Play interactive tour

Edit tour

Windows Analysis Report xmrig.exe

Overview

General Information

Sample Name:	xmrig.exe
Analysis ID:	495011
MD5:	0e2431a09f5aae6d9f436e62eb41ed69
SHA1:	72952d136bbcb52b690dbc1abae72141068cc824
SHA256:	f1bf0e4475a869d62580e17be7add63ba1407f8afc6c01dd203f7dfe05914950
Infos:
Most interesting Screenshot:

Detection

Xmrig

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Malicious sample detected (through community Yara rule)

Found strings related to Crypto-Mining

Potential time zone aware malware

Yara signature match

Sample file is different than original file name gathered from version info

PE file contains strange resources

PE file contains sections with non-standard names

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

xmrig.exe (PID: 1052 cmdline: 'C:\Users\user\Desktop\xmrig.exe' MD5: 0E2431A09F5AAE6D9F436E62EB41ED69)

conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
xmrig.exe	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth	0x1e4988:$x1: xmrig.exe 0x1e4878:$x2: xmrig.com 0x1e494c:$x2: xmrig.com
xmrig.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x1a7631:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
xmrig.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.648069559.00007FF69ED76000.00000002.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.649585296.000001BB9ED16000.00000004.00000020.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.650401118.00007FF69ED76000.00000002.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.649570365.000001BB9ED00000.00000004.00000020.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.650259516.00007FF69EA80000.00000002.00020000.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1c938:$s1: stratum+tcp://
00000000.00000002.650259516.00007FF69EA80000.00000002.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1c938:$s1: stratum+tcp://
00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: xmrig.exe PID: 1052	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18f19:$s1: stratum+tcp:// 0x18f41:$s1: stratum+tcp://
Process Memory Space: xmrig.exe PID: 1052	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.xmrig.exe.7ff69e900000.0.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth	0x1e4988:$x1: xmrig.exe 0x1e4878:$x2: xmrig.com 0x1e494c:$x2: xmrig.com
0.2.xmrig.exe.7ff69e900000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x1a7631:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
0.2.xmrig.exe.7ff69e900000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.0.xmrig.exe.7ff69e900000.0.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth	0x1e4988:$x1: xmrig.exe 0x1e4878:$x2: xmrig.com 0x1e494c:$x2: xmrig.com
0.0.xmrig.exe.7ff69e900000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x1a7631:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
0.0.xmrig.exe.7ff69e900000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

• AV Detection
• Bitcoin Miner
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: xmrig.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: xmrig.exe	Virustotal: Detection: 70%	Perma Link
Source: xmrig.exe	Metadefender: Detection: 35%	Perma Link
Source: xmrig.exe	ReversingLabs: Detection: 74%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: xmrig.exe, type: SAMPLE
Source: Yara match	File source: 0.2.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.648069559.00007FF69ED76000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649585296.000001BB9ED16000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.650401118.00007FF69ED76000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649570365.000001BB9ED00000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.650259516.00007FF69EA80000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xmrig.exe PID: 1052, type: MEMORYSTR

Found strings related to Crypto-Mining

Show sources

Source: xmrig.exe, 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	String found in binary or memory: stratum+tcp://
Source: xmrig.exe, 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	String found in binary or memory: cryptonight/0
Source: xmrig.exe, 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	String found in binary or memory: stratum+tcp://
Source: xmrig.exe, 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: xmrig.exe, 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: xmrig.exe	String found in binary or memory: XMRig miner

Source: xmrig.exe

Static PE information: certificate valid

Source: xmrig.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: xmrig.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crl0
Source: xmrig.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crt0#
Source: xmrig.exe	String found in binary or memory: http://ocsp.sectigo.com0&
Source: xmrig.exe	String found in binary or memory: https://sectigo.com/CPS0U
Source: xmrig.exe	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: xmrig.exe	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: xmrig.exe, ConDrv.0.dr	String found in binary or memory: https://xmrig.com/wizard
Source: xmrig.exe	String found in binary or memory: https://xmrig.com/wizard%s

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: xmrig.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.2.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth

Source: xmrig.exe, type: SAMPLE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: xmrig.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0.2.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 0.2.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0.0.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth, description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 0.0.xmrig.exe.7ff69e900000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000000.00000002.650259516.00007FF69EA80000.00000002.00020000.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: Process Memory Space: xmrig.exe PID: 1052, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address

Source: xmrig.exe

Binary or memory string: OriginalFilename vs xmrig.exe

Source: xmrig.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: xmrig.exe	Virustotal: Detection: 70%
Source: xmrig.exe	Metadefender: Detection: 35%
Source: xmrig.exe	ReversingLabs: Detection: 74%

Source: C:\Users\user\Desktop\xmrig.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xmrig.exe 'C:\Users\user\Desktop\xmrig.exe'
Source: C:\Users\user\Desktop\xmrig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01

Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: -h, --help display this help and exit
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: --help
Source: xmrig.exe	String found in binary or memory: --help--version--export-topology%s
Source: xmrig.exe	String found in binary or memory: --help--version--export-topology%s

Source: classification engine

Classification label: mal80.evad.mine.winEXE@2/1@0/0

Source: xmrig.exe

Static file information: File size 1998512 > 1048576

Source: xmrig.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: xmrig.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: xmrig.exe

Static PE information: certificate valid

Source: xmrig.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17ea00

Source: xmrig.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xmrig.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: xmrig.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: xmrig.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xmrig.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: xmrig.exe	Static PE information: section name: _RANDOMX
Source: xmrig.exe	Static PE information: section name: _TEXT_CN
Source: xmrig.exe	Static PE information: section name: _TEXT_CN
Source: xmrig.exe	Static PE information: section name: _RDATA

Malware Analysis System Evasion:

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\xmrig.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\xmrig.exe

Code function: 0_2_00007FF69EA2E318 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF69EA2E318

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	System Time Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xmrig.exe	71%	Virustotal		Browse
xmrig.exe	35%	Metadefender		Browse
xmrig.exe	74%	ReversingLabs	Win64.Trojan.Miner
xmrig.exe	100%	Avira	HEUR/AGEN.1134782

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.xmrig.exe.7ff69e900000.0.unpack	100%	Avira	HEUR/AGEN.1134782		Download File
0.2.xmrig.exe.7ff69e900000.0.unpack	100%	Avira	HEUR/AGEN.1134782		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crl0	1%	Virustotal		Browse
http://crl.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crl0	0%	Avira URL Cloud	safe
https://xmrig.com/benchmark/%s	0%	URL Reputation	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
http://ocsp.sectigo.com0&	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0U	0%	URL Reputation	safe
https://xmrig.com/wizard%s	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crt0#	3%	Virustotal		Browse
http://crt.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crt0#	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crl0	xmrig.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/benchmark/%s	xmrig.exe	false	URL Reputation: safe	unknown
https://xmrig.com/wizard	xmrig.exe, ConDrv.0.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0&	xmrig.exe	false	Avira URL Cloud: safe	low
https://sectigo.com/CPS0U	xmrig.exe	false	URL Reputation: safe	unknown
https://xmrig.com/wizard%s	xmrig.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSAExtendedValidationCodeSigningCA.crt0#	xmrig.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	xmrig.exe	false	URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	495011
Start date:	01.10.2021
Start time:	10:23:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xmrig.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.evad.mine.winEXE@2/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 50%) Quality average: 50% Quality standard deviation: 50%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 23.54.113.53 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com, arc.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com Execution Graph export aborted for target xmrig.exe, PID 1052 because there are no executed function Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\xmrig.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.1227010002372255
Encrypted:	false
SSDEEP:	6:o9U9dQfzCwvG25zZvv9dQUCwM5zZvv9dQ9CwZIFzZvv9dQNKpg6QIR/BJrXMnGTJ:oGmzttbt2utZIfWKpxRJJTMGgy
MD5:	DF60062C25B76E74BF2456B10128622A
SHA1:	A418E201FCA1327329B4625E2C78FE07C96394D9
SHA-256:	9CAAA74F7E42863A28330BAA11A772DD17A517F48824BAD5032952D63B55788B
SHA-512:	3061EF2A32000B378D174C1D8F10614D7784C917E7DB3013B3D2216078CF07D6B2BB46961F95D0E10439056B927070C5B4EF5446370155DCC559F14BAA4B1C27
Malicious:	false
Reputation:	low
Preview:	[2021-10-01 11:30:34.871] unable to open "C:\Users\user\Desktop\config.json"....[2021-10-01 11:30:34.874] unable to open "C:\Users\user\.xmrig.json"....[2021-10-01 11:30:34.877] unable to open "C:\Users\user\.config\xmrig.json"....[2021-10-01 11:30:34.877] no valid configuration found, try https://xmrig.com/wizard...

