Edit tour

Windows Analysis Report
xmrig.exe

Overview

General Information

Sample Name:	xmrig.exe
Analysis ID:	1315785
MD5:	4813fa6d610e180b097eae0ce636d2aa
SHA1:	1e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA256:	9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
Tags:	exe
Infos:

Detection

Xmrig

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Found strings related to Crypto-Mining

Machine Learning detection for sample

Yara signature match

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

PE file contains more sections than normal

Potential time zone aware malware

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

xmrig.exe (PID: 7316 cmdline: C:\Users\user\Desktop\xmrig.exe MD5: 4813FA6D610E180B097EAE0CE636D2AA)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 86191D9E0E30631DB3E78E4645804358)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xmrig.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
xmrig.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x135558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
xmrig.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6120a9:$a1: mining.set_target 0x603d4a:$a2: XMRIG_HOSTNAME 0x606978:$a3: Usage: xmrig [OPTIONS] 0x603d24:$a4: XMRIG_VERSION
xmrig.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x65b89e:$x1: donate.ssl.xmrig.com 0x65bd79:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6ecf13:$s2: \\?\pipe\uv\%p-%lu
xmrig.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x65cf28:$s1: %s/%s (Windows NT %lu.%lu 0x6616a8:$s3: \\.\WinRing0_ 0x608aa2:$s4: pool_wallet 0x603170:$s5: cryptonight 0x60317e:$s5: cryptonight 0x60318d:$s5: cryptonight 0x60319b:$s5: cryptonight 0x6031b0:$s5: cryptonight 0x6031bf:$s5: cryptonight 0x6031cd:$s5: cryptonight 0x6031e2:$s5: cryptonight 0x6031f1:$s5: cryptonight 0x603202:$s5: cryptonight 0x603219:$s5: cryptonight 0x603227:$s5: cryptonight 0x603235:$s5: cryptonight 0x603245:$s5: cryptonight 0x603257:$s5: cryptonight 0x603268:$s5: cryptonight 0x603278:$s5: cryptonight 0x603288:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1011555114.000002A962752000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.1008449141.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.1011662894.000002A962895000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xfaa9:$a1: mining.set_target 0x174a:$a2: XMRIG_HOSTNAME 0x4378:$a3: Usage: xmrig [OPTIONS] 0x1724:$a4: XMRIG_VERSION
00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xfaa9:$a1: mining.set_target 0x174a:$a2: XMRIG_HOSTNAME 0x4378:$a3: Usage: xmrig [OPTIONS] 0x1724:$a4: XMRIG_VERSION
00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x134558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
00000000.00000000.1007101636.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x134558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Process Memory Space: xmrig.exe PID: 7316	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: xmrig.exe PID: 7316	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x26747:$a1: mining.set_target 0x20ce3:$a2: XMRIG_HOSTNAME 0x232f2:$a3: Usage: xmrig [OPTIONS] 0x20cbd:$a4: XMRIG_VERSION
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xmrig.exe.7ff77de30000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.0.xmrig.exe.7ff77de30000.0.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x135558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0.0.xmrig.exe.7ff77de30000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6120a9:$a1: mining.set_target 0x603d4a:$a2: XMRIG_HOSTNAME 0x606978:$a3: Usage: xmrig [OPTIONS] 0x603d24:$a4: XMRIG_VERSION
0.0.xmrig.exe.7ff77de30000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x65b89e:$x1: donate.ssl.xmrig.com 0x65bd79:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6ecf13:$s2: \\?\pipe\uv\%p-%lu
0.0.xmrig.exe.7ff77de30000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x65cf28:$s1: %s/%s (Windows NT %lu.%lu 0x6616a8:$s3: \\.\WinRing0_ 0x608aa2:$s4: pool_wallet 0x603170:$s5: cryptonight 0x60317e:$s5: cryptonight 0x60318d:$s5: cryptonight 0x60319b:$s5: cryptonight 0x6031b0:$s5: cryptonight 0x6031bf:$s5: cryptonight 0x6031cd:$s5: cryptonight 0x6031e2:$s5: cryptonight 0x6031f1:$s5: cryptonight 0x603202:$s5: cryptonight 0x603219:$s5: cryptonight 0x603227:$s5: cryptonight 0x603235:$s5: cryptonight 0x603245:$s5: cryptonight 0x603257:$s5: cryptonight 0x603268:$s5: cryptonight 0x603278:$s5: cryptonight 0x603288:$s5: cryptonight
0.2.xmrig.exe.7ff77de30000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.xmrig.exe.7ff77de30000.0.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x135558:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0.2.xmrig.exe.7ff77de30000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6120a9:$a1: mining.set_target 0x603d4a:$a2: XMRIG_HOSTNAME 0x606978:$a3: Usage: xmrig [OPTIONS] 0x603d24:$a4: XMRIG_VERSION
0.2.xmrig.exe.7ff77de30000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x65b89e:$x1: donate.ssl.xmrig.com 0x65bd79:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6ecf13:$s2: \\?\pipe\uv\%p-%lu
0.2.xmrig.exe.7ff77de30000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x65cf28:$s1: %s/%s (Windows NT %lu.%lu 0x6616a8:$s3: \\.\WinRing0_ 0x608aa2:$s4: pool_wallet 0x603170:$s5: cryptonight 0x60317e:$s5: cryptonight 0x60318d:$s5: cryptonight 0x60319b:$s5: cryptonight 0x6031b0:$s5: cryptonight 0x6031bf:$s5: cryptonight 0x6031cd:$s5: cryptonight 0x6031e2:$s5: cryptonight 0x6031f1:$s5: cryptonight 0x603202:$s5: cryptonight 0x603219:$s5: cryptonight 0x603227:$s5: cryptonight 0x603235:$s5: cryptonight 0x603245:$s5: cryptonight 0x603257:$s5: cryptonight 0x603268:$s5: cryptonight 0x603278:$s5: cryptonight 0x603288:$s5: cryptonight
Click to see the 5 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xmrig.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: xmrig.exe	ReversingLabs: Detection: 78%
Source: xmrig.exe	Virustotal: Detection: 77%			Perma Link

