xmrig | 79a52cb25a58cf08e11b46bc743cea2df4d5097bf1c80d5ec58c1abd2015b5a8

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quasar Golden Edition 1.4.1.0/Quasar Golden Editionx.exe
Size

7.7MB
MD5

bb8b1f45d98a13e966973ca0eeefad9d
SHA1

f9393120df22a00ac7d4cdaad466d337b891bbec
SHA256

650f145e45a4b6f9a953f69df1d919bceaa3962c29d0a07ab7102afcf85a6930
SHA512

592c541a6dbf9aa02ffd6566f49bfe7b30ec6d51f116e3a36af10beb4412666b4f5ad7a75716af11757e7f5bd22fc909db18ab38df26af0e0e093e09ce9489e1
SSDEEP

196608:7JWQb/GQDd3JjPOVXRzPHGHR/kGlZ1I8GXPYl:9WQbr5uX5PHGx/P13Gf

Score

10^/10

xmrig defense_evasion evasion miner persistence privilege_escalation

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral12/memory/3856-28-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-29-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-30-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-32-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-31-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-33-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-45-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-46-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-47-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig
behavioral12/memory/3856-53-0x0000000000400000-0x0000000000DCB000-memory.dmp	xmrig

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4688	netsh.exe
4568	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Quasar Golden Editionx.exe

Executes dropped EXE 2 IoCs

pid	Process
3856	TiWorker.exe
2952	Quasar Golden Edition.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2080	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TiWorker.exe	Quasar Golden Editionx.exe
File created	C:\Windows\SysWOW64\config.json	Quasar Golden Editionx.exe
File opened for modification	C:\Windows\SysWOW64\config.json	Quasar Golden Editionx.exe
File created	C:\Windows\SysWOW64\MicrosoftWindows.xml	Quasar Golden Editionx.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindows.xml	Quasar Golden Editionx.exe
File created	C:\Windows\SysWOW64\TiWorker.exe	Quasar Golden Editionx.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe
4116	Quasar Golden Editionx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2952	Quasar Golden Edition.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3856	TiWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	Quasar Golden Edition.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2952	Quasar Golden Edition.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 2064	4116	Quasar Golden Editionx.exe	83
PID 4116 wrote to memory of 2064	4116	Quasar Golden Editionx.exe	83
PID 2064 wrote to memory of 3972	2064	cmd.exe	85
PID 2064 wrote to memory of 3972	2064	cmd.exe	85
PID 2064 wrote to memory of 4044	2064	cmd.exe	86
PID 2064 wrote to memory of 4044	2064	cmd.exe	86
PID 4116 wrote to memory of 2080	4116	Quasar Golden Editionx.exe	87
PID 4116 wrote to memory of 2080	4116	Quasar Golden Editionx.exe	87
PID 2080 wrote to memory of 1872	2080	cmd.exe	89
PID 2080 wrote to memory of 1872	2080	cmd.exe	89
PID 4116 wrote to memory of 4032	4116	Quasar Golden Editionx.exe	90
PID 4116 wrote to memory of 4032	4116	Quasar Golden Editionx.exe	90
PID 4032 wrote to memory of 4688	4032	cmd.exe	92
PID 4032 wrote to memory of 4688	4032	cmd.exe	92
PID 4116 wrote to memory of 1548	4116	Quasar Golden Editionx.exe	93
PID 4116 wrote to memory of 1548	4116	Quasar Golden Editionx.exe	93
PID 1548 wrote to memory of 4568	1548	cmd.exe	95
PID 1548 wrote to memory of 4568	1548	cmd.exe	95
PID 4116 wrote to memory of 1944	4116	Quasar Golden Editionx.exe	96
PID 4116 wrote to memory of 1944	4116	Quasar Golden Editionx.exe	96
PID 1944 wrote to memory of 2768	1944	cmd.exe	98
PID 1944 wrote to memory of 2768	1944	cmd.exe	98
PID 4116 wrote to memory of 3984	4116	Quasar Golden Editionx.exe	99
PID 4116 wrote to memory of 3984	4116	Quasar Golden Editionx.exe	99
PID 3984 wrote to memory of 1628	3984	cmd.exe	101
PID 3984 wrote to memory of 1628	3984	cmd.exe	101
PID 3984 wrote to memory of 3380	3984	cmd.exe	102
PID 3984 wrote to memory of 3380	3984	cmd.exe	102
PID 4116 wrote to memory of 432	4116	Quasar Golden Editionx.exe	105
PID 4116 wrote to memory of 432	4116	Quasar Golden Editionx.exe	105
PID 432 wrote to memory of 4488	432	cmd.exe	107
PID 432 wrote to memory of 4488	432	cmd.exe	107
PID 4116 wrote to memory of 2952	4116	Quasar Golden Editionx.exe	111
PID 4116 wrote to memory of 2952	4116	Quasar Golden Editionx.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Quasar Golden Edition 1.4.1.0\Quasar Golden Editionx.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar Golden Edition 1.4.1.0\Quasar Golden Editionx.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:3972
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "WindowsUpdate"
    3⤵
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
  2⤵
  - Indicator Removal: Clear Persistence
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\schtasks.exe
    schtasks /Delete /TN "WindowsUpdate" /F
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
    3⤵
    PID:1628
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\system32\certutil.exe
    certutil –addstore –f root MicrosoftWindows.crt
    3⤵
    PID:4488
- C:\Users\Admin\AppData\Local\Temp\Quasar Golden Edition 1.4.1.0\Quasar Golden Edition.exe
  "C:\Users\Admin\AppData\Local\Temp\Quasar Golden Edition 1.4.1.0\Quasar Golden Edition.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2952

