb63cf469fe1208

SHA512
4d32d48c29487eea40e3decfe9cc05e40c356df46eca51ac4ccef0bbb31abfb441f592b3bbd491ef5748865637f4420ebfbb76ab5e3df221148e8de8ba8f5138

Download Submit
C:\Windows\Fonts\chrome\config.json

Filesize
2KB

MD5
3a2058068bc4a85ecd8edb7a7ebd3b09

SHA1
6f3ee264746612708e6cb1edd5b1e998bb9cfd5e

SHA256
f332695c2d7a40f634b93befbb479d854934cdf7d09bac8450382ea94c971239

SHA512
39e18d39522a2db7e0c9db438e51901810efa20fb3d9125467e4025fff012024decf2601d2d9731b619d5f189715fcafff07f751c9e579fcfee3394897f5e3d3

Download Submit
C:\Windows\Fonts\systam33\1.ini

Filesize
73B

MD5
792c1d6adbc2d208c00b35e55d1d98d6

SHA1
dd15327dd92517b395d0873f1655e60097455a29

SHA256
f093e254d918363e7f1e61b1f3b76692395f96d124fae1b77cb791e3a1a286bd

SHA512
c1ccaef5f5ff78a613d2dd1271af4427ad94797d3f9bf26f5a30637376435dfd7a51cc23844dc9ac6553b43775507d3b2def8b867f1a5305feb1ad0c4bfe1801

Download Submit
C:\Windows\Fonts\systam33\csrss.exe

Filesize
286KB

MD5
b80172424d378e595b8ed4254ea7a492

SHA1
56d2049d50c38ff3e0fda94f0af5344c253abe35

SHA256
c67b6e6bde919aec414bc2176a77d6082758636e8d60d2ca83198a10d4cec9c7

SHA512
7de17c82076248e253335319970010b73e87ecb5c3ed00387a9d353edc31afbfcc58f09afbe3edacc1cef8b637d4d272cbf13d857135e7fbb364c0f3a7a9dd85

Download Submit
C:\Windows\Fonts\systam33\svchost.exe

Filesize
684KB

MD5
cf7341a71cb0117e651fd1b4dc414657

SHA1
b34b4aa0f90fa9e02d4bd3fc64644b07d27876f4

SHA256
d55e4e16c8c60095c9897bea7db8fb71bf099008a3bc942a6062ffd5c0f05b27

SHA512
a161caafacaea87caada40b52753512ca83242e3c5a129793686843fdecb667e0fa5b92a384c260a7f11f38009fa787a39e8487628fb52bb81c1dd813c293859

Download Submit
C:\Windows\Fonts\systam33\svchost.ini

Filesize
252B

MD5
62eb1b85bc112779e5bf0d380e92476d

SHA1
e32ecf8b742db94681b9dc6ad6bc7da966699fb2

SHA256
49fa9854a9283cf2f82d1a2e9be542ee438069542f3ab8acbb93e130968df463

SHA512
3a44c33a3793b29f0d060265e1e448b228b49f404a6dec88222798606da57063a7cf6f03bcc0aa93bd9c4e05d4b1e70da136a1eac901dd6e727837cfe4607df3

Download Submit
C:\Windows\Fonts\systam33\w.bat

Filesize
531B

MD5
48b7fb879283096712fca22f385750f1

SHA1
7ba4395c9a84f6df15fb38cbc325fed38ee3a75a

SHA256
d6f5b894cfb148c85f5176ddb7426d82c742769c38a0c5be29b93a1b9fdfce3b

SHA512
fe3849c9139721978781bce2bb3fa97270f61df890ed79b6ecf4d7499351f12d474341dbcb89a9afb15bf54e081b79f06e34667832afee1377ec719a6326473b

Download Submit
C:\Windows\Fonts\systam33\w.exe

Filesize
2.2MB

MD5
e18bb32fccbca160f1e64777065a7f9c

SHA1
c94a7c7f6e74bbd25e6e3a2f20d1888de1d73c39

SHA256
8d3e6f50c5ec01cff2af94c635942daf3a55a43453639755acc1b5d27c51b6ab

SHA512
8c4ec28de9443ae439b256afa108902ecf75a091d177be03abe059e75db597c3451917fd8f37f48e3024be5521678781a7029fce71ac367d1b8491a08ee3ca05

Download Submit
memory/3128-51-0x0000022E14D60000-0x0000022E14D80000-memory.dmp

Filesize
128KB

Download
memory/4592-41-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4592-42-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4592-55-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download