xmrig | 4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158d

Analysis

max time kernel
111s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe
Size

2.8MB
MD5

696933093026a17b449aad7f37c53f50
SHA1

e76ea1f3b5f5b6c6fcdd6a1e75be1b2ee586188e
SHA256

4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158d
SHA512

db13f7aac7089701757dff507f4670e64de264637bfae549397838db4b1e5020bafbdeea154b798a01e64a8eecbabdc37e45505ddadf36cfa832a5ea258fdcd8
SSDEEP

49152:hYnbuqL/W+N5ql4Ix+I410WhPP+a/SLAY0c4PFqwXuqT75VSU8rL/FyVbfUfe:hYnfL/W+NUl4Ix+IKHv/S0Y0nqcN8rrQ

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/files/0x00310000000173e4-36.dat	xmrig
behavioral1/memory/2936-49-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-50-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-51-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-52-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-53-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-54-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-55-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-56-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-57-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig
behavioral1/memory/2936-58-0x0000000000400000-0x0000000000D24000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk	gcc-win32.exe

Executes dropped EXE 2 IoCs

pid	Process
2652	gcc-win32.exe
2936	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2652	gcc-win32.exe
2652	gcc-win32.exe
2952	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcc-win32.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2564	taskkill.exe
2480	taskkill.exe
2536	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2964	regedit.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2652	gcc-win32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeLockMemoryPrivilege	2936	svchost.exe
Token: SeLockMemoryPrivilege	2936	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2712	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	30
PID 2844 wrote to memory of 2712	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	30
PID 2844 wrote to memory of 2712	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	30
PID 2844 wrote to memory of 2780	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	31
PID 2844 wrote to memory of 2780	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	31
PID 2844 wrote to memory of 2780	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	31
PID 2844 wrote to memory of 852	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	32
PID 2844 wrote to memory of 852	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	32
PID 2844 wrote to memory of 852	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	32
PID 2712 wrote to memory of 2668	2712	WScript.exe	33
PID 2712 wrote to memory of 2668	2712	WScript.exe	33
PID 2712 wrote to memory of 2668	2712	WScript.exe	33
PID 2668 wrote to memory of 2564	2668	cmd.exe	35
PID 2668 wrote to memory of 2564	2668	cmd.exe	35
PID 2668 wrote to memory of 2564	2668	cmd.exe	35
PID 2844 wrote to memory of 2964	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	37
PID 2844 wrote to memory of 2964	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	37
PID 2844 wrote to memory of 2964	2844	4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe	37
PID 2780 wrote to memory of 2208	2780	WScript.exe	38
PID 2780 wrote to memory of 2208	2780	WScript.exe	38
PID 2780 wrote to memory of 2208	2780	WScript.exe	38
PID 2208 wrote to memory of 2652	2208	cmd.exe	40
PID 2208 wrote to memory of 2652	2208	cmd.exe	40
PID 2208 wrote to memory of 2652	2208	cmd.exe	40
PID 2208 wrote to memory of 2652	2208	cmd.exe	40
PID 2652 wrote to memory of 2936	2652	gcc-win32.exe	41
PID 2652 wrote to memory of 2936	2652	gcc-win32.exe	41
PID 2652 wrote to memory of 2936	2652	gcc-win32.exe	41
PID 2652 wrote to memory of 2936	2652	gcc-win32.exe	41
PID 852 wrote to memory of 788	852	WScript.exe	43
PID 852 wrote to memory of 788	852	WScript.exe	43
PID 852 wrote to memory of 788	852	WScript.exe	43
PID 788 wrote to memory of 2480	788	cmd.exe	45
PID 788 wrote to memory of 2480	788	cmd.exe	45
PID 788 wrote to memory of 2480	788	cmd.exe	45
PID 2208 wrote to memory of 2536	2208	cmd.exe	46
PID 2208 wrote to memory of 2536	2208	cmd.exe	46
PID 2208 wrote to memory of 2536	2208	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe
"C:\Users\Admin\AppData\Local\Temp\4543499b6e5a195abecbfbb8b2d00227fe6fe3932c22c535f49fe0e9b0d2158dN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system32\updatessm.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c startupdate.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\system32\taskkill.exe
      Taskkill /IM svchost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2564
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system32\updatemssm.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c startmupdate.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Roaming\system32\gcc-win32.exe
      gcc-win32.exe -p123
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Roaming\system32\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
  - - C:\Windows\system32\taskkill.exe
      Taskkill /IM odbcad32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2536
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system32\exitg.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c startgc.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\system32\taskkill.exe
      Taskkill /F /IM gcc-win32.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- C:\Windows\regedit.exe
  "regedit.exe" "C:\Users\Admin\AppData\Roaming\system32\Register.reg"
  2⤵
  - Runs .reg file with regedit
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system32\Register.reg

Filesize
628B

MD5
84a9659cb9564afc6791eca70c066422

SHA1
d5d7e32f76d75cc57d83e123f033fa00558f05cd

SHA256
c966ecadcbcbb2c0d5bf976d289d889b539ad894bd7bae8ad014fde087244af7

SHA512
115feba3cce086044b3ce837e6dd4c14c1a2d925eb21c8237be75a75969bc33d5c7fa1fdccf30045ce4a99e5d2f654562ed3d1f04b633d9489fafc5e6b074141

