Edit tour

Windows Analysis Report
xmrig.exe

Overview

General Information

Sample name:	xmrig.exe
Analysis ID:	1374095
MD5:	edbbe60d5fc43c859be7363de9eb5798
SHA1:	7234f3293e278fea274d64e7872bd7b6aaf3a0ee
SHA256:	cbc0c90dfd9f0a4c60d50b18802a3b62724706d819a6cb7940c73f4f6cb7b319
Tags:	CoinMinerexexmrig
Infos:

Detection

Xmrig

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Found strings related to Crypto-Mining

Machine Learning detection for sample

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

xmrig.exe (PID: 6836 cmdline: C:\Users\user\Desktop\xmrig.exe MD5: EDBBE60D5FC43C859BE7363DE9EB5798)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xmrig.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
xmrig.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x290ef8:$x1: donate.ssl.xmrig.com
xmrig.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x292598:$s1: %s/%s (Windows NT %lu.%lu 0x28e7b0:$s4: pool_wallet 0x28acd8:$s5: cryptonight 0x28ace8:$s5: cryptonight 0x28acf8:$s5: cryptonight 0x28ad08:$s5: cryptonight 0x28ad20:$s5: cryptonight 0x28ad30:$s5: cryptonight 0x28ad40:$s5: cryptonight 0x28ad58:$s5: cryptonight 0x28ad68:$s5: cryptonight 0x28ad80:$s5: cryptonight 0x28ad98:$s5: cryptonight 0x28ada8:$s5: cryptonight 0x28adb8:$s5: cryptonight 0x28adc8:$s5: cryptonight 0x28ade0:$s5: cryptonight 0x28adf8:$s5: cryptonight 0x28ae08:$s5: cryptonight 0x28ae18:$s5: cryptonight 0x28ae28:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1680856802.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: xmrig.exe PID: 6836	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xmrig.exe.7ff77bf10000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.xmrig.exe.7ff77bf10000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.0.xmrig.exe.7ff77bf10000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x290ef8:$x1: donate.ssl.xmrig.com
0.0.xmrig.exe.7ff77bf10000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x292598:$s1: %s/%s (Windows NT %lu.%lu 0x28e7b0:$s4: pool_wallet 0x28acd8:$s5: cryptonight 0x28ace8:$s5: cryptonight 0x28acf8:$s5: cryptonight 0x28ad08:$s5: cryptonight 0x28ad20:$s5: cryptonight 0x28ad30:$s5: cryptonight 0x28ad40:$s5: cryptonight 0x28ad58:$s5: cryptonight 0x28ad68:$s5: cryptonight 0x28ad80:$s5: cryptonight 0x28ad98:$s5: cryptonight 0x28ada8:$s5: cryptonight 0x28adb8:$s5: cryptonight 0x28adc8:$s5: cryptonight 0x28ade0:$s5: cryptonight 0x28adf8:$s5: cryptonight 0x28ae08:$s5: cryptonight 0x28ae18:$s5: cryptonight 0x28ae28:$s5: cryptonight
0.2.xmrig.exe.7ff77bf10000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x290ef8:$x1: donate.ssl.xmrig.com
0.2.xmrig.exe.7ff77bf10000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x292598:$s1: %s/%s (Windows NT %lu.%lu 0x28e7b0:$s4: pool_wallet 0x28acd8:$s5: cryptonight 0x28ace8:$s5: cryptonight 0x28acf8:$s5: cryptonight 0x28ad08:$s5: cryptonight 0x28ad20:$s5: cryptonight 0x28ad30:$s5: cryptonight 0x28ad40:$s5: cryptonight 0x28ad58:$s5: cryptonight 0x28ad68:$s5: cryptonight 0x28ad80:$s5: cryptonight 0x28ad98:$s5: cryptonight 0x28ada8:$s5: cryptonight 0x28adb8:$s5: cryptonight 0x28adc8:$s5: cryptonight 0x28ade0:$s5: cryptonight 0x28adf8:$s5: cryptonight 0x28ae08:$s5: cryptonight 0x28ae18:$s5: cryptonight 0x28ae28:$s5: cryptonight
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xmrig.exe	ReversingLabs: Detection: 66%
Source: xmrig.exe	Virustotal: Detection: 65%			Perma Link

