xmrig | 1c178d1f4290d4abc830797b690a00c038b4132ea1493ebbaf7bce85da7fc9d8

Analysis

max time kernel
110s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SheetRat.tar
Size

102.6MB
MD5

94aafa0ee17be68beaecaae97228234d
SHA1

d45788aae967ca91a54fdf1f7d7503e318e1553f
SHA256

1c178d1f4290d4abc830797b690a00c038b4132ea1493ebbaf7bce85da7fc9d8
SHA512

ffd6108264f611480d551cc87bbc927897f5bc52d2628d3ca7064a4daf2a35ba3544f4a21c658d1781948d57d4bece39f7e0b6522630b2b3df64e69022d82a33
SSDEEP

1572864:/GvbzPJt+gDl2YY4vu0Wmkt9YpG3fLh5cXBgAUJBBmT8LySqAxKQ:/cmskt9YpG3fLh5cxgAUJBBmT8m8KQ

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023d7e-294.dat	family_xmrig
behavioral2/files/0x0007000000023d7e-294.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

pid	Process
3876	ethminer.exe
4300	xmrminer.exe
1608	Client.exe
940	Server.exe
4272	Server.exe
3392	Server.exe

Loads dropped DLL 30 IoCs

pid	Process
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
4272	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe
3392	Server.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
216	940	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4480	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4480	7zFM.exe
Token: 35	4480	7zFM.exe
Token: SeSecurityPrivilege	4480	7zFM.exe
Token: SeSecurityPrivilege	4480	7zFM.exe
Token: SeDebugPrivilege	4272	Server.exe
Token: SeDebugPrivilege	3392	Server.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe
4272	Server.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SheetRat.tar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3192

C:\Users\Admin\Downloads\Stub\ethminer.exe
"C:\Users\Admin\Downloads\Stub\ethminer.exe"
1⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\Downloads\Stub\xmrminer.exe
"C:\Users\Admin\Downloads\Stub\xmrminer.exe"
1⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\Downloads\Stub\Client.exe
"C:\Users\Admin\Downloads\Stub\Client.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\Downloads\Confused\Server.exe
"C:\Users\Admin\Downloads\Confused\Server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 896
  2⤵
  - Program crash
  PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 940 -ip 940
1⤵
PID:3964

C:\Users\Admin\Downloads\Server.exe
"C:\Users\Admin\Downloads\Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4272

C:\Users\Admin\Downloads\Server.exe
"C:\Users\Admin\Downloads\Server.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

Filesize
1.3MB

MD5
14393eb908e072fa3164597414bb0a75

SHA1
5e04e084ec44a0b29196d0c21213201240f11ba0

SHA256
59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

SHA512
f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

Download Submit
C:\Users\Admin\AppData\Local\GMap.NET\TileDBv5\en\Data.gmdb

Filesize
32.2MB

MD5
c1908aa6edfec3602b63e89905c888c4

SHA1
aed61a7a8eada8ef92d91830802fb4ed5bd5e764

SHA256
380d75309abcf9bd7e980b61c41f9262f56c242b4403e555dc2ad18cd310a036

SHA512
99e1971093abca7124d214b6e6445ff5b6dcc6c7f2834fe4c5a4f99e0af0e71403b16c86e3c94b135f628e5632538b38c991a4af17601a9aee942348448a6acd

Download Submit
C:\Users\Admin\AppData\Local\GMap.NET\UrlCache\7A-37-FE-AF-96-76-33-1F-2C-6E-71-1B-6B-95-19-3C-D9-63-B4-06.txt

Filesize
238KB

MD5
b20409aed7813cf875d0d0011e891b93

SHA1
f0bc068937e6a55edac1d83334b11e8602eaa051

SHA256
2cbe36f805a903d3c5c6ccb988e1dafa9fe6b7b2cd5244c7fa8d3ef318fee5dc

SHA512
32336efe4b27b491c6865d8a8f9ac51efaaa4426b4db19f1eec27e93a844da7e2548bb69addc98dadbbe3dcba6080fe1b413bdda8cb12bf1d314809eea3fbacb

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_phqh0gncdah5bxsyjvz4hnyzs52ccelo\1.0.0.0\1jnxouqs.newcfg

Filesize
804B

MD5
64b487e656444f36f5d3d5e649ded5fe

SHA1
c7c9c32f8a326adf0d89a094660b817d29525dfc

SHA256
ac513ab0ab4ff39461b32df326286df46678d06a9cb02010921792f04351d1d4

SHA512
187301a235720b32919dde3ac23f5d33b7d24124585cb26f0027d6b8cc329aa385b59301da663db5be26835c8f40940af3ced9c652dc08311d1dbb72b613b39b

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_phqh0gncdah5bxsyjvz4hnyzs52ccelo\1.0.0.0\user.config

