xmrig | 54daf89aa3776125914b24afe9c24b16f8bf92c87ccb954b2a4963cccedfcecd

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 16:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

nslookup.exe
Size

3.5MB
MD5

8ba3d0a1644dd0c500cb9b5711a49075
SHA1

d61daa1d00a9fc7daeceb3ad0ade5fb86162722c
SHA256

54daf89aa3776125914b24afe9c24b16f8bf92c87ccb954b2a4963cccedfcecd
SHA512

3b06d7523e6de94575f88560ffa24b9f2463e459660c4cdd87a45790813c607f1da092694d2fcb48deda27191f4067121851b423117ee285e7efab7d65a828b6
SSDEEP

98304:1vBllU3QaTp4uF1FPzWkxA8ToX3CtHdDwn:NDOlWEToX389k

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2672 created 3472	2672	nslookup.exe	56
PID 2672 created 3472	2672	nslookup.exe	56
PID 2672 created 3472	2672	nslookup.exe	56

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/2668-8-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-9-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-10-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-11-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-12-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-13-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-14-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-15-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-16-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-17-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-18-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-19-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-20-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig
behavioral2/memory/2668-21-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	xmrig

Blocklisted process makes network request 18 IoCs

flow	pid	Process
35	2668	cmd.exe
37	2668	cmd.exe
39	2668	cmd.exe
48	2668	cmd.exe
53	2668	cmd.exe
54	2668	cmd.exe
55	2668	cmd.exe
62	2668	cmd.exe
63	2668	cmd.exe
64	2668	cmd.exe
65	2668	cmd.exe
66	2668	cmd.exe
85	2668	cmd.exe
86	2668	cmd.exe
87	2668	cmd.exe
88	2668	cmd.exe
89	2668	cmd.exe
90	2668	cmd.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2668-5-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-8-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-9-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-10-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-11-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-12-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-13-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-14-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-15-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-16-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-17-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-18-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-19-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-20-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx
behavioral2/memory/2668-21-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp	upx

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2160	powercfg.exe
752	powercfg.exe
852	cmd.exe
3512	powercfg.exe
1684	powercfg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2668	2672	nslookup.exe	105

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1072	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	nslookup.exe
2672	nslookup.exe
2672	nslookup.exe
2672	nslookup.exe
2672	nslookup.exe
2672	nslookup.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3512	powercfg.exe
Token: SeCreatePagefilePrivilege	3512	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: 36	1072	WMIC.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeCreatePagefilePrivilege	1684	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: 36	1072	WMIC.exe
Token: SeShutdownPrivilege	2160	powercfg.exe
Token: SeCreatePagefilePrivilege	2160	powercfg.exe
Token: SeShutdownPrivilege	752	powercfg.exe
Token: SeCreatePagefilePrivilege	752	powercfg.exe
Token: SeLockMemoryPrivilege	2668	cmd.exe
Token: SeLockMemoryPrivilege	2668	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1072	3508	cmd.exe	100
PID 3508 wrote to memory of 1072	3508	cmd.exe	100
PID 852 wrote to memory of 3512	852	cmd.exe	101
PID 852 wrote to memory of 3512	852	cmd.exe	101
PID 852 wrote to memory of 1684	852	cmd.exe	102
PID 852 wrote to memory of 1684	852	cmd.exe	102
PID 852 wrote to memory of 2160	852	cmd.exe	103
PID 852 wrote to memory of 2160	852	cmd.exe	103
PID 852 wrote to memory of 752	852	cmd.exe	104
PID 852 wrote to memory of 752	852	cmd.exe	104
PID 2672 wrote to memory of 2668	2672	nslookup.exe	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\nslookup.exe
  "C:\Users\Admin\AppData\Local\Temp\nslookup.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe cdzvkjfteomgpfjf 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkU7CEqIVD1830dRZ9AHiIZIS6SoL2f58xJTTD3J7lIBRqw903/YMefPjKNBQheGE9/LnU9FrP36+OtWS/JiRyw6CeIxt2J6jwRsi9jR2KwmIInu8nYDWhhMHKM0AIA1xUsa1pB/+aKase6FeLUwR7ya9Xf7i6bQ7yxPdzFujJiGAmdxp71RojGSwzjis33epCXTYvqYQ0TLB9Zop5WYoiZpI39CNTkdCgLOgnPufcQLcftTZTSOcGB0Q27hAGimUIfSer+gh2aUrLUNgWUXWYWDoxn9UeKex4DQ7QF3tr8U/pASiM/xLZpttlPzZO9qhiEtyLn8y0AeaHAjUY+CT96Nw6N5Dn/6Dp0KuGRKGmXdba2AtsRfdMfXyThR0tGhyucJUQ34ihX773uuNkYPc00wEzxdeUTSXskftBG1bYYRm5VpzE+pldoYlsAYb34tXBeFXmrEWjsoopduCPk5VmXtUQ2sNMD/lqaq0SNiVQgng1v5nfNvPNR8F6RBjh14oeFbseQJmQSg45ltrDfJ6PLkrd3fgbijOJPiFYhtPKn/6Y=
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/2668-11-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-14-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-5-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-7-0x00000241ADDF0000-0x00000241ADE10000-memory.dmp

Filesize
128KB

Download
memory/2668-8-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-9-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-10-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-21-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-20-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-12-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-13-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-15-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-16-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-17-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-18-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2668-19-0x00007FF7F18B0000-0x00007FF7F20A4000-memory.dmp

Filesize
8.0MB

Download
memory/2672-6-0x00007FF772E00000-0x00007FF773183000-memory.dmp

Filesize
3.5MB

Download
memory/2672-0-0x00007FF772E00000-0x00007FF773183000-memory.dmp

Filesize
3.5MB

Download