xmrig | acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509 | Triage

Submit
Reports

Overview

overview

Static

static

1

acdcc95151...09.vbs

windows7-x64

8

acdcc95151...09.vbs

windows10-2004-x64

Sharing

General

Target

acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509.vbs
Size

12.7MB
Sample

250131-eyn6kayjhz
MD5

f7650386857dd0d31fb2a1e984dfd3b5
SHA1

f273746309e4dff543059ec934895108dd2b6244
SHA256

acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509
SHA512

e8421e56ed514f38780d4c4d3261810c3b7374c3afad7016de0ef50905dba12d2661206162865da93ada5eeb733d9ed985fd2a4f205ee248a2ca3a3fa5607616
SSDEEP

49152:BnxqEP6D/zp8K91y5+30k5xTZq+4+EtVGnKTSB4IpQsBtK+gvA9hZKwPBdko9cgD:C

Score

10^/10

xmrig execution miner persistence

Static task

static1

Behavioral task

behavioral1

Sample

acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509.vbs

Resource

win7-20241010-en

execution persistence

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509.vbs

Resource

win10v2004-20250129-en

xmrig execution miner persistence

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509.vbs
- Size
  
  12.7MB
- MD5
  
  f7650386857dd0d31fb2a1e984dfd3b5
- SHA1
  
  f273746309e4dff543059ec934895108dd2b6244
- SHA256
  
  acdcc9515147f1691ddb2c7cbd352a67ef6f0e57cb72ea593df2bd2fe01f0509
- SHA512
  
  e8421e56ed514f38780d4c4d3261810c3b7374c3afad7016de0ef50905dba12d2661206162865da93ada5eeb733d9ed985fd2a4f205ee248a2ca3a3fa5607616
- SSDEEP
  
  49152:BnxqEP6D/zp8K91y5+30k5xTZq+4+EtVGnKTSB4IpQsBtK+gvA9hZKwPBdko9cgD:C
Score

10^/10

execution persistence xmrig miner
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Power Settings

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

executionpersistence

behavioral2

xmrigexecutionminerpersistence

© 2018-2025

Terms | Privacy