Download Submit
C:\Users\Admin\AppData\Roaming\system32\config.json

Filesize
512B

MD5
7565e7b9b83ab1a3b4230eba708669f9

SHA1
ae728af65b69136887421218af77567ef46de185

SHA256
8f411d9765787fef843c8126cbcbd495dbce6d80f7967ab92c9390863e5056d6

SHA512
6917742855ea956b3a712b25bfe114e62ed7c263132df2579fbe861a17cb3c0164ce4e516d21e37170193aa2e8d4d8bad000828859cf1a5385ff052588c5d772

Download Submit
C:\Users\Admin\AppData\Roaming\system32\exitg.vbs

Filesize
142B

MD5
028636276bf1231239637b92c3f17135

SHA1
ba73b5d0bbee1fa9f28e37169a9d9033763d1292

SHA256
888c29b7635b31109fb5f05970aa5d3ad617a6aed9a5d82a652ecaccba89b419

SHA512
941fed68c0cdc46eedc3616428fc9811c52d5f34890ffa2e51e9b4e6d269657c38701ea18bcf539a4b4f0d89891e556896e3ce1fd79743eaf11c954b455d50b0

Download Submit
C:\Users\Admin\AppData\Roaming\system32\gcc-win32.exe

Filesize
2.3MB

MD5
b8302ee6be78a9a6698a57c6f045ccdb

SHA1
16341b63d0ad84a2b8804029ff0ba5fbe268cbae

SHA256
d7a350b4de0cbc0168cbd53c5530e1a8d77fee4649017158e5ded7fc40f59d15

SHA512
139877898912767ad68a69ea80da66f41ea53829624ba79311a59f0ebb366ca945122fe6903bad31277996d46aee4cf8fafe816352ab76d5d8949cafe57fc72e

Download Submit
C:\Users\Admin\AppData\Roaming\system32\startgc.cmd

Filesize
29B

MD5
cd14f4b9e63b1c9a707444a94c73fe68

SHA1
4ae31292aedb09f6b0e779954ee4b351590ab7ef

SHA256
dc6dbbfbc949b385d506735df2c4c3a261a11f79deec90b66fa5d114f9795eeb

SHA512
3fa1c64f7385a20770b03260837b86d6a13459ac241ac0aa4e11c716923b8ed196f23682064dd548a8647ff70015c1ee8baeafb7a78b6bdc4748379eeb72bd69

Download Submit
C:\Users\Admin\AppData\Roaming\system32\startmupdate.cmd

Filesize
46B

MD5
074bead13aaaa43e90ba2a47b598f9f2

SHA1
deb20a175247957ca6e8a7753e2a5ef90f4aa15e

SHA256
847bbdd96e6e60b2e5404ab2e68daa6c7d6d903f357858eb71be17d2e1dfdf0f

SHA512
c7685aa7b594d3ffffded9537c4822d7919ae1a603950b4f33d6727902d4807eb1ad879b271da65268423a7de359b3b4ce5d78582035b6fb1b12120486c08447

Download Submit
C:\Users\Admin\AppData\Roaming\system32\startupdate.cmd

Filesize
26B

MD5
d431bd74740daf8f8ebfde0353001ec0

SHA1
a99342840dc82ea8a2e38511217c65b0993bc977

SHA256
d975ba98edbdebac625fb9263026a4467fbf2050939dac9ca196e71b33339682

SHA512
55a141a3e0e3d8b3f534711b35ba7a1d6aa804b79d5598cad3600e47766061ce8e4da13f3dcc2211973524aa350e96e5474a9be3b402d62a660f203fea9d3404

Download Submit
C:\Users\Admin\AppData\Roaming\system32\updatemssm.vbs

Filesize
147B

MD5
9a1254894c7df70b648538b8b25cbfac

SHA1
8edf34fab610b54a0da74bd4ca6de86f5688b54c

SHA256
2949dc7e32bece4017eaa9198a6dfdfe1edc19222007c350b771d646e2855143

SHA512
bf3b75038da35ce62aa22c441d9eb60ee546cc9900eea537852d14cf198fb4892af19060c260d59df040ea27dc90744fced5a6462674c96fc5caf4a94541aba3

Download Submit
C:\Users\Admin\AppData\Roaming\system32\updatessm.vbs

Filesize
144B

MD5
ab001f69d685ec36982e3cb4b4b07441

SHA1
05afae7d51f76a85199b63663d20a48640ed8d36

SHA256
89a974d23b45ef34df5a4559a71aa967bca1e9deb82bb42ef81ec74e3f2e133f

SHA512
279de2639652d49e232b8d131c590728e12fa51461eccba4330599f7af030e6df608056cd8913b4aea7639d6cc087fc3dc542855374748cf98ab11a48d4f10a5

Download Submit
\Users\Admin\AppData\Roaming\system32\svchost.exe

Filesize
6.0MB

MD5
530ae05c71d23d6433da64d4ca16e2b6

SHA1
705cc0c314ab3fd16ff19b31c4503e4fb3ec252d

SHA256
c030b525aeaac97878fad878c50028efbaf160d7a0fa35d7d9a381c38a105d5a

SHA512
3285829c5bb69c6b15426904f57880cad2388380ae096dd6930cced08595ccae94352dbb951aba5737b5d46dd881900a590a65c70d5d212d3f3370889cbdb7b5

Download Submit
memory/2844-25-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2936-46-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2936-49-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-50-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-51-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-52-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-53-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-54-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-55-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-56-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-57-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download
memory/2936-58-0x0000000000400000-0x0000000000D24000-memory.dmp

Filesize
9.1MB

Download