Malware Analysis Report

2025-01-06 15:09

Sample ID 240525-p5kf3ada96
Target miner 2.5.rar
SHA256 5bdf60fee182e68d2b9399028c93d79dddb833e2517694f5a0f17a6207e60c14
Tags miner, xmrig
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 5bdf60fee182e68d2b9399028c93d79dddb833e2517694f5a0f17a6207e60c14

Threat Level: Known bad

The file miner 2.5.rar was found to be: Known bad.

Malicious Activity Summary

miner xmrig

XMRig Miner payload

Xmrig family

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-25 12:54

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 12:54

Reported

2024-05-25 13:15

Platform

win10v2004-20240508-en

Max time kernel

450s

Max time network

1199s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe
PID 5032 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/832-0-0x000002A92E5A0000-0x000002A92E5C0000-memory.dmp

memory/832-1-0x000002A92E700000-0x000002A92E720000-memory.dmp

memory/832-2-0x000002A92E720000-0x000002A92E740000-memory.dmp

memory/832-3-0x000002A92E740000-0x000002A92E760000-memory.dmp

memory/832-4-0x000002A92E720000-0x000002A92E740000-memory.dmp

memory/832-5-0x000002A92E740000-0x000002A92E760000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 12:54

Reported

2024-05-25 13:15

Platform

win10-20240404-en

Max time kernel

315s

Max time network

1199s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe
PID 2192 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/3284-0-0x000001CE7DAD0000-0x000001CE7DAF0000-memory.dmp

memory/3284-1-0x000001CE7F4C0000-0x000001CE7F4E0000-memory.dmp

memory/3284-2-0x000001CE7F4E0000-0x000001CE7F500000-memory.dmp

memory/3284-3-0x000001CE7F500000-0x000001CE7F520000-memory.dmp

memory/3284-4-0x000001CE7F4E0000-0x000001CE7F500000-memory.dmp

memory/3284-5-0x000001CE7F500000-0x000001CE7F520000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 12:54

Reported

2024-05-25 13:14

Platform

win7-20240220-en

Max time kernel

840s

Max time network

1197s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp

Files

memory/2784-0-0x0000000000180000-0x00000000001A0000-memory.dmp

memory/2784-2-0x0000000002630000-0x0000000002650000-memory.dmp

memory/2784-1-0x0000000002610000-0x0000000002630000-memory.dmp

memory/2784-4-0x0000000002630000-0x0000000002650000-memory.dmp

memory/2784-3-0x0000000002610000-0x0000000002630000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 12:54

Reported

2024-05-25 13:15

Platform

win10v2004-20240508-en

Max time kernel

447s

Max time network

1202s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe
PID 3652 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/1064-0-0x000001A3D77F0000-0x000001A3D7810000-memory.dmp

memory/1064-1-0x000001A3D7830000-0x000001A3D7850000-memory.dmp

memory/1064-2-0x000001A469DB0000-0x000001A469DD0000-memory.dmp

memory/1064-3-0x000001A469FE0000-0x000001A46A000000-memory.dmp

memory/1064-4-0x000001A469DB0000-0x000001A469DD0000-memory.dmp

memory/1064-5-0x000001A469FE0000-0x000001A46A000000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-25 12:54

Reported

2024-05-25 13:15

Platform

win11-20240426-en

Max time kernel

746s

Max time network

1192s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe
PID 3552 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\pool_mine_example.cmd"

C:\Users\Admin\AppData\Local\Temp\miner 2.5\xmrig-6.21.3\xmrig.exe

xmrig.exe -o xmr.2miners.com:2222 -u 435StpkeVHdcvMVhY4SQNdHusi7VaQSNkZqa1bABLLdS5wtNcPrkJNDHvquj4NXXwbJav1T7RGgybAUJvHLKWGmJAhse82k -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/780-0-0x000001FE387D0000-0x000001FE387F0000-memory.dmp

memory/780-1-0x000001FE38810000-0x000001FE38830000-memory.dmp

memory/780-3-0x000001FE38850000-0x000001FE38870000-memory.dmp

memory/780-2-0x000001FE38830000-0x000001FE38850000-memory.dmp

memory/780-4-0x000001FE38830000-0x000001FE38850000-memory.dmp

memory/780-5-0x000001FE38850000-0x000001FE38870000-memory.dmp