xmrig | 9c2b49dde271accdeb74a011a6091c6d7ed432326d24d424bc547eb57c343a6f

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/7UlMpzX.exe
Size

7.2MB
MD5

e0a1a022d91e3dae3a9c14bbb4541a01
SHA1

2d98ea30dd016810f927ec71fa42bef317570248
SHA256

daa5a2f0707c44c65277c13161e7016e028fb77f87765ecc12203700b92742eb
SHA512

4bc7dc56d2700bad42b1a57830240b8008a1c25e28683d5fe6714fb18d0c6debe68912797975c0ff391cd95e8828ff6fa9fb99ed4fe0a60a317cb2f39d3fb4ba
SSDEEP

98304:Bh7bxT9owDrvzsex+ZX2vkPPAKMjOntYRmyzETNcsK:HJ3vzsA+kcwKZntYRmyzETK7

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x0005000000019284-60.dat	family_xmrig
behavioral1/files/0x0005000000019284-60.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 6 IoCs

pid	Process
2808	SettingsHandlers.OneDriveSaving.exe
2732	OneDriveSavingService.exe
2668	ShellKernelBridge.exe
1636	VirtualBoxNetworkBridge.exe
2912	winDriverChipsetService.exe
2112	Z9A6Elb8S.bin

Loads dropped DLL 13 IoCs

pid	Process
2676	7UlMpzX.exe
2808	SettingsHandlers.OneDriveSaving.exe
2732	OneDriveSavingService.exe
2732	OneDriveSavingService.exe
2732	OneDriveSavingService.exe
2732	OneDriveSavingService.exe
2732	OneDriveSavingService.exe
2732	OneDriveSavingService.exe
2732	OneDriveSavingService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe
2912	winDriverChipsetService.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2112	Z9A6Elb8S.bin

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2808	2676	7UlMpzX.exe	31
PID 2676 wrote to memory of 2808	2676	7UlMpzX.exe	31
PID 2676 wrote to memory of 2808	2676	7UlMpzX.exe	31
PID 2808 wrote to memory of 2732	2808	SettingsHandlers.OneDriveSaving.exe	32
PID 2808 wrote to memory of 2732	2808	SettingsHandlers.OneDriveSaving.exe	32
PID 2808 wrote to memory of 2732	2808	SettingsHandlers.OneDriveSaving.exe	32
PID 2732 wrote to memory of 2668	2732	OneDriveSavingService.exe	33
PID 2732 wrote to memory of 2668	2732	OneDriveSavingService.exe	33
PID 2732 wrote to memory of 2668	2732	OneDriveSavingService.exe	33
PID 2732 wrote to memory of 1636	2732	OneDriveSavingService.exe	34
PID 2732 wrote to memory of 1636	2732	OneDriveSavingService.exe	34
PID 2732 wrote to memory of 1636	2732	OneDriveSavingService.exe	34
PID 2732 wrote to memory of 2912	2732	OneDriveSavingService.exe	35
PID 2732 wrote to memory of 2912	2732	OneDriveSavingService.exe	35
PID 2732 wrote to memory of 2912	2732	OneDriveSavingService.exe	35
PID 2912 wrote to memory of 2112	2912	winDriverChipsetService.exe	36
PID 2912 wrote to memory of 2112	2912	winDriverChipsetService.exe	36
PID 2912 wrote to memory of 2112	2912	winDriverChipsetService.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7UlMpzX.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe
      "C:/Users/Admin/AppData/Local/Microsoft/ShellKernelBridge.exe"
      4⤵
      Executes dropped EXE
      PID:2668
  - - C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe
      "C:/Users/Admin/AppData/Roaming/Oracle/VirtualBoxNetworkBridge.exe"
      4⤵
      Executes dropped EXE
      PID:1636
  - - C:\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe
      "C:/Users/Admin/AppData/Local/DriverStore/winDriverChipsetService.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin
        
        "C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\VCRUNTIME140.dll

Filesize
126KB

MD5
7af17bfd24be72d5376c9c5ce86bef54

SHA1
23bf5fa4c467f28990cc878ef945f9f5db616b75

SHA256
bf28f4d89ea74cb5cecbf42b951bf0629d71efa6525cc58aee71aa5e06f1198a

SHA512
0783c5dae87f110cc9bb61355c92c4ef3a96f484bbce6354d7f4130bb92ffb655974fcac4fe11c8923dd81ddade7fa92c8e3d9c43d0a3d0a24dd3d30e626fb5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\libcrypto-3-x64.dll

Filesize
6.3MB

MD5
8d9dc42ffefe2b3443add056784c98fb

SHA1
c2a97d2a372e4badacac196a1f6bcbecdcd35940

SHA256
d45ff6fdb2911d07efc3d47a2e0298534eab617d63e9eebd358d1686ed0992aa

SHA512
e04e07e7c7a8f9b9b98ca0e94767a64808295290a936b50786e06f6a65207dd6ee4fd423bc3e1639186005767e0522c3dd7ba23ac0cbe50116249717fd6c3b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\msvcp140.dll