Machine Learning detection for sample

Source: xmrig.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: xmrig.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680856802.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xmrig.exe PID: 6836, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: xmrig.exe, 00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: xmrig.exe, 00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: cryptonight/0
Source: xmrig.exe, 00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: stratum+tcp://
Source: xmrig.exe, 00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: xmrig.exe	String found in binary or memory: XMRig Stratum proxy

Source: xmrig.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: xmrig.exe

String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Malicious sample detected (through community Yara rule)

Source: xmrig.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: xmrig.exe, type: SAMPLE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.0.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.2.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.2.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen

Source: xmrig.exe	Binary or memory string: OriginalFilename vs xmrig.exe
Source: xmrig.exe, 00000000.00000002.1681169396.00007FF77C472000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexmrig-proxy.exe8 vs xmrig.exe
Source: xmrig.exe	Binary or memory string: OriginalFilenamexmrig-proxy.exe8 vs xmrig.exe

Source: xmrig.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: xmrig.exe, type: SAMPLE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.0.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.0.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.2.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.2.xmrig.exe.7ff77bf10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: classification engine

Classification label: mal72.mine.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03

Source: xmrig.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xmrig.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xmrig.exe	ReversingLabs: Detection: 66%
Source: xmrig.exe	Virustotal: Detection: 65%

Source: xmrig.exe	String found in binary or memory: id-cmc-addExtensions
Source: xmrig.exe	String found in binary or memory: set-addPolicy
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: --help--version--versions%s
Source: xmrig.exe	String found in binary or memory: --help--version--versions%s

Source: unknown	Process created: C:\Users\user\Desktop\xmrig.exe C:\Users\user\Desktop\xmrig.exe
Source: C:\Users\user\Desktop\xmrig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: xmrig.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xmrig.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xmrig.exe

Static file information: File size 3026944 > 1048576

Source: xmrig.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f5600

Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: xmrig.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: xmrig.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: xmrig.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\xmrig.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\xmrig.exe

Code function: 0_2_00007FF77C0D5340 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77C0D5340

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	11 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xmrig.exe	67%	ReversingLabs	Win64.Trojan.Generic
xmrig.exe	65%	Virustotal		Browse
xmrig.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/docs/algorithms	xmrig.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1374095
Start date and time:	2024-01-13 02:00:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xmrig.exe
Detection:	MAL
Classification:	mal72.mine.winEXE@2/1@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target xmrig.exe, PID 6836 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\xmrig.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	5.011873788441259
Encrypted:	false
SSDEEP:	6:o9ZX9S5MCwvG25zZvcXxCwMbyvcXkpCwZgyvcXk6g6QIR/BLln:oLX9S5MtiXxtSDXkptZgDXkSRJR
MD5:	83E3B66B76959693FDFF9154BED34D6B
SHA1:	0727BD9F7263CEAC5ADC37001D6D623232EE2C39
SHA-256:	98E7BB343B1C17621CDFFD10D47CAA23C01F1F56AE2456C82398025DE9586DCF
SHA-512:	95DFB34EE53AAAAD9E09E674EA91A521198C4BE6C92FF8091D9C9BA7C65ECE7A19622EF3B9871E53F70E97176641401671FC9F7FB6493C96345E608E86B92DE1
Malicious:	false
Reputation:	low
Preview:	[2024-01-13 03:02:39.997] unable to open "C:\Users\user\Desktop\config.json"....[2024-01-13 03:02:40.003] unable to open "C:\Users\user\.xmrig-proxy.json"....[2024-01-13 03:02:40.006] unable to open "C:\Users\user\.config\xmrig-proxy.json"....[2024-01-13 03:02:40.006] no valid configuration found....

