xmrig | 174e46e72c29bc67906588fb3860fa28b368494a9dcae09850c31425fa507d59 | Triage

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 18:07

Sharing

Report Analysis Logs

General

Target

Start-Salvium.bat
Size

191B
MD5

83cdb39870b444d5cc499b9318567711
SHA1

c87327c471326341ac1ee095d824bf35e97e7b7a
SHA256

576761fbd2203cb3373f04dcd8b58c6730ffb4eb0bbe085a67e8fcdb48da0c1b
SHA512

57a646647cdf54c98311b418f7cab9495de714786b6f4f43732d9ffd8f9e7771850c73ce93cb061e32ae53dcb14ec0574fd30c7f08122d2f765c28a14bc88dbf

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

resource	yara_rule
behavioral3/memory/2072-0-0x000000013FF10000-0x0000000140B42000-memory.dmp	xmrig

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2072	2416	cmd.exe	32
PID 2416 wrote to memory of 2072	2416	cmd.exe	32
PID 2416 wrote to memory of 2072	2416	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Start-Salvium.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\xmrig.exe
  xmrig.exe -a rx/0 --url "sal.kryptex.network:7777" --user SaLvsCNbjABPoCfjoVjytHf5Jqfd28NTD9kmkYUfSG7D2uzksP1TbNeDZB7ibriXB7D5M3YxfNZ7ER9amRZw25hQBR8kgDrhLRf/MyFirstRig -p x -k
  2⤵
  PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-0-0x000000013FF10000-0x0000000140B42000-memory.dmp

Filesize
12.2MB

Download