Machine Learning detection for sample

Source: xmrig.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: xmrig.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1011555114.000002A962752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1008449141.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1011662894.000002A962895000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xmrig.exe PID: 7316, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: xmrig.exe	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: xmrig.exe	String found in binary or memory: cryptonight-upx/2
Source: xmrig.exe	String found in binary or memory: -o, --url=URL URL of mining server
Source: xmrig.exe	String found in binary or memory: stratum+tcp://
Source: xmrig.exe	String found in binary or memory: Usage: xmrig [OPTIONS] Network:
Source: xmrig.exe	String found in binary or memory: Usage: xmrig [OPTIONS] Network:

Source: xmrig.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: xmrig.exe	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: xmrig.exe	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: xmrig.exe, ConDrv.0.dr	String found in binary or memory: https://xmrig.com/wizard
Source: xmrig.exe	String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Malicious sample detected (through community Yara rule)

Source: xmrig.exe, type: SAMPLE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: xmrig.exe, type: SAMPLE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: xmrig.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: xmrig.exe, type: SAMPLE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000000.00000000.1007101636.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: xmrig.exe PID: 7316, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown

Source: xmrig.exe, type: SAMPLE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: xmrig.exe, type: SAMPLE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: xmrig.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: xmrig.exe, type: SAMPLE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.0.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.2.xmrig.exe.7ff77de30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000000.00000000.1007101636.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: xmrig.exe PID: 7316, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25

Source: xmrig.exe

Static PE information: Number of sections : 11 > 10

Source: xmrig.exe	ReversingLabs: Detection: 78%
Source: xmrig.exe	Virustotal: Detection: 77%

Source: xmrig.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xmrig.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xmrig.exe C:\Users\user\Desktop\xmrig.exe
Source: C:\Users\user\Desktop\xmrig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03

Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: rget,jit_inst,jit_prefetch_vgpr_index,jit_vmcnt,batch_size); if(p-start_p>size_limit) { (p++)=S_SETPC_B64_S12_13; return p; } } while (!done); } (p++)=S_SETPC_B64_S12_13; return p; } __attribute__((reqd_work_group_size(64,1,1))) __kernel void randomx_jit(_
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: a:c:kBp:Px:r:R:s:t:T:o:u:O:v:l:Sx:XMRig 6.20.0-h--help-V--version--versions--export-topology--print-platformsUsage: xmrig [OPTIONS]
Source: xmrig.exe	String found in binary or memory: a:c:kBp:Px:r:R:s:t:T:o:u:O:v:l:Sx:XMRig 6.20.0-h--help-V--version--versions--export-topology--print-platformsUsage: xmrig [OPTIONS]
Source: xmrig.exe	String found in binary or memory: if(p-start_p>size_limit)
Source: xmrig.exe	String found in binary or memory: id-cmc-addExtensions
Source: xmrig.exe	String found in binary or memory: set-addPolicy
Source: xmrig.exe	String found in binary or memory: crypto/store/loader_file.c
Source: xmrig.exe	String found in binary or memory: crypto/store/loader_file.cpass phrasePRIVATE KEYPUBLIC KEYPARAMETERSX509 CRLTRUSTED CERTIFICATEX509 CERTIFICATECERTIFICATEENCRYPTED PRIVATE KEYPKCS8 decrypt passwordPKCS12 import passwordfile:localhost/rb-----BEGIN %08lx/PEM'PEM type is 'file
Source: xmrig.exe	String found in binary or memory: %s: unexpected id `%s' not-starting with `obj', ignoring

Source: classification engine

Classification label: mal80.mine.winEXE@2/1@0/0

Source: xmrig.exe

Static file information: File size 8251392 > 1048576

Source: xmrig.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xmrig.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xmrig.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5f1000
Source: xmrig.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x15de00

Source: xmrig.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: xmrig.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: xmrig.exe

Static PE information: section name: .xdata

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\xmrig.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xmrig.exe	78%	ReversingLabs	Win64.Trojan.Minerva
xmrig.exe	100%	Avira	TR/YAV.Minerva.qosyp
xmrig.exe	77%	Virustotal		Browse
xmrig.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://xmrig.com/benchmark/%s	0%	Virustotal		Browse
https://xmrig.com/wizard	0%	Virustotal		Browse
https://xmrig.com/docs/algorithms	0%	Virustotal		Browse
https://xmrig.com/wizard%s	0%	Virustotal		Browse
https://xmrig.com/benchmark/%s	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://xmrig.com/wizard%s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/benchmark/%s	xmrig.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	xmrig.exe, ConDrv.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/wizard%s	xmrig.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	xmrig.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1315785
Start date and time:	2023-09-28 12:55:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	xmrig.exe
Detection:	MAL
Classification:	mal80.mine.winEXE@2/1@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target xmrig.exe, PID 7316 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\xmrig.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.234772167479006
Encrypted:	false
SSDEEP:	6:o9WCnCRRRG25zZvtrhCRM5zZvtrT4xTCRJ4FzZvtrT4Mpg6QIR/BJrXMnGTJzey:o0CnarhtrT4pRxrT4SRJJTMGgy
MD5:	DF1958A8AA1825D42A88B050268056AC
SHA1:	838975AF87B2F77844866F35B7B8CD521DBEEBC6
SHA-256:	96378E92A446739C1F99E466A485DDF17A1CE50EBA592CB1A3746202C84B73F4
SHA-512:	E5A6DAC2A61304187850F589CF35DCF161D681A5DEAAAE47C4AF7A1D0341F8DC18A47513F2C6CACA49BC50BA7947D170D73767A8675D2B480CE53C64D141B1E0
Malicious:	false
Reputation:	low
Preview:	[2023-09-28 14:21:42.487] unable to open "C:\Users\user\Desktop\config.json"....[2023-09-28 14:21:42.493] unable to open "C:\Users\user\.xmrig.json"....[2023-09-28 14:21:42.496] unable to open "C:\Users\user\.config\xmrig.json"....[2023-09-28 14:21:42.496] no valid configuration found, try https://xmrig.com/wizard...