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.499610732874672
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xmrig.exe
File size:	3'026'944 bytes
MD5:	edbbe60d5fc43c859be7363de9eb5798
SHA1:	7234f3293e278fea274d64e7872bd7b6aaf3a0ee
SHA256:	cbc0c90dfd9f0a4c60d50b18802a3b62724706d819a6cb7940c73f4f6cb7b319
SHA512:	03c3e5ec331ef85179d3e9415ced244debe849654cb966d3a8937692d4609132ff82d22eaf1f58c18801bb93090c87b897c5418b2933c423827778abc775eba6
SSDEEP:	49152:UI3SAT1kBuJ+ybYpqYOBFOpTqj9l2WjGoWjymlhvCjPyFkbyPFLFZWZ:PMybY6QymlhGPyKeLFZE
TLSH:	ADE59E66A3A800E8D9B7C17CC9529613E7F2B8551370ABDB17B45B7A0F236E51E3E700
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........U.T.4...4...4...\...4...\...4...\...4...[...4...A...4...A...4...A...4...\...4...4...5...A...6...A...4...A...4...4b..4...A...4.

File Icon


Icon Hash:	0f3774c95856230f

Static PE Info

General

Entrypoint:	0x1401c4dfc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x655F562F [Thu Nov 23 13:39:59 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	84c9afe62381050c8e60fdde0555e7e2

