xmrig | 241795ffe4c6263f79c969214c7f2ff712ff1209bacd823e1423700ab8e0c841

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XeonV1.exe
Size

55KB
MD5

27cf43587e38d4f262ae7324d09db221
SHA1

746ef1082175139efadd9316cbd2bb98e5c6b41e
SHA256

241795ffe4c6263f79c969214c7f2ff712ff1209bacd823e1423700ab8e0c841
SHA512

db0ea94dbfeda5c3eeff2c7e1f8d7a5e22a55b55fce9cf30b3a96795b0b185713ab64d16bc74d8bcc2f26ff13cc97dddcf9fa5613e1f2343a8609d81b60ba0d9
SSDEEP

768:oBFKm7cEFqzf0nQ5K++6TOAOCZ8vLDVr6Ypa2AvzKt3Df2UAG6F:oBFN7Szf1YlEOnCCvLp1pGC3D+UAGO

Score

10^/10

xmrig agilenet miner persistence

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/4964-19-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-21-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-18-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-17-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-16-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-28-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-31-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-32-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-30-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-29-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-25-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-23-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-22-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-20-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-33-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/4964-34-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/816-4-0x000000001EA50000-0x000000001F2BC000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XeonV1 = "C:\\Users\\Admin\\Documents\\XeonV1.pif"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
52	pastebin.com
53	pastebin.com

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2692	powercfg.exe
4988	powercfg.exe
1804	powercfg.exe
2084	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 2028	816	XeonV1.exe	91
PID 2028 set thread context of 4964	2028	XeonV1.exe	114

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
816	XeonV1.exe
2028	XeonV1.exe
2028	XeonV1.exe
2028	XeonV1.exe
2028	XeonV1.exe
2028	XeonV1.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	XeonV1.exe
Token: SeShutdownPrivilege	2084	powercfg.exe
Token: SeCreatePagefilePrivilege	2084	powercfg.exe
Token: SeShutdownPrivilege	1804	powercfg.exe
Token: SeCreatePagefilePrivilege	1804	powercfg.exe
Token: SeShutdownPrivilege	4988	powercfg.exe
Token: SeCreatePagefilePrivilege	4988	powercfg.exe
Token: SeShutdownPrivilege	2692	powercfg.exe
Token: SeCreatePagefilePrivilege	2692	powercfg.exe
Token: SeLockMemoryPrivilege	4964	explorer.exe
Token: SeLockMemoryPrivilege	4964	explorer.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe
4964	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 3460	816	XeonV1.exe	83
PID 816 wrote to memory of 3460	816	XeonV1.exe	83
PID 3460 wrote to memory of 1764	3460	cmd.exe	85
PID 3460 wrote to memory of 1764	3460	cmd.exe	85
PID 816 wrote to memory of 1872	816	XeonV1.exe	87
PID 816 wrote to memory of 1872	816	XeonV1.exe	87
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 816 wrote to memory of 2028	816	XeonV1.exe	91
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114
PID 2028 wrote to memory of 4964	2028	XeonV1.exe	114

C:\Users\Admin\AppData\Local\Temp\XeonV1.exe
"C:\Users\Admin\AppData\Local\Temp\XeonV1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "XeonV1" /t REG_SZ /F /D "C:\Users\Admin\Documents\XeonV1.pif"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "XeonV1" /t REG_SZ /F /D "C:\Users\Admin\Documents\XeonV1.pif"
    3⤵
    - Adds Run key to start application
    PID:1764
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\XeonV1.exe" "C:\Users\Admin\Documents\XeonV1.pif"
  2⤵
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\XeonV1.exe
  C:\Users\Admin\AppData\Local\Temp\XeonV1.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-0-0x00007FFD35BC3000-0x00007FFD35BC5000-memory.dmp

Filesize
8KB

Download
memory/816-1-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/816-2-0x000000001C140000-0x000000001C1B6000-memory.dmp

Filesize
472KB

Download
memory/816-3-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/816-4-0x000000001EA50000-0x000000001F2BC000-memory.dmp

Filesize
8.4MB

Download
memory/816-5-0x00000000010B0000-0x00000000010CE000-memory.dmp

Filesize
120KB

Download
memory/816-13-0x00007FFD35BC0000-0x00007FFD36681000-memory.dmp

Filesize
10.8MB

Download
memory/2028-10-0x0000000140000000-0x0000000140C83000-memory.dmp

Filesize
12.5MB

Download
memory/2028-9-0x0000000140000000-0x0000000140C83000-memory.dmp

Filesize
12.5MB

Download
memory/2028-12-0x0000000140000000-0x0000000140C83000-memory.dmp

Filesize
12.5MB

Download
memory/2028-27-0x0000000140000000-0x0000000140C83000-memory.dmp

Filesize
12.5MB

Download
memory/4964-15-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-30-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-17-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-21-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-16-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-26-0x0000000000BC0000-0x0000000000BE0000-memory.dmp

Filesize
128KB

Download
memory/4964-28-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-31-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-32-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-18-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-29-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-19-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-25-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-23-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-22-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-20-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-33-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4964-34-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download