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.631241366168512
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	xmrig.exe
File size:	8'251'392 bytes
MD5:	4813fa6d610e180b097eae0ce636d2aa
SHA1:	1e9cd17ea32af1337dd9a664431c809dd8a64d76
SHA256:	9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc
SHA512:	5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa
SSDEEP:	98304:ZLsUYfB9pOp/BWLbrkShfa+XQD/YPLTDtU5SXXMQHJw7ZB87TtIeUK+MzfL7cybS:Kgp/NQ7rfWOlb1paSbkJFsxfKLNIS
TLSH:	A8866C17F19350ECC56BC170861BA673F671F8691234BE6F2764DB342E22F905A2EB24
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....c.d...............&.._...}...2............@.............................0......L\|~...`... ............................

File Icon


Icon Hash:	0f3774c95856230f

Static PE Info

General

Entrypoint:	0x1400014d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x64A263DB [Mon Jul 3 05:59:55 2023 UTC]
TLS Callbacks:	0x4041d060, 0x1, 0x4041d030, 0x1, 0x404302c0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	16bb67d62ee484974f9392fc52c45722

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00743265h]
mov dword ptr [eax], 00000000h
call 00007F845D34211Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F845D76E51Ch
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F845D342459h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
inc ecx
push ebp
inc ecx
push esp
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 28h
inc ecx
mov eax, dword ptr [eax]
dec ecx
cmp dword ptr [ecx+18h], 00000000h
dec esp
mov ebp, dword ptr [esp+00000080h]
dec eax
mov ebp, dword ptr [esp+00000090h]
mov dword ptr [ecx], eax
inc ecx
mov eax, dword ptr [ecx+04h]
dec eax
mov ebx, ecx
dec esp
mov esi, ecx
setne byte ptr [ecx+08h]
dec ecx
mov esp, edx
dec esp
mov edi, eax
mov dword ptr [ecx+04h], eax
dec esp
mov ecx, ecx
call 00007F845D3CA9F0h
dec esp
mov dword ptr [ebx+18h], esp
mov byte ptr [ebx+09h], al
movzx eax, byte ptr [esi+0Bh]
mov byte ptr [ebx+0Ah], al
mov eax, dword ptr [esi+10h]
mov dword ptr [ebx+0Ch], eax
dec ecx
mov eax, dword ptr [ebp+00h]
dec eax
mov dword ptr [ebx+10h], eax
dec eax
mov eax, dword ptr [esp+00000088h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaed000	0x46d8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaf4000	0x5ce8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x761000	0x2ee9c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xafa000	0x8e6c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x741960	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xaee01c	0xf40	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5f0aa0	0x5f1000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5f2000	0x10460	0x10600	False	0.20272244751908397	data	3.295673930644331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x603000	0x15dce0	0x15de00	False	0.3762720781975706	data	6.453643246818058	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x761000	0x2ee9c	0x2f000	False	0.5192039976728723	data	6.366354446992787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x790000	0x3b914	0x3ba00	False	0.22357344077568134	data	5.059190391956642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x7cc000	0x320ae0	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xaed000	0x46d8	0x4800	False	0.2824978298611111	data	4.800961618809213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xaf2000	0x68	0x200	False	0.078125	data	0.40665232183492983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xaf3000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xaf4000	0x5ce8	0x5ce8	False	0.3824840228725193	data	5.536267098733225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xafa000	0x8e6c	0x9000	False	0.2554524739583333	data	5.451438735644192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xaf41c0	0x18fb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.965598123534011
RT_ICON	0xaf5ac0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1004149377593361
RT_ICON	0xaf8068	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.1472795497185741
RT_ICON	0xaf9110	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3076241134751773
RT_GROUP_ICON	0xaf9578	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0xaf95b8	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States	0.49233128834355827
RT_MANIFEST	0xaf9848	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, AllocateAndInitializeSid, CloseServiceHandle, ControlService, CreateServiceW, CryptAcquireContextW, CryptCreateHash, CryptDecrypt, CryptDestroyHash, CryptDestroyKey, CryptEnumProvidersW, CryptExportKey, CryptGenRandom, CryptGetProvParam, CryptGetUserKey, CryptReleaseContext, CryptSetHashParam, CryptSignHashW, DeleteService, DeregisterEventSource, FreeSid, GetSecurityInfo, GetTokenInformation, GetUserNameW, LookupPrivilegeValueW, LsaAddAccountRights, LsaClose, LsaOpenPolicy, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceConfigA, QueryServiceStatus, RegCloseKey, RegGetValueW, RegOpenKeyExW, RegQueryValueExW, RegisterEventSourceW, ReportEventW, SetEntriesInAclA, SetSecurityInfo, StartServiceW, SystemFunction036
CRYPT32.dll	CertCloseStore, CertDuplicateCertificateContext, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenStore
IPHLPAPI.DLL	ConvertInterfaceIndexToLuid, ConvertInterfaceLuidToNameW, GetAdaptersAddresses
