xmrig | 517f321c489f68449571c735e9c1cbae5d3241a6872972b687be97d2b5d04903

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222/NanoCorex.exe
Size

5.5MB
MD5

86e969198fa021717306f6e1fa91f548
SHA1

8ff9dc70c623824f91c75af4a4a57b62cea0f0b3
SHA256

5d66f49d642c092195beca3500408edd09409fefc65284ec3f69a8454dc3dfa7
SHA512

36d9d1a468575aa2a76c486a61fa430eae095f5ec24c75915523b758339d00844b5695665101740cce1c3cc61ed3bf8014d623a02feddfbd06cfa2db06761f0e
SSDEEP

98304:TJnZwQ8/VAQRxdsPKJ/lRM/oO3FX5Tz1m2HK1LtKfDAy9Yi7O+Kx:TJWQ8/GQDd3JjPOVXRzPHGL4fDAy9Yiq

Score

10^/10

xmrig defense_evasion discovery evasion miner persistence privilege_escalation

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral12/memory/4748-28-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-29-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-30-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-31-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-32-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-33-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-51-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-54-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-55-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-56-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/4748-57-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4552	netsh.exe
4384	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	NanoCorex.exe

Executes dropped EXE 2 IoCs

pid	Process
4748	TiWorker.exe
972	NanoCore.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
3116	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TiWorker.exe	NanoCorex.exe
File created	C:\Windows\SysWOW64\config.json	NanoCorex.exe
File opened for modification	C:\Windows\SysWOW64\config.json	NanoCorex.exe
File created	C:\Windows\SysWOW64\MicrosoftWindows.xml	NanoCorex.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindows.xml	NanoCorex.exe
File created	C:\Windows\SysWOW64\TiWorker.exe	NanoCorex.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NanoCore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
660	NanoCorex.exe
660	NanoCorex.exe
660	NanoCorex.exe
660	NanoCorex.exe
660	NanoCorex.exe
660	NanoCorex.exe
660	NanoCorex.exe
660	NanoCorex.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4748	TiWorker.exe
Token: SeDebugPrivilege	972	NanoCore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
972	NanoCore.exe
972	NanoCore.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1216	660	NanoCorex.exe	85
PID 660 wrote to memory of 1216	660	NanoCorex.exe	85
PID 1216 wrote to memory of 2204	1216	cmd.exe	87
PID 1216 wrote to memory of 2204	1216	cmd.exe	87
PID 1216 wrote to memory of 5072	1216	cmd.exe	88
PID 1216 wrote to memory of 5072	1216	cmd.exe	88
PID 660 wrote to memory of 3116	660	NanoCorex.exe	89
PID 660 wrote to memory of 3116	660	NanoCorex.exe	89
PID 3116 wrote to memory of 208	3116	cmd.exe	91
PID 3116 wrote to memory of 208	3116	cmd.exe	91
PID 660 wrote to memory of 856	660	NanoCorex.exe	92
PID 660 wrote to memory of 856	660	NanoCorex.exe	92
PID 856 wrote to memory of 4384	856	cmd.exe	94
PID 856 wrote to memory of 4384	856	cmd.exe	94
PID 660 wrote to memory of 5040	660	NanoCorex.exe	95
PID 660 wrote to memory of 5040	660	NanoCorex.exe	95
PID 5040 wrote to memory of 4552	5040	cmd.exe	97
PID 5040 wrote to memory of 4552	5040	cmd.exe	97
PID 660 wrote to memory of 4712	660	NanoCorex.exe	98
PID 660 wrote to memory of 4712	660	NanoCorex.exe	98
PID 4712 wrote to memory of 3300	4712	cmd.exe	100
PID 4712 wrote to memory of 3300	4712	cmd.exe	100
PID 660 wrote to memory of 2152	660	NanoCorex.exe	101
PID 660 wrote to memory of 2152	660	NanoCorex.exe	101
PID 2152 wrote to memory of 4516	2152	cmd.exe	103
PID 2152 wrote to memory of 4516	2152	cmd.exe	103
PID 2152 wrote to memory of 1996	2152	cmd.exe	104
PID 2152 wrote to memory of 1996	2152	cmd.exe	104
PID 660 wrote to memory of 1948	660	NanoCorex.exe	107
PID 660 wrote to memory of 1948	660	NanoCorex.exe	107
PID 1948 wrote to memory of 3420	1948	cmd.exe	109
PID 1948 wrote to memory of 3420	1948	cmd.exe	109
PID 660 wrote to memory of 972	660	NanoCorex.exe	110
PID 660 wrote to memory of 972	660	NanoCorex.exe	110
PID 660 wrote to memory of 972	660	NanoCorex.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCorex.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:2204
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "WindowsUpdate"
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
  2⤵
  - Indicator Removal: Clear Persistence
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\schtasks.exe
    schtasks /Delete /TN "WindowsUpdate" /F
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
    3⤵
    PID:4516
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\certutil.exe
    certutil –addstore –f root MicrosoftWindows.crt
    3⤵
    PID:3420
- C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe
  "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:972

C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\SysWOW64\TiWorker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

Filesize
1KB

MD5
1bb617d3aab1dbe2ec2e4a90bf824846

SHA1
bbe179f1bdc4466661da3638420e6ca862bd50ca

SHA256
1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580

SHA512
ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Fixed_Cracked By Alcatraz3222\NanoCore.exe

Filesize
1.4MB

MD5
1728acc244115cbafd3b810277d2e321

SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBCD8.tmp

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
C:\Windows\SysWOW64\MicrosoftWindows.xml

Filesize
4KB

MD5
b1cbfcc7b7a5716a30b77f5dc5bb6135

SHA1
5c397ffd7a845b2fdf9e82ff73698784a91a2fb9

SHA256
96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430

SHA512
d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

Download Submit
C:\Windows\SysWOW64\config.json

Filesize
1011B

MD5
3da156f2d3307118a8e2c569be30bc87

SHA1
335678ca235af3736677bd8039e25a6c1ee5efca

SHA256
f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb

SHA512
59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

Download Submit
memory/4748-33-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-29-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-30-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-31-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-19-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-28-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-32-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-20-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-51-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-54-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-55-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-56-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/4748-57-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download