xmrig | c619f6d5019ed3fe466dfa66ef86013be1b9deec3770a2aee86c0789b5ae8f9e

Analysis

max time kernel
53s
max time network
42s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

microsoft-onedrive.exe
Size

9.5MB
MD5

59304e9a78243b260b3f04af007f62a5
SHA1

f57e5be6bf1f7081bc74f7f2610ec35353a4faa0
SHA256

c619f6d5019ed3fe466dfa66ef86013be1b9deec3770a2aee86c0789b5ae8f9e
SHA512

8b552608e6815edd33a905729de412ed7a3c89c1f48e4395eea1dfef77a2396d16229903e68dd7279cc646ac24f978f58ec031d6f72c8f9e5f3552c8e4a74c48
SSDEEP

196608:Myd4Wg9Hca3Db/e5DT+VefKOyEn1NRSHgZnnOgZg+ISIsaRMNu17tT/HWu3x9dJ:Myd4RT3DYDKVe/B1NqgZnO5WIsaRMY1i

Score

10^/10

xmrig defense_evasion discovery evasion execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2220-92-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-91-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-97-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-96-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-95-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-94-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-99-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2220-100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2060	powershell.exe
2100	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2232	Built.exe
2804	onedrive.exe
3032	Built.exe
1284	Process not Found
480	Process not Found
636	vsrumanlxdbr.exe

Loads dropped DLL 6 IoCs

pid	Process
2376	microsoft-onedrive.exe
2376	microsoft-onedrive.exe
2376	microsoft-onedrive.exe
2232	Built.exe
3032	Built.exe
480	Process not Found

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	onedrive.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	vsrumanlxdbr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 636 set thread context of 1248	636	vsrumanlxdbr.exe	52
PID 636 set thread context of 2220	636	vsrumanlxdbr.exe	54

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019d8e-39.dat	upx
behavioral1/memory/3032-41-0x000007FEF62A0000-0x000007FEF6888000-memory.dmp	upx
behavioral1/memory/2220-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-92-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-91-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-97-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-94-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2220-100-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3040	sc.exe
1656	sc.exe
448	sc.exe
568	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft-onedrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60759c7aa545db01	powershell.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2880	powershell.exe
2804	onedrive.exe
2060	powershell.exe
2804	onedrive.exe
2804	onedrive.exe
2804	onedrive.exe
2804	onedrive.exe
2804	onedrive.exe
636	vsrumanlxdbr.exe
2100	powershell.exe
636	vsrumanlxdbr.exe
636	vsrumanlxdbr.exe
636	vsrumanlxdbr.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe
2220	conhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeLockMemoryPrivilege	2220	conhost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2880	2376	microsoft-onedrive.exe	30
PID 2376 wrote to memory of 2880	2376	microsoft-onedrive.exe	30
PID 2376 wrote to memory of 2880	2376	microsoft-onedrive.exe	30
PID 2376 wrote to memory of 2880	2376	microsoft-onedrive.exe	30
PID 2376 wrote to memory of 2232	2376	microsoft-onedrive.exe	32
PID 2376 wrote to memory of 2232	2376	microsoft-onedrive.exe	32
PID 2376 wrote to memory of 2232	2376	microsoft-onedrive.exe	32
PID 2376 wrote to memory of 2232	2376	microsoft-onedrive.exe	32
PID 2376 wrote to memory of 2804	2376	microsoft-onedrive.exe	33
PID 2376 wrote to memory of 2804	2376	microsoft-onedrive.exe	33
PID 2376 wrote to memory of 2804	2376	microsoft-onedrive.exe	33
PID 2376 wrote to memory of 2804	2376	microsoft-onedrive.exe	33
PID 2232 wrote to memory of 3032	2232	Built.exe	34
PID 2232 wrote to memory of 3032	2232	Built.exe	34
PID 2232 wrote to memory of 3032	2232	Built.exe	34
PID 3000 wrote to memory of 2996	3000	cmd.exe	43
PID 3000 wrote to memory of 2996	3000	cmd.exe	43
PID 3000 wrote to memory of 2996	3000	cmd.exe	43
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 1248	636	vsrumanlxdbr.exe	52
PID 636 wrote to memory of 2220	636	vsrumanlxdbr.exe	54
PID 636 wrote to memory of 2220	636	vsrumanlxdbr.exe	54
PID 636 wrote to memory of 2220	636	vsrumanlxdbr.exe	54
PID 636 wrote to memory of 2220	636	vsrumanlxdbr.exe	54
PID 636 wrote to memory of 2220	636	vsrumanlxdbr.exe	54
PID 832 wrote to memory of 1940	832	cmd.exe	55
PID 832 wrote to memory of 1940	832	cmd.exe	55
PID 832 wrote to memory of 1940	832	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\microsoft-onedrive.exe
"C:\Users\Admin\AppData\Local\Temp\microsoft-onedrive.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAYwBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAZwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdwB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\onedrive.exe
  "C:\Users\Admin\AppData\Local\Temp\onedrive.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "KOPWGCIF"
    3⤵
    - Launches sc.exe
    PID:568
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "KOPWGCIF" binpath= "C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "KOPWGCIF"
    3⤵
    - Launches sc.exe
    PID:448

C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe
C:\ProgramData\gfmqvycsvzww\vsrumanlxdbr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1940
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1248
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22322\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\onedrive.exe

Filesize
2.5MB

MD5
cc23600e896342e8d4086178b2f57b2f

SHA1
8588238e481bfabcd8d832ff1e06ff05ee9afd4b

SHA256
de28354336aff91e295da45fc95d80ccdee6f1f6d0e552699e376db906551614

SHA512
4e7ebfd51e2cd30c336ca21ef9fc3318abab72a1aaedead5fc1de750ef3e63e20b11adac9a1a5a786a77f30ec257c0c36736944896cd6ce4d3f0ae6afff7b10c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\51Q0CH8WGCGV3ERNRK46.temp

Filesize
7KB

MD5
dac56c8862944a43130a456fc1d114bc

SHA1
0695731c033c1d1cb0e21b971c1147ea4f758f5f

SHA256
108831f0af015f81375ba0b3970ecb41619e0adf26700ccb14104a691282d4cd

SHA512
0c1c6d6733c5ba7fc3f0f26515a705033115ab03ff5dabe324f950923a54f06daad7c23e92f4893e58d1d03ba5cb70a4d3b6a1f26da6dd199de47f4724010e69

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.9MB

MD5
b9a0cf1020dcdb5626c3360003456ab0

SHA1
d21946d5f6b448659c65f17eeae504ef1cae32d3

SHA256
396dcfdfa4b2bc2f01f2e0d68f31eb0713b3912ed36f4c3d39fcb3156a62fbfa

SHA512
bc2d9dfe8278fab426f2aca3f5f9a89c1295558365cbe2ef54728d40ff8910e1893aa274d9c85eb1c6f134f7bec27842d61f27b0192ca990946e8c3caa5149a7

Download Submit
memory/1248-80-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1248-83-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1248-77-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1248-78-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1248-79-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1248-81-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2060-69-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2060-68-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2100-76-0x0000000001140000-0x0000000001148000-memory.dmp

Filesize
32KB

Download
memory/2100-75-0x0000000019FF0000-0x000000001A2D2000-memory.dmp

Filesize
2.9MB

Download
memory/2220-92-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-93-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2220-100-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-91-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-97-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-94-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2220-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3032-41-0x000007FEF62A0000-0x000007FEF6888000-memory.dmp

Filesize
5.9MB

Download