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F21692D99D0h
dec eax
add esp, 28h
jmp 00007F21692D9307h
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007F21692D94A8h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b4f8c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57c000	0x59f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x562000	0x18474	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x582000	0x712c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2944a8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x294680	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2944d0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f7000	0x890	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f5430	0x1f5600	False	0.5046152377835951	zlib compressed data	6.442213834626741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1f7000	0xbfc62	0xbfe00	False	0.4385306392508143	data	5.797275888746014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b7000	0x2aa094	0x8400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x562000	0x18474	0x18600	False	0.481229967948718	data	6.228042946168975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x57b000	0xf4	0x200	False	0.3125	data	2.4605873927629287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x57c000	0x59f0	0x5a00	False	0.38255208333333335	data	5.43336567966129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x582000	0x712c	0x7200	False	0.27175849780701755	data	5.4461421685030205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x57c1c0	0x18fb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.965598123534011
RT_ICON	0x57dac0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1004149377593361
RT_ICON	0x580068	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.1472795497185741
RT_ICON	0x581110	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3076241134751773
RT_GROUP_ICON	0x581578	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x5815b8	0x2b4	data	English	United States	0.48121387283236994
RT_MANIFEST	0x581870	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WS2_32.dll	getpeername, htons, ntohs, select, WSARecvFrom, WSASocketW, WSASend, WSARecv, WSAIoctl, WSADuplicateSocketW, shutdown, gethostname, FreeAddrInfoW, GetAddrInfoW, htonl, socket, setsockopt, listen, closesocket, bind, WSACleanup, WSAStartup, getsockopt, getsockname, ioctlsocket, WSAGetLastError, WSASetLastError, send, recv
IPHLPAPI.DLL	GetAdaptersAddresses
USERENV.dll	GetUserProfileDirectoryW
CRYPT32.dll	CertGetCertificateContextProperty, CertFreeCertificateContext, CertDuplicateCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore
KERNEL32.dll	RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, IsDebuggerPresent, RaiseException, LoadLibraryExW, SetStdHandle, GetCommandLineA, GetCommandLineW, GetDriveTypeW, WriteConsoleW, SetConsoleTitleA, GetStdHandle, SetConsoleMode, GetConsoleMode, QueryPerformanceFrequency, QueryPerformanceCounter, SizeofResource, LockResource, LoadResource, FindResourceW, MultiByteToWideChar, GetCurrentProcess, Sleep, GetCurrentThread, GetProcAddress, GetModuleHandleW, CloseHandle, FreeConsole, GetConsoleWindow, SetLastError, GetLastError, GetSystemTime, SystemTimeToFileTime, GetModuleHandleExW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SwitchToFiber, DeleteFiber, CreateFiber, FindClose, FindFirstFileW, FindNextFileW, WideCharToMultiByte, GetFileType, WriteFile, ConvertFiberToThread, ConvertThreadToFiber, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeLibrary, LoadLibraryA, LoadLibraryW, GetEnvironmentVariableW, ReadConsoleA, ReadConsoleW, PostQueuedCompletionStatus, CreateFileA, CreateFileW, DuplicateHandle, SetEvent, ResetEvent, WaitForSingleObject, CreateEventA, QueueUserWorkItem, RegisterWaitForSingleObject, UnregisterWait, GetNumberOfConsoleInputEvents, ReadConsoleInputW, FillConsoleOutputCharacterW, FillConsoleOutputAttribute, GetConsoleCursorInfo, SetConsoleCursorInfo, GetConsoleScreenBufferInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, WriteConsoleInputW, CreateDirectoryW, FlushFileBuffers, SystemTimeToTzSpecificLocalTime, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFinalPathNameByHandleW, GetFullPathNameW, ReadFile, RemoveDirectoryW, SetFilePointerEx, SetFileTime, DeviceIoControl, GetSystemInfo, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, CreateFileMappingA, ReOpenFile, CopyFileW, MoveFileExW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, InitializeCriticalSection, SetConsoleCtrlHandler, GetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, CreateIoCompletionPort, ReadDirectoryChangesW, VerSetConditionMask, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetCurrentDirectoryW, GetTempPathW, GlobalMemoryStatusEx, RtlUnwind, VerifyVersionInfoA, FileTimeToSystemTime, K32GetProcessMemoryInfo, SetHandleInformation, CancelIoEx, CancelIo, SwitchToThread, SetFileCompletionNotificationModes, SetErrorMode, GetQueuedCompletionStatus, ConnectNamedPipe, SetNamedPipeHandleState, PeekNamedPipe, CreateNamedPipeW, CancelSynchronousIo, LocalFree, GetNamedPipeHandleStateA, TerminateProcess, GetExitCodeProcess, UnregisterWaitEx, LCMapStringW, DebugBreak, FormatMessageA, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryEnterCriticalSection, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, ReleaseSemaphore, ResumeThread, GetNativeSystemInfo, CreateSemaphoreA, GetModuleHandleA, LoadLibraryExA, GetStartupInfoW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, CreateEventW, GetStringTypeW, ExitProcess, GetFileAttributesExW, SetFileAttributesW, GetConsoleCP, CreateThread, ExitThread, FreeLibraryAndExitThread, HeapAlloc, HeapFree, CompareStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetProcessHeap, HeapSize, SetEndOfFile, GetDiskFreeSpaceW, GetModuleFileNameW, InitializeCriticalSectionEx, WaitForSingleObjectEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo
USER32.dll	MessageBoxW, ShowWindow, GetSystemMetrics, MapVirtualKeyW, DispatchMessageA, TranslateMessage, GetMessageA, GetProcessWindowStation, GetUserObjectInformationW
ADVAPI32.dll	SystemFunction036, GetUserNameW, OpenProcessToken, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, DeregisterEventSource
bcrypt.dll	BCryptGenRandom

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• xmrig.exe
• conhost.exe

Click to jump to process

Memory Usage

• xmrig.exe
• conhost.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: xmrig.exePID: 6836, Parent PID: 2580

Function Logs

General

Target ID:	0
Start time:	02:01:01
Start date:	13/01/2024
Path:	C:\Users\user\Desktop\xmrig.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\xmrig.exe
Imagebase:	0x7ff77bf10000
File size:	3'026'944 bytes
MD5 hash:	EDBBE60D5FC43C859BE7363DE9EB5798
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.1680856802.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.1677812078.00007FF77C107000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6860, Parent PID: 6836

Function Logs

General

Target ID:	1
Start time:	02:01:01
Start date:	13/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xmrig.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: xmrig.exePID: 6836, Parent PID: 2580

General

File Activities

File Opened

File Created

Windows Analysis Report
xmrig.exe