Filesize
569KB

MD5
d424100821374848f3c22d0acd55ad69

SHA1
8e4f879faece2d5171b3d398202c74b7286c50b1

SHA256
a6e45d08e347eddc955e5074354fc9e98a48ee75587b73a18d01943527cf05a8

SHA512
f78085cbba49c4c2c4441d1483e63e9222ec5b4282b89c1e0c1ea0790972e5de452f82e61ceae7324c7466d33b9a5fc6224594cf574068c69bf949e94fb86ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\vcruntime140_1.dll

Filesize
58KB

MD5
e2520906be67a9bde01ebe9e0a53aab5

SHA1
9a9e445a47508ba5e1126791a863107060d258a1

SHA256
fd8ee0936d0380962830e9c1a132b8b7bf25084cb342bb064f699a2daa343bc4

SHA512
6616df46da37f656ac3e1fe7b371792b249e3ff97f2cbcefc19e7854e384aba88f63e7afc7c81ba14d3d15d309146986b23e25c071f4d0150429009de110e9c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\SettingsHandlers.OneDriveSaving.exe

Filesize
7.1MB

MD5
73913f6963f89dbf98c4f716ee545b8f

SHA1
c343d9b82c0680131ded13626029b65092276486

SHA256
fadbefdced9db4132541cca2fdb0a8da8d35757900150404c626cae9ab81d61a

SHA512
ccd744dad29ff8e98e7370cbb5f23b2a2f3b6c51f6afb12c2f84e85a1b71a7393ece650d26862569b0190d71a2e53a49f3b85b386fa3214fc4fa03300be80df2

Download Submit
C:\Users\Admin\AppData\Local\NhNotifSys\Z9A6Elb8S.bin

Filesize
7.1MB

MD5
7e34d2d140ef1a30edc86f38740ac4dc

SHA1
c24ebc49edc449c1d13654af4250ba068a02e40c

SHA256
6f4c245f3f7f2b591f8e8ef254e017b99a6b6c9381bfe0b16e2bde0170d242be

SHA512
d26fc00bf161127d9ce83708b18a2dee1d85f94ca7f4cd065a2153ab9c7754926851211ca643e0cd330dece4c86ca4ac01abfac26bd72933d84b51f51c3f4ec9

Download Submit
C:\Users\Admin\AppData\Local\NhNotifSys\config.json

Filesize
259B

MD5
93fd8b513a142f97037826e300804f60

SHA1
07f061d4748e7daf66ae37e8503bfe5db598af0e

SHA256
f87865e5bd6b4419f4c8ea682bcbbbabcc029eefad1381b181e79324f202aea4

SHA512
f7511023530e1466b50b98a8f21ff0f23af94be3c5c6d23ab00ed1de618ef255eda3eee59165d7e2f1474dcf650a2bbac7592860202a6389d0971d322b8b64e3

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\VirtualBoxNetworkBridge.exe

Filesize
8.1MB

MD5
71fab897d51e93631b6f713dc0bc2c1d

SHA1
bff7f15042cb21d985fa128bf64406b755b8a2ae

SHA256
6a3764bee4d71c38181689ebc31fa2e78c268b43aff50bd07d0002429a4f49d9

SHA512
40b1de1a05ab68aea8bf83fe2f46ee795add6d788dc6fb4a8628481f22db7fa200729c002eca6c08b496ed747e8f96380e8f3b7f843f4ec915d1a669bba9a8e7

Download Submit
\Users\Admin\AppData\Local\DriverStore\winDriverChipsetService.exe

Filesize
7.2MB

MD5
264b039e4b1a2357945ef11b21d8e0e2

SHA1
048ac96891a2c27606b020c48a48f3af1691f95a

SHA256
a265f252b49514cfeadbe0b707ca2bb49147040b1893f9b8ddc81d2746bb6c9b

SHA512
4fa9d3a02d0d893e5de9f1661be0e759f4c57dce479d0126050c4baf24f9bd0cc5de6cb297a11668fdbb6801bdf90293402eac7027c228f5ba09f4f25f75a517

Download Submit
\Users\Admin\AppData\Local\Microsoft\OneDrive\SavingsSync\OneDriveSavingService.exe

Filesize
27KB

MD5
37af0a4faa5b323e4cb04bdbd8cca117

SHA1
4aaa6e6994e4ef5f55a155a6c561a3873c2b8e84

SHA256
61a30d43b723b8b2921bc7016325b45b0c055cb28ba83b1364164a4a3df6206f

SHA512
0a6e993e51fd9383c9e813145e8004892618156d45b94741dcf7cf9814214d7c8f8fca295dc639431098758dbd5e241980502f18ca2838c505cce4d0c4c32422

Download Submit
\Users\Admin\AppData\Local\Microsoft\ShellKernelBridge.exe

Filesize
7.2MB

MD5
190087de930ce9c533c4604443f5cabd

SHA1
55d528b565c618d85498ad3fd985dedcb2ed69ae

SHA256
48ce94f595dd7a5749abac13bc30acc30c7136aa315f227dafd99d659bb04d36

SHA512
264bf65deba869e179035eb19d7da6127a718c50a2d70f90b3f03de1167b82d27549811dc0a6cd4947fae8107d94de0a9e32685e3735208e6005576c641e073e

Download Submit
memory/2112-61-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download