Filesize
311B

MD5
a35bc67d130a4fb76c2c2831cbdddd55

SHA1
66502423bba03870522e50608212b6ee27ebf4c5

SHA256
e94a97e512fbc8ed9f5691d921fdeddbff4cc16b024c5335adf66bff3a7a8192

SHA512
4401b234d7914afa860e356be1667cc5f44402255f7cc6cc3d8df80883167f6b55463e62156df57be697ee501897fac61a71f97911c6fdb6630272341ac8a07e

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_phqh0gncdah5bxsyjvz4hnyzs52ccelo\1.0.0.0\user.config

Filesize
561B

MD5
2e8ab7cdc2081c09a98f6c5593909409

SHA1
282769c943f8ab0429315869466d042a99de95f4

SHA256
17eee8708a1bbc35422e6ad9b6eff3bec4f8a8b8a87cce8e6cc0da2d94c9b3ae

SHA512
b815e0deaea5348d5ec68cdba3e4b5018e6224299f170859181f90961831b7d14deda144b32d64b11f8da7f4cbdb0b86a8d253b0ee179df68baac274a363ef2a

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_phqh0gncdah5bxsyjvz4hnyzs52ccelo\1.0.0.0\user.config

Filesize
434B

MD5
cfcf8e91857f364e002065c52ff8f91c

SHA1
8407ecb3c33a1f3fcf18a723e6884acf7e5a0f4a

SHA256
572dda8c7f211dc6a4efc7aecb4a54cb4e0ced1e4c9a4b9f96bb329c983c64e6

SHA512
364fecac3a051441b4fefcebb2cc9e38632f99dd04593cd5d9b148986afb09b195e88cdbfa2e778b8934564b76d04fe053f919f0a60769b023f2f753ede06d1e

Download Submit
C:\Users\Admin\AppData\Local\Server\Server.exe_Url_phqh0gncdah5bxsyjvz4hnyzs52ccelo\1.0.0.0\xo1eix0e.newcfg

Filesize
687B

MD5
b18785caae8834f89e34cde89b93cafc

SHA1
cee194149b484295ddba88111a251986bdc0c7af

SHA256
105971bbe15f24f50dad97d466b55222e52dfdb4a71b1b3a6452cfba28a10811

SHA512
fb108e2997a0ea7bce21113118997f358d73a43a40e2b4b9962738cd88dc6d9dfc17e17e63c8ba8c5a5504e5775fbe9e8084ee8e6086cf0eab709335ed8b282c

Download Submit
C:\Users\Admin\Downloads\ConfigBulid.json

Filesize
41KB

MD5
01a84fe18baf4f88a7dcab2798738079

SHA1
255cdab958d769252ebdec6335e1f2b77788c8d2

SHA256
f56dcd69405ba5873cee3fbabdc830b1f87853d1257048fe8cc0d0e30f83c2c7

SHA512
921bb1dc8ffa71c54fe06e9c29b573f5a74e788f531fbd0d9104bdfc0f748dce7e7417e535d1b7d8a1cb222eda4faa3ed870573b545a545a3f40685fcd72b328

Download Submit
C:\Users\Admin\Downloads\Confused\Server.exe

Filesize
1.8MB

MD5
2f4953747860b6b9f5e2d281ad7b33ed

SHA1
b3c494f18efc33201bfeb70c46a20305e9e6a4c1

SHA256
b497e24534343529d5393ebdbb2d9f7418ee984621a1ac17c61f6b69a19ea548

SHA512
e64337f8cb3491b0962c9caa6a44fb6dbeb4d439b1ea9959475b85244537ada732a894199c77f56c92fa28f676ffac371c84769acdcac7400493f9042710c765

Download Submit
C:\Users\Admin\Downloads\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Downloads\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Downloads\Maps.json

Filesize
233B

MD5
bb8d322795b10b15ff030c4e4398e2ce

SHA1
c9907348cee1f64164c4c80ce296385677b8877f

SHA256
bc563aa602af092bf0d18c24e090a0478bc62f71abf684069abaf933b09e3541

SHA512
934ff9cd97c6726be393df1a0384d01b75cbbf9216ae3ae05ee7b1da1ac6ae7b88d9b80345b6582136d380f16e05aea2a5d50b64fbe892f01fe6c4c7a216f807

Download Submit
C:\Users\Admin\Downloads\MetroFramework.Fonts.dll

Filesize
656KB

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\Downloads\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\Downloads\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Downloads\Server.exe

Filesize
1.3MB

MD5
dd6667db55acaefa2d7e99dcf5d97a26

SHA1
c1b281ef573df4da584294c61b5322edfed589ad

SHA256
ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238

SHA512
916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1

Download Submit
C:\Users\Admin\Downloads\Server.exe.config

Filesize
7KB

MD5
2083876ec03ad06e5c16490fcb4ab8b6

SHA1
b8f50f08abd53225c046912471dfd271a98cf15a

SHA256
28026de2c65972cb8fac1ff2865c33e24d1086f7242b2fe951cef172909ad128

SHA512
b16f1fbe8e10b66079d83a46818423fb2e2e8619cbdc1427ce0cd27f06092af52bcc003755e939320cf84f8cc5a26c92e43041013fe3ef60c7d73d8624ee6096

