xmrig | 8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
Size

4.9MB
MD5

3d375d10b594f69c51b80948ec0e4c03
SHA1

439779b78363df27d5874efb256aa5e415e0b8b3
SHA256

8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704
SHA512

635d39a32aa3c01cf2d7c5910639da9dbc7f661daba92d0b6c6d543123aa84bfac86dc7c72d6f88ace93d4d2b520e5020094d11f8d78c6859ea68265e8dad560
SSDEEP

98304:VlPQoHOVR78LR77DWaPL+RbDQuAv9QyhT/UxEdmrm:VGoHWB6Uaz+RfQBlhL8Edf

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2656-7-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-6-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-10-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-11-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-9-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-12-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-13-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-14-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2656-15-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2748	powercfg.exe
1548	powercfg.exe
2668	powercfg.exe
2764	powercfg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 2656	1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe	36

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-7-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-6-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-5-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-4-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-2-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-3-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-1-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-10-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-11-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-9-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-12-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-13-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-14-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2656-15-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2668	powercfg.exe
Token: SeShutdownPrivilege	1548	powercfg.exe
Token: SeShutdownPrivilege	2748	powercfg.exe
Token: SeShutdownPrivilege	2764	powercfg.exe
Token: SeLockMemoryPrivilege	2656	explorer.exe
Token: SeLockMemoryPrivilege	2656	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2656	1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe	36
PID 1596 wrote to memory of 2656	1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe	36
PID 1596 wrote to memory of 2656	1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe	36
PID 1596 wrote to memory of 2656	1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe	36
PID 1596 wrote to memory of 2656	1596	8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe	36

C:\Users\Admin\AppData\Local\Temp\8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe
"C:\Users\Admin\AppData\Local\Temp\8f861c2089520549eb6c1eb3cba713a8316ffe9f3573199e27cb48bd5e1ca704.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-7-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-8-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/2656-6-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-5-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-4-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-2-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-3-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-1-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-10-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-11-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-9-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-12-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-13-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-14-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2656-15-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download