KERNEL32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, AssignProcessToJobObject, CancelIo, CancelIoEx, CancelSynchronousIo, CloseHandle, ConnectNamedPipe, ConvertFiberToThread, ConvertThreadToFiber, CopyFileW, CreateDirectoryW, CreateEventA, CreateFiber, CreateFileA, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateJobObjectW, CreateNamedPipeA, CreateNamedPipeW, CreateProcessW, CreateSemaphoreA, CreateSymbolicLinkW, CreateToolhelp32Snapshot, DebugBreak, DeleteCriticalSection, DeleteFiber, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExpandEnvironmentStringsA, FileTimeToSystemTime, FillConsoleOutputAttribute, FillConsoleOutputCharacterW, FindClose, FindFirstFileW, FindNextFileW, FindResourceW, FlushFileBuffers, FlushInstructionCache, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetComputerNameA, GetConsoleCursorInfo, GetConsoleMode, GetConsoleScreenBufferInfo, GetConsoleTitleW, GetConsoleWindow, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesA, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileSizeEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetHandleInformation, GetLargePageMinimum, GetLastError, GetLongPathNameW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNamedPipeHandleStateA, GetNativeSystemInfo, GetNumberOfConsoleInputEvents, GetPriorityClass, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatus, GetShortPathNameW, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetSystemFirmwareTable, GetSystemInfo, GetSystemPowerStatus, GetSystemTime, GetSystemTimeAdjustment, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadPriority, GetThreadTimes, GetTickCount, GetTickCount64, GetVersion, GetVersionExA, GetVersionExW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, InitializeConditionVariable, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSRWLock, IsDBCSLeadByteEx, IsDebuggerPresent, K32GetProcessMemoryInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LockResource, MapViewOfFile, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PeekNamedPipe, PostQueuedCompletionStatus, Process32First, Process32Next, QueryPerformanceCounter, QueryPerformanceFrequency, QueueUserWorkItem, RaiseException, ReOpenFile, ReadConsoleA, ReadConsoleInputW, ReadConsoleW, ReadDirectoryChangesW, ReadFile, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSRWLockShared, ReleaseSemaphore, RemoveDirectoryW, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetConsoleCtrlHandler, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleMode, SetConsoleTextAttribute, SetConsoleTitleA, SetConsoleTitleW, SetCurrentDirectoryW, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileCompletionNotificationModes, SetFilePointerEx, SetFileTime, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetPriorityClass, SetProcessAffinityMask, SetSystemTime, SetThreadAffinityMask, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SizeofResource, Sleep, SleepConditionVariableCS, SuspendThread, SwitchToFiber, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TryAcquireSRWLockShared, TryEnterCriticalSection, UnmapViewOfFile, UnregisterWait, UnregisterWaitEx, VerSetConditionMask, VerifyVersionInfoA, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitNamedPipeW, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleInputW, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argv, __doserrno, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _assert, _beginthreadex, _cexit, _close, _close, _commode, _endthreadex, _errno, _exit, _fdopen, _filelengthi64, _fileno, _findclose, _fileno, _findfirst64, _findnext64, _fmode, _fstat64, _fullpath, _get_osfhandle, _gmtime64, _initterm, _isatty, _localtime64, _lock, _lseeki64, _mkdir, _onexit, _open, _open_osfhandle, _read, _read, _setjmp, _setmode, _snwprintf, _stat64, _stricmp, _strdup, _strdup, _strnicmp, _time64, _ultoa, _unlock, _umask, _vscprintf, _vsnprintf, _vsnwprintf, _wchmod, _wcsdup, _wcsnicmp, _wcsrev, _wfopen, _wopen, _write, _wrmdir, abort, atof, atoi, calloc, exit, fclose, feof, ferror, fflush, fgetpos, fgets, fopen, fprintf, fputc, fputs, fread, free, fseek, fsetpos, ftell, fwrite, getc, getenv, getwc, islower, isspace, isupper, iswctype, isxdigit, _write, localeconv, longjmp, malloc, memchr, memcmp, memcpy, memmove, memset, printf, putc, putwc, qsort, raise, realloc, rand, setlocale, setvbuf, signal, sprintf, srand, strcat, strchr, strcmp, strcoll, strcpy, strcspn, strerror, strftime, strlen, strncmp, strncpy, strrchr, strspn, strstr, strtol, strtoul, strxfrm, tolower, toupper, towlower, towupper, ungetc, vfprintf, ungetwc, wcschr, wcscmp, wcscoll, wcscpy, wcsftime, wcslen, wcsncmp, wcsncpy, wcspbrk, wcsrchr, wcsstr, wcstombs, wcsxfrm
ole32.dll	CoCreateInstance, CoInitializeEx, CoUninitialize
SHELL32.dll	SHGetSpecialFolderPathA
USER32.dll	DispatchMessageA, GetLastInputInfo, GetMessageA, GetProcessWindowStation, GetSystemMetrics, GetUserObjectInformationW, MapVirtualKeyW, MessageBoxW, ShowWindow, TranslateMessage
USERENV.dll	GetUserProfileDirectoryW
WS2_32.dll	FreeAddrInfoW, GetAddrInfoW, WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAGetOverlappedResult, WSAIoctl, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSASetLastError, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyname, gethostname, getnameinfo, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, shutdown, socket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• xmrig.exe
• conhost.exe

