xmrig | 0b73f3f47424d3a84d8fe9eda96b3e860d8004d60070a328d22ab82d0b68a3ef

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe
Size

7.2MB
MD5

29b9a3177286d75c54c2b5e47c9eae0a
SHA1

bd9e461f79fa739d9ec4882fba0ad970d990dca6
SHA256

0b73f3f47424d3a84d8fe9eda96b3e860d8004d60070a328d22ab82d0b68a3ef
SHA512

76fd106fe9ea66841f66b1e85301f922635f69af3c03ac4a3b62a4b94fbf07058129dc8488cc333e30b1b8e6ae1426be5c55980d8ae96cce542ebed286251f68
SSDEEP

98304:R+8WZoZY1nliyx2v9yfZrM2n8XEmFasiw7vJnmJGxJpJPM9Gj:uZJNU6BrM2ncFaRsZxbJPR

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023cb4-7.dat	family_xmrig
behavioral2/files/0x0007000000023cb4-7.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe	2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe

Executes dropped EXE 2 IoCs

pid	Process
4128	cloudb.exe
4952	golang-updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cloudb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe
4128	cloudb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4952	golang-updater.exe
Token: SeLockMemoryPrivilege	4952	golang-updater.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4952	golang-updater.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4128	2224	2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe	87
PID 2224 wrote to memory of 4128	2224	2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe	87
PID 2224 wrote to memory of 4128	2224	2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe	87
PID 4128 wrote to memory of 4952	4128	cloudb.exe	92
PID 4128 wrote to memory of 4952	4128	cloudb.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_29b9a3177286d75c54c2b5e47c9eae0a_frostygoop_poet-rat_snatch.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\windows\Temp\golang-updater.exe
    C:/windows/Temp/golang-updater.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cloudb.exe

Filesize
2.4MB

MD5
201127bcc5d2c9c80506f3a764854aad

SHA1
94732cf4b8506b7d4c915123103017c16b82be6b

SHA256
4256c72eabdc5e2e4619ab42a4a7e9e638477a5507555971376e0ca1b2a3779b

SHA512
adfe60f72e89317381347f7f7ff963c7f4a4eb881e54a7baa78a86a5440db7f0c1e74b50e8e4111332891833befbdc4a4906ba3364287789bfca90f0f3074e19

Download Submit
C:\Windows\Temp\golang-updater.exe

Filesize
5.5MB

MD5
4055c2f21690a86aa71ddd9ce4aa5112

SHA1
5346ee531ae5b75651a3bdc3a26b5434a1894faa

SHA256
aff7e5faf63d3d1571b7b166e2423dcd287ca8f6c3afffa68c74be148981115e

SHA512
f60eaf7d27a62fe6a5b0acf53551e0c4d71ff01f1aa43f3256430e72ec85d2c255539679e58b334cfc5a2319b6420ddeb73597a4e9f7ffc083d393a3a8fe40bb

Download Submit
memory/4952-9-0x000001AF4C240000-0x000001AF4C260000-memory.dmp

Filesize
128KB

Download
memory/4952-12-0x000001AF4DB70000-0x000001AF4DB90000-memory.dmp

Filesize
128KB

Download
memory/4952-13-0x000001AFE1EE0000-0x000001AFE1F00000-memory.dmp

Filesize
128KB

Download
memory/4952-14-0x000001AFE1F00000-0x000001AFE1F20000-memory.dmp

Filesize
128KB

Download
memory/4952-16-0x000001AFE1F00000-0x000001AFE1F20000-memory.dmp

Filesize
128KB

Download
memory/4952-15-0x000001AFE1EE0000-0x000001AFE1F00000-memory.dmp

Filesize
128KB

Download