xmrig | 9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe
Size

3.6MB
MD5

e7dd06d1755e37f24bf7971c4a2b26b0
SHA1

0e52e6641b80a32c065d7c0b057be4e4e42c76f3
SHA256

9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2
SHA512

98f09450f9f6b1acdc5945912d7db68ea9f1543959ba897ad262408b5686cd15345108b68e6b21647a0685dfcc63f80c6929308b2d55cd1ffce7d6e2abf6e549
SSDEEP

49152:mM1J3BYJUY53ZzpN66OMkhsBA/YV5IY96tOoNyki3BcmNxh+PRmOMhR:mM1J36Jbp3bBA/8IYCbYtxcm5+ZS

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3444-61-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-65-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-67-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-66-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-64-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-62-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-68-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-70-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3444-69-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3656	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe

Executes dropped EXE 1 IoCs

pid	Process
5080	miner.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	miner.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 3444	5080	miner.exe	103

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3444-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-57-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-61-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-65-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-67-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-66-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-64-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-62-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-60-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-59-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-58-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-68-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-70-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3444-69-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	miner.exe
3656	powershell.exe
3656	powershell.exe
5080	miner.exe
5080	miner.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe
3444	nslookup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeLockMemoryPrivilege	3444	nslookup.exe
Token: SeLockMemoryPrivilege	3444	nslookup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 5080	3424	9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe	85
PID 3424 wrote to memory of 5080	3424	9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe	85
PID 5080 wrote to memory of 3444	5080	miner.exe	103
PID 5080 wrote to memory of 3444	5080	miner.exe	103
PID 5080 wrote to memory of 3444	5080	miner.exe	103
PID 5080 wrote to memory of 3444	5080	miner.exe	103
PID 5080 wrote to memory of 3444	5080	miner.exe	103
PID 996 wrote to memory of 2344	996	cmd.exe	104
PID 996 wrote to memory of 2344	996	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe
"C:\Users\Admin\AppData\Local\Temp\9294c121323fdee121ca0dc25c6e284cfba69b5726f4e6e96ac90e38e3611bc2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\miner.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2344
- - C:\Windows\system32\nslookup.exe
    nslookup.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_013z2gam.yly.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\miner.exe

Filesize
2.5MB

MD5
51008d7f16a1f789d0533fa1493f7612

SHA1
029ee8309574c2f7cda22fb9f39dc6d3d7823d59

SHA256
a4427bb9a4c25452834e177f7ba3c47f27c9782ef9e5bda753100aee306dee1a

SHA512
da4aca63a6401cad008474d13cf1ec42343bea5ea2deeef635b9cdade7e339029620522a43f258a23155fabc9cffc47da20d60c32e080b1e0b3cdafe3e87bb7d

Download Submit
memory/3424-1-0x0000000000430000-0x00000000007C6000-memory.dmp

Filesize
3.6MB

Download
memory/3424-2-0x000000001C770000-0x000000001C97E000-memory.dmp

Filesize
2.1MB

Download
memory/3424-5-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/3424-38-0x00007FFA89BB0000-0x00007FFA8A671000-memory.dmp

Filesize
10.8MB

Download
memory/3424-0-0x00007FFA89BB3000-0x00007FFA89BB5000-memory.dmp

Filesize
8KB

Download
memory/3444-66-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-65-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-69-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-70-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-68-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-56-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-63-0x000001F7FDA00000-0x000001F7FDA20000-memory.dmp

Filesize
128KB

Download
memory/3444-57-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-61-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-58-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-67-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-59-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-64-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-62-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3444-60-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3656-39-0x00007FFA89230000-0x00007FFA89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-49-0x000001E76C610000-0x000001E76C632000-memory.dmp

Filesize
136KB

Download
memory/3656-54-0x00007FFA89230000-0x00007FFA89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-51-0x00007FFA89230000-0x00007FFA89CF1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-50-0x00007FFA89230000-0x00007FFA89CF1000-memory.dmp

Filesize
10.8MB

Download