
Windows Analysis Report
xmrig.exe

Overview

General Information

Sample Name: xmrig.exe
Analysis ID: 1315785
MD5: 4813fa6d610e180b097eae0ce636d2aa
SHA1: 1e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA256: 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
Tags: exe

Detection

Xmrig
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Found strings related to Crypto-Mining
Machine Learning detection for sample
Yara signature match
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Potential time zone aware malware
Program does not show much activity (idle)

The last few signatures are generic heuristics rather than evidence of evasion in this run. The console output captured from the process (the single dropped file, ConDrv.0.dr) shows XMRig exiting because it found no config.json next to the binary and no .xmrig.json or .config\xmrig.json in the user profile, which is why the analysis recorded no mining, no DNS or network activity and no written miner configuration. Detection of this sample therefore rests on static evidence: the antivirus verdicts, the embedded XMRig strings and the community YARA rules.

Classification

Process tree (system: w10x64):
  • xmrig.exe (PID: 7316, cmdline: C:\Users\user\Desktop\xmrig.exe, MD5: 4813FA6D610E180B097EAE0CE636D2AA)
    • conhost.exe (PID: 7356, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 86191D9E0E30631DB3E78E4645804358)
Threat name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
YARA matches on the submitted file

Source: xmrig.exe, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: xmrig.exe, Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Author: unknown
  • 0x135558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Source: xmrig.exe, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x6120a9:$a1: mining.set_target
  • 0x603d4a:$a2: XMRIG_HOSTNAME
  • 0x606978:$a3: Usage: xmrig [OPTIONS]
  • 0x603d24:$a4: XMRIG_VERSION
Source: xmrig.exe, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth
  • 0x65b89e:$x1: donate.ssl.xmrig.com
  • 0x65bd79:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  • 0x6ecf13:$s2: \\?\pipe\uv\%p-%lu
Source: xmrig.exe, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen
  • 0x65cf28:$s1: %s/%s (Windows NT %lu.%lu
  • 0x6616a8:$s3: \\.\WinRing0_
  • 0x608aa2:$s4: pool_wallet
  • $s5: cryptonight, 18 hits at 0x603170, 0x60317e, 0x60318d, 0x60319b, 0x6031b0, 0x6031bf, 0x6031cd, 0x6031e2, 0x6031f1, 0x603202, 0x603219, 0x603227, 0x603235, 0x603245, 0x603257, 0x603268, 0x603278, 0x603288

Two of these community rules were written against other platforms (Linux_Trojan_Pornoasset_927f314f carries os = linux, MacOS_Cryptominer_Xmrig_241780a1 carries os = macos) yet fire on this Windows PE32+ because the byte sequence and strings they key on also occur in this binary. Read them as code- and string-pattern hits on XMRig, not as evidence of a Linux or macOS payload.
YARA matches in process memory dumps (all by rule JoeSecurity_Xmrig, "Yara detected Xmrig cryptocurrency miner", author Joe Security; the full report lists 7 entries, 5 are shown here):
  • 00000000.00000002.1011555114.000002A962752000.00000004.00000020.00020000.00000000.sdmp
  • 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp
  • 00000000.00000000.1008449141.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp
  • 00000000.00000002.1011662894.000002A962895000.00000004.00000020.00020000.00000000.sdmp
  • 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp
YARA matches on the unpacked PE 0.0.xmrig.exe.7ff77de30000.0.unpack (5 entries; the string offsets are the same as on the submitted file):
  • JoeSecurity_Xmrig: Yara detected Xmrig cryptocurrency miner (Joe Security)
  • Linux_Trojan_Pornoasset_927f314f (description and author unknown): 0x135558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
  • MacOS_Cryptominer_Xmrig_241780a1 (description and author unknown): 0x6120a9:$a1: mining.set_target; 0x603d4a:$a2: XMRIG_HOSTNAME; 0x606978:$a3: Usage: xmrig [OPTIONS]; 0x603d24:$a4: XMRIG_VERSION
  • MAL_XMR_Miner_May19_1: Detects Monero Crypto Coin Miner (Florian Roth): 0x65b89e:$x1: donate.ssl.xmrig.com; 0x65bd79:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume; 0x6ecf13:$s2: \\?\pipe\uv\%p-%lu
  • MALWARE_Win_CoinMiner02: Detects coinmining malware (ditekSHen): 0x65cf28:$s1: %s/%s (Windows NT %lu.%lu; 0x6616a8:$s3: \\.\WinRing0_; 0x608aa2:$s4: pool_wallet; $s5: cryptonight, 18 hits at 0x603170, 0x60317e, 0x60318d, 0x60319b, 0x6031b0, 0x6031bf, 0x6031cd, 0x6031e2, 0x6031f1, 0x603202, 0x603219, 0x603227, 0x603235, 0x603245, 0x603257, 0x603268, 0x603278, 0x603288
                No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: xmrig.exe, Avira: detected
Source: xmrig.exe, ReversingLabs: Detection: 78%
Source: xmrig.exe, Virustotal: Detection: 77%
Source: xmrig.exe, Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match, file source: xmrig.exe, type: SAMPLE
Source: Yara match, file source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1011555114.000002A962752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.1008449141.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1011662894.000002A962895000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: xmrig.exe PID: 7316, type: MEMORYSTR
Source: xmrig.exe, string found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: xmrig.exe, string found in binary or memory: cryptonight-upx/2
Source: xmrig.exe, string found in binary or memory: -o, --url=URL URL of mining server
Source: xmrig.exe, string found in binary or memory: stratum+tcp://
Source: xmrig.exe, string found in binary or memory: Usage: xmrig [OPTIONS] Network:
Source: xmrig.exe, string found in binary or memory: https://xmrig.com/benchmark/%s
Source: xmrig.exe, string found in binary or memory: https://xmrig.com/docs/algorithms
Source: xmrig.exe, ConDrv.0.dr, string found in binary or memory: https://xmrig.com/wizard
Source: xmrig.exe, string found in binary or memory: https://xmrig.com/wizard%s
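The Stratum indicators in this section (stratum+ssl://randomx.xmrig.com:443, stratum+tcp://, the mining.set_target method name and the "%s/%s (Windows NT %lu.%lu" agent format string) are string hits only: the run never contacted a pool because no configuration was found, which is why the Snort, DNS and contacted-host sections are empty. The following is an added example, not code from the Joe Sandbox report or from XMRig, showing what the corresponding JSON-RPC traffic looks like on the wire and how a detector would flag it. The messages in SAMPLE_EXCHANGE are constructed: the method names are those of the cryptonote Stratum dialect XMRig speaks (login, job, submit, keepalived) plus the mining.* dialect behind the mining.set_target string, and the wallet, pool, session and job values are placeholders.

```python
"""Detect XMRig Stratum (JSON-RPC over TCP/TLS) mining traffic in captured payloads.

Added example, not part of the Joe Sandbox report or of XMRig. SAMPLE_EXCHANGE
is a constructed exchange with placeholder wallet/pool/job values; the agent
string follows the "%s/%s (Windows NT %lu.%lu" format quoted in the report.
"""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# URL schemes XMRig accepts on -o/--url (both appear as strings in the report).
STRATUM_SCHEMES = {"stratum+tcp", "stratum+ssl"}

# Cryptonote Stratum methods (login/job/submit/keepalived) and the mining.*
# dialect whose mining.set_target string the YARA rule matched on.
MINER_METHODS = {"login", "job", "submit", "keepalived",
                 "mining.subscribe", "mining.authorize", "mining.set_target",
                 "mining.notify", "mining.submit"}

# "XMRig/6.20.0 (Windows NT 10.0; Win64; x64) ..." as built from "%s/%s (Windows NT %lu.%lu".
AGENT_RE = re.compile(r"^XMRig/(\d+\.\d+\.\d+)")

# Constructed exchange (not a real capture): client login, pool reply with a job,
# a share submission, and an unrelated JSON-RPC message that must not be flagged.
SAMPLE_EXCHANGE = [
    ("client", b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
               b'"pass":"x","agent":"XMRig/6.20.0 (Windows NT 10.0; Win64; x64) libuv/1.44.2 msvc/2019",'
               b'"algo":["rx/0","cn/r"]}}\n'),
    ("server", b'{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"sess-1","job":{"blob":"0e0e",'
               b'"job_id":"job-1","target":"b88d0600","algo":"rx/0","height":1},"status":"OK"}}\n'),
    ("client", b'{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"sess-1","job_id":"job-1",'
               b'"nonce":"a1b2c3d4","result":"00ff"}}\n'),
    ("client", b'{"jsonrpc":"2.0","id":7,"method":"ping","params":{}}\n'),
]


def classify_pool_url(url: str) -> Optional[dict]:
    """Return host/port/tls for a Stratum pool URL, None for any other URL."""
    parts = urlsplit(url)
    if parts.scheme not in STRATUM_SCHEMES or not parts.hostname:
        return None
    return {"host": parts.hostname, "port": parts.port, "tls": parts.scheme == "stratum+ssl"}


def inspect_payload(direction: str, payload: bytes) -> list:
    """Flag Stratum indicators in one newline-delimited JSON-RPC payload."""
    findings = []
    for line in payload.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # not JSON: Stratum is always JSON-RPC, so skip it
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if method in MINER_METHODS:
            findings.append(f"{direction}: stratum method {method}")
        params = msg.get("params")
        if isinstance(params, dict):
            m = AGENT_RE.match(str(params.get("agent", "")))
            if m:
                findings.append(f"{direction}: XMRig agent version {m.group(1)}")
            if method == "login" and params.get("login"):
                findings.append(f"{direction}: wallet/login {params['login']}")
        result = msg.get("result")
        if isinstance(result, dict) and isinstance(result.get("job"), dict):
            findings.append(f"{direction}: pool accepted login, job id {result['job'].get('job_id')}")
    return findings


def scan_exchange(exchange) -> list:
    """Run inspect_payload over a list of (direction, payload) pairs."""
    out = []
    for direction, payload in exchange:
        out.extend(inspect_payload(direction, payload))
    return out


if __name__ == "__main__":
    print(classify_pool_url("stratum+ssl://randomx.xmrig.com:443"))
    for finding in scan_exchange(SAMPLE_EXCHANGE):
        print(finding)
```

Because the miner's first message carries both the wallet and the agent string, a single login request is enough to attribute the traffic; the pool reply with a job object confirms the connection was accepted rather than refused.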

                System Summary

Source: xmrig.exe (SAMPLE), 0.0.xmrig.exe.7ff77de30000.0.unpack and 0.2.xmrig.exe.7ff77de30000.0.unpack (UNPACKEDPE): matched rules Linux_Trojan_Pornoasset_927f314f (author unknown), MacOS_Cryptominer_Xmrig_241780a1 (author unknown), MAL_XMR_Miner_May19_1 "Detects Monero Crypto Coin Miner" (Florian Roth) and MALWARE_Win_CoinMiner02 "Detects coinmining malware" (ditekSHen)
Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp and 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp (MEMORY): matched rule MacOS_Cryptominer_Xmrig_241780a1
Source: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp and 00000000.00000000.1007101636.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp (MEMORY): matched rule Linux_Trojan_Pornoasset_927f314f
Source: Process Memory Space: xmrig.exe PID: 7316 (MEMORYSTR): matched rule MacOS_Cryptominer_Xmrig_241780a1

Rule metadata (identical for every source above):
  • Linux_Trojan_Pornoasset_927f314f: reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
  • MacOS_Cryptominer_Xmrig_241780a1: reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
  • MAL_XMR_Miner_May19_1: date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
  • MALWARE_Win_CoinMiner02: author = ditekSHen, description = Detects coinmining malware
Source: xmrig.exe, static PE information: Number of sections : 11 > 10
Source: xmrig.exe, ReversingLabs: Detection: 78%
Source: xmrig.exe, Virustotal: Detection: 77%
Source: xmrig.exe, static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xmrig.exe, key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, process created: C:\Users\user\Desktop\xmrig.exe C:\Users\user\Desktop\xmrig.exe
Source: C:\Users\user\Desktop\xmrig.exe, process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe, mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: xmrig.exe, string found in binary or memory: --help
Source: xmrig.exe, string found in binary or memory: rget,jit_inst,jit_prefetch_vgpr_index,jit_vmcnt,batch_size); if(p-start_p>size_limit) { *(p++)=S_SETPC_B64_S12_13; return p; } } while (!done); } *(p++)=S_SETPC_B64_S12_13; return p; } __attribute__((reqd_work_group_size(64,1,1))) __kernel void randomx_jit(_
Source: xmrig.exe, string found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe, string found in binary or memory: a:c:kBp:Px:r:R:s:t:T:o:u:O:v:l:Sx:XMRig 6.20.0-h--help-V--version--versions--export-topology--print-platformsUsage: xmrig [OPTIONS] (the getopt option string and the adjacent version literal identify the build as XMRig 6.20.0)
Source: xmrig.exe, string found in binary or memory: if(p-start_p>size_limit)
Source: xmrig.exe, string found in binary or memory: id-cmc-addExtensions
Source: xmrig.exe, string found in binary or memory: set-addPolicy
Source: xmrig.exe, string found in binary or memory: crypto/store/loader_file.c
Source: xmrig.exe, string found in binary or memory: crypto/store/loader_file.cpass phrasePRIVATE KEYPUBLIC KEYPARAMETERSX509 CRLTRUSTED CERTIFICATEX509 CERTIFICATECERTIFICATEENCRYPTED PRIVATE KEYPKCS8 decrypt passwordPKCS12 import passwordfile:localhost/rb-----BEGIN %08lx/PEM'PEM type is 'file
Source: xmrig.exe, string found in binary or memory: %s: unexpected id `%s' not-starting with `obj', ignoring
Source: classification engine, classification label: mal80.mine.winEXE@2/1@0/0
Source: xmrig.exe, static file information: File size 8251392 > 1048576
Source: xmrig.exe, static PE information: Virtual size of .text is bigger than: 0x100000
Source: xmrig.exe, static PE information: Image base 0x140000000 > 0x60000000
Source: xmrig.exe, static PE information: Raw size of .text is bigger than: 0x100000 < 0x5f1000
Source: xmrig.exe, static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x15de00
Source: xmrig.exe, static PE information: More than 200 imports for KERNEL32.dll
Source: xmrig.exe, static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: xmrig.exe, static PE information: section name: .xdata
Source: C:\Windows\System32\conhost.exe, last function: Thread delayed
Source: C:\Users\user\Desktop\xmrig.exe, system information queried: CurrentTimeZoneInformation
Source: all processes, thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Two of the behavioural entries above are routine rather than suspicious: opening HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers is the Software Restriction Policies lookup that accompanies ordinary process start-up, and the CurrentTimeZoneInformation query is consistent with the local-time stamps in the miner's console log. Neither distinguishes this binary from a benign console application.
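The static observations in this section (11 sections, the .xdata section name, an image base of 0x140000000 above 0x60000000, a .text section larger than 0x100000 bytes, HIGH_ENTROPY_VA/DYNAMIC_BASE/NX_COMPAT) and the YARA string hits can be reproduced without the sandbox. The following is an added example, not code from the Joe Sandbox report or from XMRig: it parses the PE headers with the Python standard library only, applies those checks, and hunts for the indicator strings quoted in the YARA matches. The STANDARD_SECTIONS list and the three-string verdict threshold are this example's own choices, and the PE it builds when run without a file argument is a constructed skeleton for demonstration, not the analysed sample.

```python
"""Static triage of a PE file, mirroring the report's static signatures.

Added example, not part of the Joe Sandbox report or of XMRig. Standard
library only. STANDARD_SECTIONS and the verdict threshold are this example's
own assumptions; build_demo_pe() returns a constructed skeleton, not the sample.
"""
import struct

# Indicator strings quoted by the YARA matches in the report.
XMRIG_STRINGS = [b"donate.ssl.xmrig.com", b"XMRIG_VERSION", b"XMRIG_HOSTNAME",
                 b"mining.set_target", b"pool_wallet", b"\\\\.\\WinRing0_",
                 b"stratum+tcp://", b"cryptonight"]

# Section names this example treats as ordinary compiler output (own list, not the
# sandbox's); .xdata is deliberately absent because the report flagged it.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}

# IMAGE_DLLCHARACTERISTICS_* flags named in the report.
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT"}


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> PE -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    # ImageBase is a QWORD at +24 in PE32+, a DWORD at +28 in PE32.
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)  # same offset in both
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rawsize, "raw_ptr": rawptr})
    return {"machine": machine, "pe32plus": pe32plus, "image_base": image_base,
            "entry_point": image_base + entry_rva, "subsystem": subsystem,
            "dll_characteristics": [n for f, n in DLL_FLAGS.items() if dll_chars & f],
            "sections": sections}


def triage(data: bytes) -> dict:
    """Apply the report's static heuristics plus a hunt for the YARA indicator strings."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    findings = []
    if len(names) > 10:
        findings.append(f"PE file contains more sections than normal ({len(names)} > 10)")
    odd = [n for n in names if n not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    if pe["image_base"] > 0x60000000:
        findings.append(f"image base 0x{pe['image_base']:x} > 0x60000000")
    for s in pe["sections"]:
        if s["raw_size"] > 0x100000:
            findings.append(f"raw size of {s['name']} is bigger than 0x100000")
    hits = {s.decode(): data.count(s) for s in XMRIG_STRINGS if s in data}
    return {"pe": pe, "findings": findings, "string_hits": hits,
            "verdict": "xmrig-like" if len(hits) >= 3 else "inconclusive"}


def build_demo_pe() -> bytes:
    """Constructed PE32+ skeleton: 11 sections incl. .xdata, image base 0x140000000,
    CUI subsystem, the three DllCharacteristics flags, indicator strings in .text."""
    names = [b".text", b".data", b".rdata", b".pdata", b".xdata", b".bss",
             b".idata", b".CRT", b".tls", b".rsrc", b".reloc"]
    opt_size, e_lfanew = 240, 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x14D0)                  # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)             # ImageBase
    struct.pack_into("<HH", opt, 68, 3, 0x0020 | 0x0040 | 0x0100)  # CUI; HEVA|DYNBASE|NX
    body = b"\0".join(XMRIG_STRINGS) + b"\0"
    hdr_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(names)
    table = b""
    for i, n in enumerate(names):
        raw = len(body) if n == b".text" else 0
        table += struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), raw, 0x1000 * (i + 1),
                             raw, hdr_len if raw else 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    import json, sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    print(json.dumps(triage(blob), indent=2, default=str))
```

Run as `python pe_triage.py xmrig.exe` against a real file; without an argument it triages the constructed skeleton. The string hunt is deliberately crude (raw substring counts over the whole file) so that it reproduces what the string-based YARA rules see; a packed or encrypted dropper would need to be unpacked first, as the sandbox did for the 0.0 and 0.2 unpack entries.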
MITRE ATT&CK matrix

Only the cells that carry signature hits are listed; the remaining cells of the rendered matrix are empty placeholders for their tactic.
  • Execution: Command and Scripting Interpreter (2 signatures)
  • Privilege Escalation: Process Injection (1 signature)
  • Defense Evasion: Process Injection (1 signature)
  • Discovery: System Time Discovery (1 signature), System Information Discovery (1 signature)
Behavior graph (ID: 1315785, sample: xmrig.exe, start date: 28/09/2023, architecture: WINDOWS, score: 80)
  • xmrig.exe started
    • conhost.exe started
  Signatures shown on the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

Antivirus detection

Submitted file:
  • xmrig.exe: ReversingLabs 78%, label Win64.Trojan.Minerva
  • xmrig.exe: Avira 100%, label TR/YAV.Minerva.qosyp
  • xmrig.exe: Virustotal 77%
  • xmrig.exe: Joe Sandbox ML 100%
No antivirus matches in the other scanned categories.

URLs extracted from the sample (malicious: false, reputation: unknown for all four):
  • https://xmrig.com/benchmark/%s (source: xmrig.exe): Virustotal 0%, Avira URL Cloud safe
  • https://xmrig.com/wizard (source: xmrig.exe, ConDrv.0.dr): Virustotal 0%, Avira URL Cloud safe
  • https://xmrig.com/wizard%s (source: xmrig.exe): Virustotal 0%, Avira URL Cloud safe
  • https://xmrig.com/docs/algorithms (source: xmrig.exe): Virustotal 0%, Avira URL Cloud safe

No contacted domains. No contacted IPs.
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1315785
Start date and time: 2023-09-28 12:55:13 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: xmrig.exe
Detection: MAL
Classification: mal80.mine.winEXE@2/1@0/0
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Execution Graph export aborted for target xmrig.exe, PID 7316 because it is empty
  • Not all processes were analyzed, report is missing behavior information
No simulations. No context entries.
Dropped file: console output of xmrig.exe (ConDrv.0.dr)
Process: C:\Users\user\Desktop\xmrig.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 321
Entropy (8bit): 5.234772167479006
Encrypted: false
SSDEEP: 6:o9WCnCRRRG25zZvtrhCRM5zZvtrT4xTCRJ4FzZvtrT4Mpg6QIR/BJrXMnGTJzey:o0CnarhtrT4pRxrT4SRJJTMGgy
MD5: DF1958A8AA1825D42A88B050268056AC
SHA1: 838975AF87B2F77844866F35B7B8CD521DBEEBC6
SHA-256: 96378E92A446739C1F99E466A485DDF17A1CE50EBA592CB1A3746202C84B73F4
SHA-512: E5A6DAC2A61304187850F589CF35DCF161D681A5DEAAAE47C4AF7A1D0341F8DC18A47513F2C6CACA49BC50BA7947D170D73767A8675D2B480CE53C64D141B1E0
Malicious: false
Reputation: low
Preview (line terminators expanded):
  [2023-09-28 14:21:42.487] unable to open "C:\Users\user\Desktop\config.json"
  [2023-09-28 14:21:42.493] unable to open "C:\Users\user\.xmrig.json"
  [2023-09-28 14:21:42.496] unable to open "C:\Users\user\.config\xmrig.json"
  [2023-09-28 14:21:42.496] no valid configuration found, try https://xmrig.com/wizard
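The captured console output gives the exact order in which this build looks for its configuration: config.json beside the binary, then .xmrig.json and .config\xmrig.json under the user profile. An incident responder can turn that into a host hunt. The following is an added example, not code from the Joe Sandbox report or from XMRig: it checks those three locations, pulls pool URLs and wallet logins out of any config it finds using XMRig's documented pools[].url, pools[].user, pools[].pass and pools[].tls keys, and parses the log format itself. The log text is the preview above; the config the demo plants in a temporary directory is constructed with placeholder pool and wallet values.

```python
"""Hunt for XMRig config artifacts and extract pool/wallet IOCs.

Added example, not code from the Joe Sandbox report or from XMRig. The search
order comes from the captured console log; the config keys are XMRig's
documented config.json keys. SAMPLE_CONFIG is constructed with placeholders.
"""
import json
import re
import tempfile
from pathlib import Path

LOG_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] (.*)$")
OPEN_RE = re.compile(r'unable to open "([^"]+)"')

# Log lines as captured in the dropped file (CRLF/CR terminators expanded).
SAMPLE_LOG = (
    '[2023-09-28 14:21:42.487] unable to open "C:\\Users\\user\\Desktop\\config.json"\r\n'
    '[2023-09-28 14:21:42.493] unable to open "C:\\Users\\user\\.xmrig.json"\r\n'
    '[2023-09-28 14:21:42.496] unable to open "C:\\Users\\user\\.config\\xmrig.json"\r\n'
    '[2023-09-28 14:21:42.496] no valid configuration found, try https://xmrig.com/wizard\r\n'
)

# Constructed config shaped like XMRig's config.json (placeholder pool and wallet).
SAMPLE_CONFIG = {
    "autosave": True,
    "cpu": {"enabled": True},
    "pools": [
        {"url": "stratum+ssl://pool.example.invalid:443", "user": "WALLET_PLACEHOLDER",
         "pass": "x", "tls": True},
        {"url": "pool2.example.invalid:3333", "user": "WALLET_PLACEHOLDER", "pass": "x"},
    ],
}


def candidate_config_paths(exe_dir: Path, home: Path) -> list:
    """Search order observed in the log: exe directory, then two profile locations."""
    return [exe_dir / "config.json", home / ".xmrig.json", home / ".config" / "xmrig.json"]


def parse_log(text: str) -> list:
    """Split XMRig console output into timestamped events, noting config paths tried."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        tried = OPEN_RE.search(msg)
        events.append({"time": ts, "message": msg,
                       "config_path_tried": tried.group(1) if tried else None})
    return events


def extract_iocs(config: dict) -> dict:
    """Pull pool endpoints and wallet logins out of a parsed XMRig config."""
    pools = []
    for p in config.get("pools", []):
        if isinstance(p, dict) and p.get("url"):
            pools.append({"url": p["url"], "user": p.get("user"),
                          "tls": bool(p.get("tls")) or p["url"].startswith("stratum+ssl://")})
    return {"pools": pools, "wallets": sorted({p["user"] for p in pools if p["user"]})}


def hunt(exe_dir: Path, home: Path) -> dict:
    """Check each candidate path; return IOCs (or a parse error) per file found."""
    found = {}
    for path in candidate_config_paths(exe_dir, home):
        if not path.is_file():
            continue
        try:
            found[str(path)] = extract_iocs(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            found[str(path)] = {"error": str(exc)}
    return found


def demo() -> dict:
    """Plant the constructed config in a temporary profile and hunt for it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "profile"
        (home / ".config").mkdir(parents=True)
        (home / ".config" / "xmrig.json").write_text(json.dumps(SAMPLE_CONFIG), encoding="utf-8")
        return hunt(Path(tmp) / "desktop", home)


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["time"], ev["config_path_tried"] or ev["message"])
    print(json.dumps(demo(), indent=2))
```

On a live host, call hunt() with the directory the miner was found in and each user's profile directory; a config that is present turns a generic "XMRig was here" finding into concrete pool and wallet indicators that can be blocked and attributed.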
File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.631241366168512
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: xmrig.exe
File size: 8'251'392 bytes
MD5: 4813fa6d610e180b097eae0ce636d2aa
SHA1: 1e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA256: 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
SHA512: 5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa
SSDEEP: 98304:ZLsUYfB9pOp/BWLbrkShfa+XQD/YPLTDtU5SXXMQHJw7ZB87TtIeUK+MzfL7cybS:Kgp/NQ7rfWOlb1paSbkJFsxfKLNIS
TLSH: A8866C17F19350ECC56BC170861BA673F671F8691234BE6F2764DB342E22F905A2EB24
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....c.d...............&.._...}...2............@.............................0......L|~...`... ............................
Icon Hash: 0f3774c95856230f
Entrypoint: 0x1400014d0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x64A263DB [Mon Jul 3 05:59:55 2023 UTC]
TLS Callbacks: 0x4041d060, 0x1, 0x4041d030, 0x1, 0x404302c0, 0x1
CLR (.Net) Version: none
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 16bb67d62ee484974f9392fc52c45722
                Instruction
                dec eax
                sub esp, 28h
                dec eax
                mov eax, dword ptr [00743265h]
                mov dword ptr [eax], 00000000h
                call 00007F845D34211Fh
                nop
                nop
                dec eax
                add esp, 28h
                ret
                nop dword ptr [eax]
                dec eax
                sub esp, 28h
                call 00007F845D76E51Ch
                dec eax
                cmp eax, 01h
                sbb eax, eax
                dec eax
                add esp, 28h
                ret
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                dec eax
                lea ecx, dword ptr [00000009h]
                jmp 00007F845D342459h
                nop dword ptr [eax+00h]
                ret
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                nop
                inc ecx
                push ebp
                inc ecx
                push esp
                push ebp
                push edi
                push esi
                push ebx
                dec eax
                sub esp, 28h
                inc ecx
                mov eax, dword ptr [eax]
                dec ecx
                cmp dword ptr [ecx+18h], 00000000h
                dec esp
                mov ebp, dword ptr [esp+00000080h]
                dec eax
                mov ebp, dword ptr [esp+00000090h]
                mov dword ptr [ecx], eax
                inc ecx
                mov eax, dword ptr [ecx+04h]
                dec eax
                mov ebx, ecx
                dec esp
                mov esi, ecx
                setne byte ptr [ecx+08h]
                dec ecx
                mov esp, edx
                dec esp
                mov edi, eax
                mov dword ptr [ecx+04h], eax
                dec esp
                mov ecx, ecx
                call 00007F845D3CA9F0h
                dec esp
                mov dword ptr [ebx+18h], esp
                mov byte ptr [ebx+09h], al
                movzx eax, byte ptr [esi+0Bh]
                mov byte ptr [ebx+0Ah], al
                mov eax, dword ptr [esi+10h]
                mov dword ptr [ebx+0Ch], eax
                dec ecx
                mov eax, dword ptr [ebp+00h]
                dec eax
                mov dword ptr [ebx+10h], eax
                dec eax
                mov eax, dword ptr [esp+00000088h]
                Data directories

                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0xaed000         0x46d8        .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xaf4000         0x5ce8        .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x761000         0x2ee9c       .pdata
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xafa000         0x8e6c        .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0x741960         0x28          .rdata
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0xaee01c         0xf40         .idata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                Sections

                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                .text   0x1000           0x5f0aa0      0x5f1000  unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .data   0x5f2000         0x10460       0x10600   False     0.20272244751908397  data       3.295673930644331    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rdata  0x603000         0x15dce0      0x15de00  False     0.3762720781975706   data       6.453643246818058    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .pdata  0x761000         0x2ee9c       0x2f000   False     0.5192039976728723   data       6.366354446992787    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .xdata  0x790000         0x3b914       0x3ba00   False     0.22357344077568134  data       5.059190391956642    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .bss    0x7cc000         0x320ae0      0x0       unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata  0xaed000         0x46d8        0x4800    False     0.2824978298611111   data       4.800961618809213    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .CRT    0xaf2000         0x68          0x200     False     0.078125             data       0.40665232183492983  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .tls    0xaf3000         0x10          0x200     False     0.02734375           data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc   0xaf4000         0x5ce8        0x5ce8    False     0.3824840228725193   data       5.536267098733225    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .reloc  0xafa000         0x8e6c        0x9000    False     0.2554524739583333   data       5.451438735644192    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Resources

                Name           RVA       Size    Type                                                               Language  Country        ZLIB Complexity
                RT_ICON        0xaf41c0  0x18fb  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced        English   United States  0.965598123534011
                RT_ICON        0xaf5ac0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600   English   United States  0.1004149377593361
                RT_ICON        0xaf8068  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224   English   United States  0.1472795497185741
                RT_ICON        0xaf9110  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088   English   United States  0.3076241134751773
                RT_GROUP_ICON  0xaf9578  0x3e    data                                                               English   United States  0.8064516129032258
                RT_VERSION     0xaf95b8  0x28c   PGP symmetric key encrypted data - Plaintext or unencrypted data   English   United States  0.49233128834355827
                RT_MANIFEST    0xaf9848  0x48f   XML 1.0 document, ASCII text                                                                0.40102827763496146
                Imports (DLL: imported functions)

                ADVAPI32.dll: AdjustTokenPrivileges, AllocateAndInitializeSid, CloseServiceHandle, ControlService, CreateServiceW, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetProvParam, CryptGetUserKey, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeleteService, DeregisterEventSource, FreeSid, GetSecurityInfo, GetTokenInformation, GetUserNameW, LookupPrivilegeValueW, LsaAddAccountRights, LsaClose, LsaOpenPolicy, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceConfigA, QueryServiceStatus, RegCloseKey, RegGetValueW, RegOpenKeyExW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetEntriesInAclA, SetSecurityInfo, StartServiceW, SystemFunction036
                CRYPT32.dll: CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore
                IPHLPAPI.DLL: ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameW, GetAdaptersAddresses
                KERNEL32.dll: AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, AssignProcessToJobObject, CancelIo, CancelIoEx, CancelSynchronousIo, CloseHandle, ConnectNamedPipe, ConvertFiberToThread, ConvertThreadToFiber, CopyFileW, CreateDirectoryW, CreateEventA, CreateFiber, CreateFileA, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectW, CreateNamedPipeA, CreateNamedPipeW, CreateProcessW, CreateSemaphoreA, CreateSymbolicLinkW, CreateToolhelp32Snapshot, DebugBreak, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExpandEnvironmentStringsA, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, FindClose, FindFirstFileW, FindNextFileW, FindResourceW, FlushFileBuffers, FlushInstructionCache, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetComputerNameA, GetConsoleCursorInfo, GetConsoleMode, GetConsoleScreenBufferInfo, GetConsoleTitleW, GetConsoleWindow, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesA, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetHandleInformation, GetLargePageMinimum, GetLastError, GetLongPathNameW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeHandleStateA, GetNativeSystemInfo, GetNumberOfConsoleInputEvents, GetPriorityClass, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatus, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetSystemFirmwareTable, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTickCount64, GetVersion, GetVersionExA, GetVersionExW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, K32GetProcessMemoryInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MapViewOfFile, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryPerformanceCounter, QueryPerformanceFrequency, QueueUserWorkItem, RaiseException, ReOpenFile, ReadConsoleA, ReadConsoleInputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleMode, SetConsoleTextAttribute, SetConsoleTitleA, SetConsoleTitleW, SetCurrentDirectoryW, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileCompletionNotificationModes, SetFilePointerEx, SetFileTime, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetSystemTime, SetThreadAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TryAcquireSRWLockShared, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, UnregisterWaitEx, VerSetConditionMask, VerifyVersionInfoA, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeW, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleInputW, WriteConsoleW, WriteFile, __C_specific_handler
                msvcrt.dll: ___lc_codepage_func, ___mb_cur_max_func, __argv, __doserrno, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _beginthreadex, _cexit, _close, _close, _commode, _endthreadex, _errno, _exit, _fdopen, _filelengthi64, _fileno, _findclose, _fileno, _findfirst64, _findnext64, _fmode, _fstat64, _fullpath, _get_osfhandle, _gmtime64, _initterm, _isatty, _localtime64, _lock, _lseeki64, _mkdir, _onexit, _open, _open_osfhandle, _read, _read, _setjmp, _setmode, _snwprintf, _stat64, _stricmp, _strdup, _strdup, _strnicmp, _time64, _ultoa, _unlock, _umask, _vscprintf, _vsnprintf, _vsnwprintf, _wchmod, _wcsdup, _wcsnicmp, _wcsrev, _wfopen, _wopen, _write, _wrmdir, abort, atof, atoi, calloc, exit, fclose, feof, ferror, fflush, fgetpos, fgets, fopen, fprintf, fputc, fputs, fread, free, fseek, fsetpos, ftell, fwrite, getc, getenv, getwc, islower, isspace, isupper, iswctype, isxdigit, _write, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, putc, putwc, qsort, raise, realloc, rand, setlocale, setvbuf, signal, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcspn, strerror, strftime, strlen, strncmp, strncpy, strrchr, strspn, strstr, strtol, strtoul, strxfrm, tolower, toupper, towlower, towupper, ungetc, vfprintf, ungetwc, wcschr, wcscmp, wcscoll, wcscpy, wcsftime, wcslen, wcsncmp, wcsncpy, wcspbrk, wcsrchr, wcsstr, wcstombs, wcsxfrm
                ole32.dll: CoCreateInstance, CoInitializeEx, CoUninitialize
                SHELL32.dll: SHGetSpecialFolderPathA
                USER32.dll: DispatchMessageA, GetLastInputInfo, GetMessageA, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, MapVirtualKeyW, MessageBoxW, ShowWindow, TranslateMessage
                USERENV.dll: GetUserProfileDirectoryW
                WS2_32.dll: FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSASetLastError, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyname, gethostname, getnameinfo, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket
                Language of compilation system: English
                Country where language is spoken: United States
                No network behavior found
                Target ID:0
                Start time:12:55:57
                Start date:28/09/2023
                Path:C:\Users\user\Desktop\xmrig.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\Desktop\xmrig.exe
                Imagebase:0x7ff77de30000
                File size:8'251'392 bytes
                MD5 hash:4813FA6D610E180B097EAE0CE636D2AA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1011555114.000002A962752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.1008449141.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1011662894.000002A962895000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                • Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000000.00000000.1007101636.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                Target ID:2
                Start time:12:55:58
                Start date:28/09/2023
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff78b990000
                File size:873'472 bytes
                MD5 hash:86191D9E0E30631DB3E78E4645804358
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Executed Functions

                Memory Dump Source
                • Source File: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77DE30000, based on PE: true
                • Associated: 00000000.00000002.1011698225.00007FF77DE30000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012144562.00007FF77E422000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012167438.00007FF77E42D000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012186167.00007FF77E432000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012348647.00007FF77E5FC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012348647.00007FF77E89B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012460305.00007FF77E91D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012478249.00007FF77E91E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012494760.00007FF77E91F000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1012524759.00007FF77E92A000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff77de30000_xmrig.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3ca39de5f7ef5deae20502e6537778a1cc9962f35da2dcf194c9026bd8ea978b
                • Instruction ID: f44d718a5f35f4a53c17a5392ff80902343f9347a2b5df8caff3ce61b1ebfe86
                • Opcode Fuzzy Hash: 3ca39de5f7ef5deae20502e6537778a1cc9962f35da2dcf194c9026bd8ea978b
                • Instruction Fuzzy Hash: E5B0122293C349C0E7013F05EC4137C6220AB05B42FC04030C40C03351CEBC50114730
                Uniqueness Score: -1.00%