C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\SysWOW64\TiWorker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

Filesize
1KB

MD5
1bb617d3aab1dbe2ec2e4a90bf824846

SHA1
bbe179f1bdc4466661da3638420e6ca862bd50ca

SHA256
1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580

SHA512
ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quasar Golden Edition 1.4.1.0\Quasar Golden Edition.exe

Filesize
11.0MB

MD5
d49e5e8dd0e5e347b9bb061aa9c328dc

SHA1
d97c692a5c927f2db65c6ef9a240b061bdd668ed

SHA256
f157877dacee3384192d3438d6d6c4dd7f25eb313a45bd0799e15d90b4eb3114

SHA512
251b589318a39395dd8c40c0b54e6d000d60ce76710105d46059ede584ed939280c7f4d82ed513a5de224deb81f1213b2993301fd6134ebc796dd9b4283baef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA1DD.tmp

Filesize
3.2MB

MD5
ecede3c32ce83ff76ae584c938512c5a

SHA1
090b15025e131cc03098f6f0d8fa5366bc5fa1f0

SHA256
366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d

SHA512
61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

Download Submit
C:\Windows\SysWOW64\MicrosoftWindows.xml

Filesize
4KB

MD5
b1cbfcc7b7a5716a30b77f5dc5bb6135

SHA1
5c397ffd7a845b2fdf9e82ff73698784a91a2fb9

SHA256
96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430

SHA512
d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

Download Submit
C:\Windows\SysWOW64\config.json

Filesize
1011B

MD5
3da156f2d3307118a8e2c569be30bc87

SHA1
335678ca235af3736677bd8039e25a6c1ee5efca

SHA256
f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb

SHA512
59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

Download Submit
memory/2952-51-0x00000289ACAF0000-0x00000289ACB00000-memory.dmp

Filesize
64KB

Download
memory/2952-44-0x000002898F650000-0x000002899015A000-memory.dmp

Filesize
11.0MB

Download
memory/3856-20-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-32-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-53-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-19-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-30-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-29-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-28-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-45-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-46-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-47-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-33-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download
memory/3856-31-0x0000000000400000-0x0000000000DCB000-memory.dmp

Filesize
9.8MB

Download