xmrig | f1533c81040a0ac5e79d6efd203a03468991aa836fdedcac282ea43a23d653ce

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 17:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ForceOP.exe
Size

35.2MB
MD5

701acb492914a27edd4985aa1a65879a
SHA1

d354180fccbaf877a24aa542adad1edfbc2e6d63
SHA256

f1533c81040a0ac5e79d6efd203a03468991aa836fdedcac282ea43a23d653ce
SHA512

38e35846244c38b4b4b9910789848c92215dbe2a869fbe4fcb3060ac2ad67dee9a8da729f19448524ad6020eaf3345c3c1973b9555763f08a4613cefb4824556
SSDEEP

393216:d76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfdnVQx4urYsANulL7NJ:d0LoCOn+2ds4urYDNulLBiucS

Score

10^/10

xmrig miner spyware stealer

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000800000002343c-30.dat	family_xmrig
behavioral2/files/0x000800000002343c-30.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	ForceOP.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\x.vbs	taskmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
3980	xmrig.exe

Loads dropped DLL 1 IoCs

pid	Process
4244	ForceOP.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	taskmgr.exe
Token: SeSystemProfilePrivilege	1308	taskmgr.exe
Token: SeCreateGlobalPrivilege	1308	taskmgr.exe
Token: SeLockMemoryPrivilege	3980	xmrig.exe
Token: SeLockMemoryPrivilege	3980	xmrig.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2544	4244	ForceOP.exe	91
PID 4244 wrote to memory of 2544	4244	ForceOP.exe	91
PID 2544 wrote to memory of 1080	2544	cmd.exe	92
PID 2544 wrote to memory of 1080	2544	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\ForceOP.exe
"C:\Users\Admin\AppData\Local\Temp\ForceOP.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs""
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    - Checks computer location settings
    PID:1080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
1⤵
PID:880

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xmrig.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xmrig.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pkg\1a0a9582c7f361685569cf47e056b1fc4deb3bfa8bdf729de8cf27a57aa06508\win-protect\build\Release\winprotect.node

Filesize
122KB

MD5
f3e3ad31a1bd2a88f0b13e0d4188b015

SHA1
42df1fd1ac0582447ee87359c953d09f14b5cd25

SHA256
1a0a9582c7f361685569cf47e056b1fc4deb3bfa8bdf729de8cf27a57aa06508

SHA512
f38810ecd8fa65df2abedef1c839d9ac538b2d490b1d2ace5118b38f78af53ee92e9c12fbfcabadb0a5d99083f1ddb138df478a34784fb06b7939a0cbdca1e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
178B

MD5
2d08d0fce4eb145adc494664ee1f5db5

SHA1
e830a7b9ac1bb3963c0f95521a67b26aac7a3b75

SHA256
0816bd2aa4a4b642a8ceebe79d3a02715d416368efc97cbae460479ae6addee1

SHA512
63895cab7535923393bc1c7a1ebb95d9bb9d0f83286cbde6972b5072971fb44a014da861ac78fdae6fb754653b6678acd714319b1eb356e868b894c848dfc352

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\config.json

Filesize
446B

MD5
8b991ed3b0f511495818bdf83088a4f0

SHA1
96b4600da4c1f12ca6ab063f488a9363c0892e47

SHA256
ea8b6009d7df7bb957b892bbd83e5c598a36c8f824ed3ea2d0830b71b54f3ce1

SHA512
07c1d0c25065c88f88dba89768ed364fa9b2b05dec631b3ef416f75da9df1524ab73c7bccaac1f394798cf36531e82c477032e30aec4482b3af44b68f8164ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xmrig.exe

Filesize
4.6MB

MD5
bbbd345c542ae27d16f51342036e2a98

SHA1
725c6df0c38ac6418f2362d43e03bbed926a9103

SHA256
5fb19a0330a24d6a1f40dc67776953c2205c31ee4900051c0bdac31799ce74c6

SHA512
0311bdaff197b72cc1d42addc1fc4fb6dafd5547cbd38bc1d3cd6691d6b7d45f4a0a899af7aef13a1f68e12a44c01142164d39e33bc53facc4104a6f7dcb5c74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xmrig.exe

Filesize
7.9MB

MD5
e2fe87cc2c7dab8ca6516620dccd1381

SHA1
f714ec0448325435103519452610cf7aadf8bbba

SHA256
d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4

SHA512
8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Download Submit
memory/1308-25-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-22-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-28-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-16-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-26-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-27-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-24-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-23-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-18-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/1308-17-0x000002374D150000-0x000002374D151000-memory.dmp

Filesize
4KB

Download
memory/3980-32-0x000001C32F470000-0x000001C32F490000-memory.dmp

Filesize
128KB

Download