Download Submit
C:\Users\Admin\Downloads\Stub\Client.exe

Filesize
47KB

MD5
a0e04bf9b43f0b442bd3193f06dc52b5

SHA1
30bb0c17640c414d948ed3e2fdf571b98f125efb

SHA256
71824238c3baec179911bd6e4655ebff234e15d0f14248077e2c388ef4337009

SHA512
d7015f5c8223ba0f4e3b478185fa3e4de0831aee949302185fdc8b3afe59105fe096a3e5ee23219a1c16dfcbc77d169a82774ecd727ef98bdb94a878583a2ae2

Download Submit
C:\Users\Admin\Downloads\Stub\ethminer.exe

Filesize
4.4MB

MD5
38cfdd6cac508c40137ee45dc6857a59

SHA1
199f87fd7bb827b75543141acf580f4e53417595

SHA256
7ca69c624f9745a11ece45baaec80a3e7b596199d4997b4a3a07caecb0cb02d7

SHA512
d4dc8f03288c09c82308025e138c027335067cd6b88ef078ae6a6ec2a79f12e69628ca52a08c19cf0b985acee301c0b823b42ef9830fa94c305f2377c29deb50

Download Submit
C:\Users\Admin\Downloads\Stub\xmrminer.exe

Filesize
4.9MB

MD5
f97406a10af445519bbb391b22366978

SHA1
400339e335bc0352a9a342008c1d146cddb1b2d2

SHA256
4766966b4c125dcdbba55f6d9beacc371ee9700e0f10900a35ef9f15b3357022

SHA512
1df48a68e2458109d4cbc0331ab11c1c76558d617c2a70d6f60ca3783aea7c895f05204d647986d28b8d6e48f6479e68c4b9e87176a8761219ae4b636a37c6f0

Download Submit
C:\Users\Admin\Downloads\Themes.json

Filesize
33B

MD5
fdf6d963491b41d9ba798f60fe27ef8c

SHA1
4908bfc78d191f60ab583fe093bc579fd5ff06a3

SHA256
bfe1437218dd94ccd078a8683f59b65e28d8d63defa7f419b2cef81bc031a7bf

SHA512
96e5981739a3328387aaf80b6b6a071dc7a2135d5bdaa99b638527b9cd82eb514d21d27a26445a01082a4ba8811ac130a671690e51cf780fd66acdd3a12a3c25

Download Submit
C:\Users\Admin\Downloads\cGeoIp.dll

Filesize
2.3MB

MD5
6d6e172e7965d1250a4a6f8a0513aa9f

SHA1
b0fd4f64e837f48682874251c93258ee2cbcad2b

SHA256
d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

SHA512
35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

Download Submit
memory/940-302-0x0000000000A90000-0x0000000000C72000-memory.dmp

Filesize
1.9MB

Download
memory/940-303-0x0000000007BA0000-0x0000000007C5A000-memory.dmp

Filesize
744KB

Download
memory/1608-299-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/4272-307-0x0000000000760000-0x00000000008A8000-memory.dmp

Filesize
1.3MB

Download
memory/4272-308-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/4272-349-0x0000000009540000-0x000000000958C000-memory.dmp

Filesize
304KB

Download
memory/4272-312-0x0000000005100000-0x000000000515C000-memory.dmp

Filesize
368KB

Download
memory/4272-332-0x00000000094F0000-0x0000000009512000-memory.dmp

Filesize
136KB

Download
memory/4272-331-0x0000000009C10000-0x0000000009F64000-memory.dmp

Filesize
3.3MB

Download
memory/4272-330-0x0000000009640000-0x0000000009922000-memory.dmp

Filesize
2.9MB

Download
memory/4272-387-0x000000000A110000-0x000000000A14C000-memory.dmp

Filesize
240KB

Download
memory/4272-388-0x000000000A0D0000-0x000000000A0F1000-memory.dmp

Filesize
132KB

Download
memory/4272-337-0x0000000009930000-0x0000000009A7B000-memory.dmp

Filesize
1.3MB

Download
memory/4272-401-0x000000000E450000-0x000000000E502000-memory.dmp

Filesize
712KB

Download
memory/4272-326-0x0000000009320000-0x000000000934C000-memory.dmp

Filesize
176KB

Download
memory/4272-322-0x0000000008200000-0x00000000082AA000-memory.dmp

Filesize
680KB

Download
memory/4272-318-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/4272-317-0x0000000005EC0000-0x0000000006112000-memory.dmp

Filesize
2.3MB

Download
memory/4272-313-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/4300-296-0x00000237AE230000-0x00000237AE250000-memory.dmp

Filesize
128KB

Download