Analysis
-
max time kernel
845s -
max time network
1198s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-11-2024 22:05
Behavioral task
behavioral1
Sample
xmrig-6.22.0/pool_mine_example.cmd
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
xmrig-6.22.0/pool_mine_example.cmd
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
xmrig-6.22.0/pool_mine_example.cmd
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
xmrig-6.22.0/pool_mine_example.cmd
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
xmrig-6.22.0/pool_mine_example.cmd
Resource
win7-20241010-en
General
-
Target
xmrig-6.22.0/pool_mine_example.cmd
-
Size
1KB
-
MD5
20f1482a6b8c4b2550e91d804179ec7b
-
SHA1
b29eac3009c5fcf5a543a4c86ad86c2b6a9b5ba2
-
SHA256
360a14d3a09a126423686a63375c813f226243a5942cd3e30e31e76a0f975f54
-
SHA512
5cbcf3838827d70cf60f686c9e2ed57aa7fb43ce43d3a7be57c4c8f6f5ea0c2bffd52a3082317f520a5f00fbf98080a0d73d0913f70488d60091bb2753eaf55c
Malware Config
Signatures
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid Process 464 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
xmrig.exedescription pid Process Token: SeLockMemoryPrivilege 1268 xmrig.exe Token: SeLockMemoryPrivilege 1268 xmrig.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
xmrig.exepid Process 1268 xmrig.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid Process procid_target PID 2044 wrote to memory of 1268 2044 cmd.exe 31 PID 2044 wrote to memory of 1268 2044 cmd.exe 31 PID 2044 wrote to memory of 1268 2044 cmd.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\xmrig-6.22.0\pool_mine_example.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\xmrig-6.22.0\xmrig.exexmrig.exe -o gulf.moneroocean.stream:10032 -u 8AwagLhMr8DeT4qvEnLNVG7QMxU6UgqwjMPCeSQZjRNWHSYYYb26JvnMrxzZNVf6iySFrb7S6327v8ckkK73D31T7grqngR -p x2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1268
-