Analysis
max time kernel: 149s
max time network: 151s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 05-11-2024 15:46
Static task: static1
Behavioral task: behavioral1
Sample: ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
Resource: ubuntu2004-amd64-20240508-en
General
Target: ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
Size: 8.7MB
MD5: d25208063842ebf39e092d55e033f9e2
SHA1: 3b945c29647d3681a953ce00e042293a156bb3d2
SHA256: ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c
SHA512: 20cbec57b0a5ceb0670b1128d0b4aed20a516e8f57a91bae784544dc2274fd8527b6749f70d6c42f570c95417215b4c18a4f4fb145fbf18df67981ab1483b267
SSDEEP: 98304:f9EkDvpp61mDmhBDq89YUEeiGWFD30GIc8:Vk1mKhBO8KtjGWyGw
Malware Config
Signatures
XMRig Miner payload 2 IoCs
resource  yara_rule
- behavioral1/files/fstream-1.dat  family_xmrig
- behavioral1/files/fstream-1.dat  xmrig
Xmrig family
Xmrig_linux family
Executes dropped EXE 29 IoCs
ioc: /tmp/xmrig/xmrig-6.22.0/xmrig; Process: xmrig; one entry for each of the following 29 pids:
1447, 1469, 1476, 1484, 1491, 1516, 1523, 1531, 1538, 1545, 1552, 1561, 1568, 1575, 1582, 1589, 1596, 1603, 1610, 1617, 1624, 1631, 1638, 1646, 1653, 1660, 1667, 1674, 1681
Modifies hosts file 1 IoCs
Adds entries to the hosts file used for mapping hostnames to IP addresses.
description  ioc  Process
- File opened for modification  /etc/hosts  ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
OS Credential Dumping 1 TTPs 30 IoCs
Adversaries may attempt to dump credentials to use them in password cracking.
description  ioc  Process
- File opened for reading  /etc/shadow  sudo  (30 identical entries, one per sudo process)
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 30 IoCs
Abuse sudo or cached sudo credentials to execute code.
Process: sudo; one entry for each of the following 30 pids:
1530, 1666, 1515, 1551, 1560, 1581, 1595, 1616, 1490, 1522, 1544, 1574, 1602, 1680, 1444, 1446, 1609, 1652, 1567, 1623, 1468, 1475, 1645, 1673, 1588, 1483, 1537, 1630, 1637, 1659
Checks hardware identifiers (DMI) 1 TTPs 64 IoCs
Checks DMI information that indicates whether the system is a virtual machine.
description: File opened for reading; Process: xmrig (all 64 entries)
ioc (number of entries):
- /sys/devices/virtual/dmi/id/bios_vendor (20)
- /sys/devices/virtual/dmi/id/board_vendor (18)
- /sys/devices/virtual/dmi/id/sys_vendor (14)
- /sys/devices/virtual/dmi/id/product_name (12)
Enumerates running processes
Discovers information about currently running processes on the system
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
- 15  raw.githubusercontent.com
- 16  raw.githubusercontent.com
- 17  raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
- 2  api.ipify.org
- 3  api.ipify.org
- 4  api.ipify.org
Reads hardware information 1 TTPs 64 IoCs
Accesses system info like serial numbers, manufacturer names etc.
description: File opened for reading; Process: xmrig (all 64 entries)
ioc (number of entries):
- /sys/devices/virtual/dmi/id/bios_version (8)
- /sys/devices/virtual/dmi/id/board_serial (7)
- /sys/devices/virtual/dmi/id/chassis_serial (6)
- /sys/devices/virtual/dmi/id/board_asset_tag (6)
- /sys/devices/virtual/dmi/id/product_uuid (5)
- /sys/devices/virtual/dmi/id/product_serial (5)
- /sys/devices/virtual/dmi/id/product_version (4)
- /sys/devices/virtual/dmi/id/chassis_vendor (4)
- /sys/devices/virtual/dmi/id/chassis_asset_tag (4)
- /sys/devices/virtual/dmi/id/bios_date (4)
- /sys/devices/virtual/dmi/id/board_name (4)
- /sys/devices/virtual/dmi/id/chassis_version (3)
- /sys/devices/virtual/dmi/id/chassis_type (3)
- /sys/devices/virtual/dmi/id/board_version (1)
Reads list of loaded kernel modules 1 TTPs 1 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
description  ioc  Process
- File opened for reading  /proc/modules  ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
Checks CPU configuration 1 TTPs 30 IoCs
Checks CPU information that indicates whether the system is a virtual machine.
description: File opened for reading; ioc: /proc/cpuinfo (all 30 entries)
Process:
- ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf (1 entry)
- xmrig (29 entries, one per xmrig process)
Reads CPU attributes 1 TTPs 64 IoCs
description: File opened for reading; Process: xmrig (all 64 entries)
ioc:
- /sys/devices/system/cpu/cpu0/cpu_capacity
- /sys/devices/system/cpu/cpu0/cache/index2/id
- /sys/devices/system/cpu/possible
- /sys/devices/system/cpu/cpu0/cache/index0/size
- /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/type
- /sys/devices/system/cpu/cpu0/cpu_capacity
- /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/size
- /sys/devices/system/cpu/cpu0/cache/index3/type
- /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/level
- /sys/devices/system/cpu/cpu0/cache/index0/level
- /sys/devices/system/cpu/cpu0/topology/package_cpus
- /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
- /sys/devices/system/cpu/cpu0/topology/die_cpus
- /sys/devices/system/cpu/cpu0/cache/index3/id
- /sys/devices/system/cpu/cpu0/cache/index1/id
- /sys/devices/system/cpu/cpu0/topology/physical_package_id
- /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index3/id
- /sys/devices/system/cpu/cpu0/topology/core_cpus
- /sys/devices/system/cpu/cpu0/cache/index0/level
- /sys/devices/system/cpu/cpu0/cache/index2/type
- /sys/devices/system/cpu/cpu0/cache/index0/id
- /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
- /sys/devices/system/cpu/cpu0/topology/core_id
- /sys/devices/system/cpu/cpu0/topology/cluster_cpus
- /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index3/level
- /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
- /sys/devices/system/cpu/cpu0/topology/physical_package_id
- /sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map
- /sys/devices/system/cpu/cpu0/topology/cluster_cpus
- /sys/devices/system/cpu/cpu0/cache/index0/level
- /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
- /sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map
- /sys/devices/system/cpu/cpu0/topology/core_id
- /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
- /sys/devices/system/cpu/cpu0/cache/index1/id
- /sys/devices/system/cpu/cpu0/cache/index1/level
- /sys/devices/system/cpu/cpu0/cache/index0/type
- /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
- /sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
- /sys/devices/system/cpu/cpu0/cache/index0/level
- /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
- /sys/devices/system/cpu/possible
- /sys/devices/system/cpu/cpu0/cache/index3/id
- /sys/devices/system/cpu/cpu0/topology/cluster_cpus
- /sys/devices/system/cpu/cpu0/topology/package_cpus
- /sys/devices/system/cpu/cpu0/cache/index2/size
- /sys/devices/system/cpu/online
- /sys/devices/system/cpu/cpu0/cache/index1/level
- /sys/devices/system/cpu/cpu0/cache/index3/level
- /sys/devices/system/cpu/cpu0/cache/index3/type
- /sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map
- /sys/devices/system/cpu/cpu0/cache/index2/type
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description: File opened for reading; Process: xmrig (all 64 entries)
ioc:
- /sys/devices/system/cpu
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
- /sys/devices/system/node/online
- /sys/fs/cgroup/cpuset/cpuset.mems
- /sys/devices/system/node/node0/cpumap
- /sys/devices/virtual/dmi/id
- /sys/devices/virtual/dmi/id
- /sys/devices/system/node/node0/cpumap
- /sys/bus/dax/devices
- /sys/devices/system/node/node0/hugepages
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- /sys/bus/soc/devices
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- /sys/devices/system/node/online
- /sys/kernel/mm/hugepages
- /sys/devices/system/node/node0/access0/initiators/read_bandwidth
- /sys/devices/system/node/node0/access0/initiators/write_bandwidth
- /sys/firmware/dmi/tables/smbios_entry_point
- /sys/devices/system/node/node0/access0/initiators/read_latency
- /sys/devices/system/node/node0/access0/initiators
- /sys/fs/cgroup/cpuset/cpuset.mems
- /sys/fs/cgroup/cpuset/cpuset.mems
- /sys/fs/cgroup/cpuset/cpuset.cpus
- /sys/devices/cpu_core/cpus
- /sys/devices/system/node/node0/cpumap
- /sys/bus/soc/devices
- /sys/kernel/mm/hugepages
- /sys/kernel/mm/hugepages
- /sys/devices/system/cpu
- /sys/devices/system/node/online
- /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- /sys/devices/cpu_atom/cpus
- /sys/devices/system/node/node0/hugepages
- /sys/firmware/dmi/tables/DMI
- /sys/bus/soc/devices
- /sys/devices/system/node/node0/access0/initiators/write_bandwidth
- /sys/devices/system/node/node0/access0/initiators/write_latency
- /sys/kernel/mm/hugepages
- /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- /sys/devices/system/node/node0/access0/initiators/write_latency
- /sys/devices/system/node/node0/meminfo
- /sys/devices/system/cpu
- /sys/devices/system/node/online
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- /sys/devices/system/node/node0/meminfo
- /sys/devices/system/node/node0/hugepages/hugepages-1048576kB/free_hugepages
- /sys/kernel/mm/hugepages
- /sys/kernel/mm/hugepages
- /sys/devices/system/node/node0/access0/initiators/read_bandwidth
- /sys/fs/cgroup/unified/cgroup.controllers
- /sys/devices/system/node/online
- /sys/devices/system/cpu
- /sys/devices/system/node/node0/cpumap
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
- /sys/fs/cgroup/unified/cgroup.controllers
- /sys/fs/cgroup/cpuset/cpuset.mems
- /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- /sys/firmware/dmi/tables/DMI
- /sys/devices/system/node/node0/meminfo
- /sys/bus/dax/devices
- /sys/devices/system/node/node0/access0/initiators/write_latency
- /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
- /sys/devices/system/node/node0/access0/initiators
Reads runtime system information 64 IoCs
description: File opened for reading (all 64 entries)
Process: ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf (47 entries); ioc:
- /proc/1074/cmdline
- /proc/93/stat
- /proc/79/comm
- /proc/270/cmdline
- /proc/397/comm
- /proc/669/cmdline
- /proc/102/comm
- /proc/1602/stat
- /proc/102/stat
- /proc/87/comm
- /proc/105/comm
- /proc/13/stat
- /proc/1117/stat
- /proc/1073/cmdline
- /proc/440/comm
- /proc/950/status
- /proc/1075/cmdline
- /proc/1515/stat
- /proc/bus/pci/devices
- /proc/163/cmdline
- /proc/73/stat
- /proc/926/comm
- /proc/1079/comm
- /proc/1574/stat
- /proc/24/cmdline
- /proc/118/cmdline
- /proc/498/cmdline
- /proc/1030/cmdline
- /proc/1435/cmdline
- /proc/987/stat
- /proc/10/comm
- /proc/264/cmdline
- /proc/509/comm
- /proc/164/stat
- /proc/603/stat
- /proc/439/status
- /proc/1673/cmdline
- /proc/439/comm
- /proc/1025/comm
- /proc/498/comm
- /proc/579/cmdline
- /proc/1051/cmdline
- /proc/1154/status
- /proc/969/status
- /proc/71/comm
- /proc/201/comm
- /proc/2/comm
Process: sudo (7 entries); ioc:
- /proc/self/fd (4 entries)
- /proc/filesystems (2 entries)
- /proc/sys/kernel/ngroups_max (1 entry)
Process: xmrig (10 entries); ioc:
- /proc/cmdline (3 entries)
- /proc/mounts (3 entries)
- /proc/driver/nvidia/gpus (1 entry)
- /proc/meminfo (1 entry)
- /proc/self/cpuset (1 entry)
- /proc/sys/vm/nr_hugepages (1 entry)
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process
File opened for modification /tmp/xmrig/xmrig-6.22.0/xmrig ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
File opened for modification /tmp/xmrig/xmrig-6.22.0/config.json ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
Processes
/tmp/ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
  cmdline: /tmp/ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf
  - Modifies hosts file
  - Reads list of loaded kernel modules
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID: 1395
  /usr/bin/sudo
    cmdline: sudo -n true
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1444
    /usr/bin/true
      cmdline: true
      PID: 1445
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1446
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      PID: 1447
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1468
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1469
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1475
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1476
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    PID: 1483
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1484
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    PID: 1490
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1491
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1515
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1516
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    PID: 1522
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1523
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1530
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1531
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1537
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1538
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1544
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1545
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1551
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1552
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1560
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Enumerates kernel/hardware configuration
      PID: 1561
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1567
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1568
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1574
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1575
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1581
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1582
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1588
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1589
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1595
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1596
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1602
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1603
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1609
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1610
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1616
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1617
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1623
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1624
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1630
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1631
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    PID: 1637
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1638
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    PID: 1645
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      PID: 1646
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1652
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1653
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1659
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1660
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1666
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      PID: 1667
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID: 1673
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Reads CPU attributes
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
      PID: 1674
  /usr/bin/sudo
    cmdline: sudo -n /tmp/xmrig/xmrig-6.22.0/xmrig
    - OS Credential Dumping
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    - Reads runtime system information
    PID: 1680
    /tmp/xmrig/xmrig-6.22.0/xmrig
      cmdline: /tmp/xmrig/xmrig-6.22.0/xmrig
      - Executes dropped EXE
      - Checks hardware identifiers (DMI)
      - Reads hardware information
      - Checks CPU configuration
      - Enumerates kernel/hardware configuration
      PID: 1681
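The process tree above, together with the "Writes file to tmp directory" IoCs, shows one pattern worth turning into a detection: the sample in /tmp first runs sudo -n true (a non-interactive probe for passwordless sudo), then uses sudo -n to launch the xmrig binary it wrote under /tmp/xmrig/, and keeps relaunching it (29 times in this run). The Python below is an added example written for this page, not code from the sandbox or from the sample; the records in sample_tree() are hand-built from the tree (same paths and PIDs, only the first three of the 29 launches), the parent PID of the sample is assumed, and the extra writable directories and the list of sudo options that take an argument are assumptions, not something the report shows.

```python
"""Flag the pattern the process tree shows: a dropper in /tmp probes for
passwordless sudo with 'sudo -n true', then relaunches a binary it wrote
under /tmp through 'sudo -n', over and over.

Added example, not part of the sandbox report. sample_tree() is constructed
by hand from the tree on the page; nothing here is parsed from the report."""
from __future__ import annotations

import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Directories a dropper can write to without privileges. The report only
# shows /tmp; /var/tmp and /dev/shm are an assumption for wider coverage.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# sudo options that consume the next argv element (common subset, assumed).
SUDO_OPTS_WITH_ARG = {"-u", "-g", "-p", "-C", "-D", "-r", "-t", "-T", "-U"}

SAMPLE = "/tmp/ad09939a999ace146e122de0082bbf2a3c3d64aedaf844421ba21276b1280b2c.elf"
MINER = "/tmp/xmrig/xmrig-6.22.0/xmrig"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def sample_tree() -> list[Proc]:
    """Constructed records: the sample (PID 1395; its parent is not in the
    report, 1 assumed), its sudo probe, and the first three miner launches."""
    procs = [
        Proc(1395, 1, SAMPLE, SAMPLE),
        Proc(1444, 1395, "/usr/bin/sudo", "sudo -n true"),
        Proc(1445, 1444, "/usr/bin/true", "true"),
    ]
    for sudo_pid, miner_pid in ((1446, 1447), (1468, 1469), (1475, 1476)):
        procs.append(Proc(sudo_pid, 1395, "/usr/bin/sudo", f"sudo -n {MINER}"))
        procs.append(Proc(miner_pid, sudo_pid, MINER, MINER))
    return procs


def sudo_target(cmdline: str) -> tuple[bool, Optional[str]]:
    """Return (non_interactive, program) for a sudo command line.
    -n / --non-interactive makes sudo fail instead of prompting for a
    password, which is exactly what an unattended dropper needs."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "sudo":
        return False, None
    non_interactive = False
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i] in ("-n", "--non-interactive"):
            non_interactive = True
        i += 2 if argv[i] in SUDO_OPTS_WITH_ARG else 1
    return non_interactive, argv[i] if i < len(argv) else None


def analyze(procs: list[Proc]) -> dict:
    """Per-rule hits plus a verdict: True when a process that probed for
    passwordless sudo then used 'sudo -n' to run a writable-dir binary."""
    findings = {
        "writable_dir_exec": [],   # PIDs whose image lives under WRITABLE_DIRS
        "sudo_probe": [],          # PIDs of 'sudo -n true' style probes
        "sudo_writable_exec": [],  # PIDs of 'sudo -n <writable-dir binary>'
        "launch_counts": {},       # image -> launches (29 for the miner on the page)
        "verdict": False,
    }
    probing_parents = set()
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        if p.image.startswith(WRITABLE_DIRS):
            findings["writable_dir_exec"].append(p.pid)
        non_interactive, target = sudo_target(p.cmdline)
        if not non_interactive or target is None:
            continue
        if target.rsplit("/", 1)[-1] == "true":
            findings["sudo_probe"].append(p.pid)
            probing_parents.add(p.ppid)
        elif target.startswith(WRITABLE_DIRS):
            findings["sudo_writable_exec"].append(p.pid)
    findings["launch_counts"] = dict(
        Counter(p.image for p in procs if p.image.startswith(WRITABLE_DIRS))
    )
    # The parent that ran the probe is the one that later asks sudo to run
    # a file only it could have written: that pairing is the verdict.
    findings["verdict"] = any(
        by_pid[pid].ppid in probing_parents for pid in findings["sudo_writable_exec"]
    )
    return findings


if __name__ == "__main__":
    for key, value in analyze(sample_tree()).items():
        print(f"{key}: {value}")
```

Feeding real process-start events (auditd execve records, eBPF exec traces) into Proc records is the only change needed to run this against a host; the probe alone is benign noise from scripts that test for sudo, so the verdict is only raised on the pairing with a writable-directory execution by the same parent.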
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 4KB
MD5 5c6108e6bc4e612dd59aa1ce9ac909ff
SHA1 b66515c379ee4ebaf312b1d453d147527d3a83b2
SHA256 fa70f1a297f3ed7d2ef75598d4a1da3fb82d68fc14322fdcc0f29c909882a599
SHA512 b69b4b6f73e03f82854f449737a9a24a489b1231681a62a3853037443489ccc52a576f85a5acd4ab21c612c8768f7b0ade6815785293926e195dc93a46d2670b
-
Filesize 4KB
MD5 108447a19021f0fcdde187aa52ddbd71
SHA1 9f2729c3b4c093d2acb00faa1596407300da0a61
SHA256 dc562084726d67bb85ba291436d3dd49cd7474d9a238000adbab38937fc37a3a
SHA512 98f3fe47df9c111215d9aef6abc7d57ac228bee264b6f420a38b9a085bcbad70f007daa8bc7b565b8a9e769779befeb38efddd6a0822b4c2661818eecd27ff8f
-
Filesize 9.0MB
MD5 3d1f6bd959a6bdc423d43342dde28b56
SHA1 79266b5cc7c3762998e87411c56b6bd1a573b91f
SHA256 0d861bf1eafe3cd5d47197b2def17efb6853f2d0a5a46cafb289c013c449b33b
SHA512 b660cfad542a18a82f06080a51976ab7a355080572728f814b1b927e6956918b73172ecd58c5a9dcfe1af6759dc8bf9acbaa2595e6c10e0e44e7ade903e87439