xmrig | 2b80e49ed86a673ba3bccd1b094173c7782bc8e76d017060cb4e083e77db5bb5

Analysis

max time kernel
3551s
max time network
3596s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-11-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewTriage32/IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe
Size

2.5MB
MD5

dc4de596b27633f9835e6bcc3aee08eb
SHA1

e391f7ae9af449836b34b6c4b689cda02e53c71b
SHA256

6fe7e5d9b66bfa2a2d8fac07483f35f65520b6baef87cde3b99c513f7ade5cef
SHA512

ec6ac054952ae520e3e77a6edeed6cc0ae03acea68039aecfaf57cfffa64597bc3c2841d4abfa1fe9324f71bb6eb748c97201f9e70a9815c4514d975a609816f
SSDEEP

49152:Kgf5bRKh3xW0yvsohrvKwgsORbI6WtEaFTGFyCTBIHef:VQ30goFvKwHQbMpTGFIHef

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral11/memory/2764-7-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-6-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-9-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-12-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-13-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-11-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-10-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-14-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-17-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-18-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral11/memory/2764-19-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Suspicious use of SetThreadContext 1 IoCs

Processes:

IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe

description pid process target process

PID 4188 set thread context of 2764 4188 IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe explorer.exe

description	pid	process	target process
PID 4188 set thread context of 2764	4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe	explorer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral11/memory/2764-1-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-3-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-2-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-4-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-5-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-7-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-6-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-9-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-12-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-13-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-11-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-10-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-14-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-17-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-18-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral11/memory/2764-19-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-5f-f6-b6-53-b3\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-5f-f6-b6-53-b3	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-5f-f6-b6-53-b3\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-5f-f6-b6-53-b3\WpadDecisionTime = c4dcb75ca03fdb01	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe

pid process

4188 IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe

pid	process
4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

explorer.exesvchost.exe

description	pid	process
Token: SeLockMemoryPrivilege	2764	explorer.exe
Token: SeLockMemoryPrivilege	2764	explorer.exe
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe

description	pid	process	target process
PID 4188 wrote to memory of 2764	4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe	explorer.exe
PID 4188 wrote to memory of 2764	4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe	explorer.exe
PID 4188 wrote to memory of 2764	4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe	explorer.exe
PID 4188 wrote to memory of 2764	4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe	explorer.exe
PID 4188 wrote to memory of 2764	4188	IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\NewTriage32\IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe
"C:\Users\Admin\AppData\Local\Temp\NewTriage32\IxXF7PeGlVVyHSXk9kYDLLDorJ5p7J_964969.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2764-1-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-3-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-2-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-4-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-5-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-7-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-8-0x0000000001490000-0x00000000014B0000-memory.dmp

Filesize
128KB

Download
memory/2764-6-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-9-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-12-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-13-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-11-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-10-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-14-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-16-0x00000000014B0000-0x00000000014D0000-memory.dmp

Filesize
128KB

Download
memory/2764-17-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-18-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-19-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2764-21-0x0000000002CC0000-0x0000000002CE0000-memory.dmp

Filesize
128KB

Download
memory/2764-22-0x0000000013F00000-0x0000000013F20000-memory.dmp

Filesize
128KB

Download
memory/2764-23-0x0000000002CC0000-0x0000000002CE0000-memory.dmp

Filesize
128KB

Download
memory/2764-24-0x0000000013F00000-0x0000000013F20000-memory.dmp

Filesize
128KB

Download