Click to jump to process

Memory Usage

• xmrig.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: xmrig.exePID: 7316, Parent PID: 4884

Function Logs

General

Target ID:	0
Start time:	12:55:57
Start date:	28/09/2023
Path:	C:\Users\user\Desktop\xmrig.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\xmrig.exe
Imagebase:	0x7ff77de30000
File size:	8'251'392 bytes
MD5 hash:	4813FA6D610E180B097EAE0CE636D2AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1011555114.000002A962752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.1008449141.00007FF77E924000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1011662894.000002A962895000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000000.1008242130.00007FF77E433000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000000.00000000.1007101636.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Value Queried

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7356, Parent PID: 7316

Function Logs

General

Target ID:	2
Start time:	12:55:58
Start date:	28/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff78b990000
File size:	873'472 bytes
MD5 hash:	86191D9E0E30631DB3E78E4645804358
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: xmrig.exePID: 7316, Parent PID: 4884COMMON

Executed Functions

Function 00007FF77DE314D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1011729196.00007FF77DE31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77DE30000, based on PE: true

Associated: 00000000.00000002.1011698225.00007FF77DE30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012144562.00007FF77E422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012167438.00007FF77E42D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012186167.00007FF77E432000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012215480.00007FF77E433000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012348647.00007FF77E5FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012348647.00007FF77E89B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012460305.00007FF77E91D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012478249.00007FF77E91E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012494760.00007FF77E91F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012494760.00007FF77E924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1012524759.00007FF77E92A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77de30000_xmrig.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca39de5f7ef5deae20502e6537778a1cc9962f35da2dcf194c9026bd8ea978b
Instruction ID: f44d718a5f35f4a53c17a5392ff80902343f9347a2b5df8caff3ce61b1ebfe86
Opcode Fuzzy Hash: 3ca39de5f7ef5deae20502e6537778a1cc9962f35da2dcf194c9026bd8ea978b
Instruction Fuzzy Hash: E5B0122293C349C0E7013F05EC4137C6220AB05B42FC04030C40C03351CEBC50114730

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xmrig.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: xmrig.exePID: 7316, Parent PID: 4884

General

File Activities

File Opened

Windows Analysis Report
xmrig.exe