xmrig | 08c2de9da96a9659f95e6165d5edac0fc63d86f352963006fbf0f7942372aca9

Analysis

max time kernel
34s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adivina.exe
Size

1.1MB
MD5

af5da19a79e9e320c95617de8ce637e0
SHA1

67e35d7d633d262f587342afbc508cdf8319d4c8
SHA256

08c2de9da96a9659f95e6165d5edac0fc63d86f352963006fbf0f7942372aca9
SHA512

a03949fb551bb70f71f17045a89b538398ff1018f7ce477670631787df193f297390ad79b15f6bec0bd943aafe4d00d5ef15c450064d8afc12aaa8ad19508d89
SSDEEP

24576:L5WSWbZuFbWHS8Zti1tauerlxK+sf0N8zHM/F0GBP87xaVUhffp10NwyG8:LUSQZuFai3aLrHK+fN8zHM2hf70NwyG8

Score

10^/10

xmrig execution miner

Malware Config

Signatures

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/files/0x000c000000023b3f-15.dat	family_xmrig_powershell_dropper

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	1456	powershell.exe
18	1456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1456	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1	adivina.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\xmrig.zip	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	powershell.exe
1456	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1456	5032	adivina.exe	84
PID 5032 wrote to memory of 1456	5032	adivina.exe	84

C:\Users\Admin\AppData\Local\Temp\adivina.exe
"C:\Users\Admin\AppData\Local\Temp\adivina.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming/Microsoft/Windows/Start Menu/Programs/Startup\temp.ps1" -Verb RunAs
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jiizb3tp.lfc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.ps1

Filesize
2KB

MD5
4c59dccd5e94fa645fbae1d5e1d8ae2e

SHA1
63e020ad387e5aed855f933644dcfa1f3a4a270f

SHA256
453ad2634b5f8097b3535b59cbcd5e8819df842066d6f3d4ddc441cf491309e4

SHA512
45fec6758fffc8b89729da0eec11e841ea4a10012aec6214c9fc70be22709fb3a382a34ca7fadd376b7fe51b024e88de05c06d185637fd33a1d663b9852b7744

Download Submit
memory/1456-2-0x00007FFA5ACB3000-0x00007FFA5ACB5000-memory.dmp

Filesize
8KB

Download
memory/1456-8-0x000002434D210000-0x000002434D232000-memory.dmp

Filesize
136KB

Download
memory/1456-13-0x00007FFA5ACB0000-0x00007FFA5B771000-memory.dmp

Filesize
10.8MB

Download
memory/1456-14-0x00007FFA5ACB0000-0x00007FFA5B771000-memory.dmp

Filesize
10.8MB

Download
memory/1456-16-0x00007FFA5ACB0000-0x00007FFA5B771000-memory.dmp

Filesize
10.8MB

Download
memory/1456-17-0x000002434D240000-0x000002434D45C000-memory.dmp

Filesize
2.1MB

Download
memory/1456-19-0x00007FFA5ACB0000-0x00007FFA5B771000-memory.dmp

Filesize
10.8MB

Download
memory/1456-20-0x00007FFA5ACB0000-0x00007FFA5B771000-memory.dmp

Filesize
10.8MB

Download
memory/1456-22-0x00007FFA5ACB0000-0x00007FFA5B771000-memory.dmp

Filesize
10.8MB

Download
memory/5032-1-0x00007FF74F0B0000-0x00007FF74F18F000-memory.dmp

Filesize
892KB

Download