xmrig | c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
Size

2.5MB
MD5

25b54d8f7b1a6ab3917b287f46397662
SHA1

7e10ddf33e6834fd0c02679d352885da13648043
SHA256

c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d
SHA512

d27f432dd321e05685bd2762863a9a67e1615781d7c2077a3a683cd44f52cb2d29863ca586bce97f8f3f81479e75aada05829ef379611176661b5b3890778681
SSDEEP

49152:sf4a+2CTAF1ja2hrkJ0UXeFvcpnIUsLgLfjnWspdwnicE6LvPpeGP/UOLpOYC9:m+bAjhhrkaUXeFvcE+fKYihEeomLpOH9

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2624-20-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-24-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-25-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-23-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-22-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-26-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2624-27-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
632	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-20-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-24-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-25-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-26-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2624-27-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2776	powercfg.exe
2612	powercfg.exe
2784	powercfg.exe
2712	powercfg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2624	2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe	54

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2744	sc.exe
2212	sc.exe
2884	sc.exe
2584	sc.exe
2796	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
632	powershell.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe
2624	conhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	powershell.exe
Token: SeShutdownPrivilege	2784	powercfg.exe
Token: SeShutdownPrivilege	2776	powercfg.exe
Token: SeLockMemoryPrivilege	2624	conhost.exe
Token: SeShutdownPrivilege	2612	powercfg.exe
Token: SeShutdownPrivilege	2712	powercfg.exe
Token: SeLockMemoryPrivilege	2624	conhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2880	2232	cmd.exe	39
PID 2232 wrote to memory of 2880	2232	cmd.exe	39
PID 2232 wrote to memory of 2880	2232	cmd.exe	39
PID 2460 wrote to memory of 2624	2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe	54
PID 2460 wrote to memory of 2624	2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe	54
PID 2460 wrote to memory of 2624	2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe	54
PID 2460 wrote to memory of 2624	2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe	54
PID 2460 wrote to memory of 2624	2460	c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe	54

C:\Users\Admin\AppData\Local\Temp\c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe
"C:\Users\Admin\AppData\Local\Temp\c680ca35412f9ebf681b1f699c6de6a59164c1a1f269f06e452bd0638d5ebf4d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2880
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2744
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2212
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-4-0x000007FEF5EEE000-0x000007FEF5EEF000-memory.dmp

Filesize
4KB

Download
memory/632-5-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/632-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/632-7-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/632-8-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/632-9-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/632-10-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/632-11-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/632-12-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-20-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-21-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2624-24-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-25-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-26-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-27-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download