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.56842313823887
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xmrig.exe
File size:	1998512
MD5:	0e2431a09f5aae6d9f436e62eb41ed69
SHA1:	72952d136bbcb52b690dbc1abae72141068cc824
SHA256:	f1bf0e4475a869d62580e17be7add63ba1407f8afc6c01dd203f7dfe05914950
SHA512:	3f05782c7b6d8548a9265c662fc058089f2b912ac0847b5d03cd64ea99c03ee62631768533a6df09be41028abef53641044b6e2efe60cea6252c02dadc6da179
SSDEEP:	49152:LdM2G2PRCj8LkSHe9zJ3dJYxkLgmeYknvCMndZmdI0uS:hDGJYGLgme7vHdZqdR
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$..........L[.y.[.y.[.y.4.}.A.y.4.z.V.y.4.\|...y..:.._.y...}.I.y...z.Q.y...\|...y...}.I.y.4.x.T.y.[.x.j.y...}.E.y...p...y...z.X.y.....Z.y

File Icon


Icon Hash:	e8b6b4c958d6c6e8

Static PE Info

General
Entrypoint:	0x14012ddc8
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x600E9FB6 [Mon Jan 25 10:38:46 2021 UTC]
TLS Callbacks:	0x4012daf0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c63ee349950c5add3bd78c668f7c463b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo RSA Extended Validation Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	5/23/2019 2:00:00 AM 5/30/2021 1:59:59 AM
Subject Chain	CN=Cudo Ventures Ltd, O=Cudo Ventures Ltd, STREET=18 Christchurch Road, L=Bournemouth, S=Dorset, PostalCode=BH1 3NE, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=11065412
Version:	3
Thumbprint MD5:	A7B1698B3E29525EF24E8960F121AA57
Thumbprint SHA-1:	0849317604DA03D9F1BE012A579CB07DB4C27442
Thumbprint SHA-256:	F9A1BD3498A3B26A99ABD7D46D8DC4BAFF7FE5551A987C4EAAC0C5233CAD326C
Serial:	00964262E2E46AFA6D1315F835DB9DB964

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4484B0295Ch
dec eax
add esp, 28h
jmp 00007F4484B02287h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F4484B02422h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F4484B02425h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F4484B0241Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F4484B0174Eh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [eax+eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c6b64	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x477000	0x59c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x462000	0xe328	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1e7000	0xeb0	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x47d000	0x23f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1aa200	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1aa380	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1aa220	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x180000	0x890	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17e91f	0x17ea00	False	0.456258550106	data	6.5372513139	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x180000	0x48850	0x48a00	False	0.423024688038	data	5.58244774848	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c9000	0x298b94	0x5c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x462000	0xe328	0xe400	False	0.490011650219	data	6.10300182473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RANDOMX	0x471000	0xbd6	0xc00	False	0.527018229167	data	6.21135202089	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_TEXT_CN	0x472000	0x18ce	0x1a00	False	0.328575721154	data	6.00096849672	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_TEXT_CN	0x474000	0x1184	0x1200	False	0.533203125	data	6.04792421687	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x476000	0x94	0x200	False	0.208984375	data	1.43741768711	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x477000	0x59c0	0x5a00	False	0.381684027778	data	5.42818311759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x47d000	0x23f0	0x2400	False	0.300564236111	data	5.44660216404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4771c0	0x18fb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x478ac0	0x25a8	data	English	United States
RT_ICON	0x47b068	0x10a8	data	English	United States
RT_ICON	0x47c110	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0x47c578	0x3e	data	English	United States
RT_VERSION	0x47c5b8	0x284	data	English	United States
RT_MANIFEST	0x47c840	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
WS2_32.dll	ntohs, WSASetLastError, WSAStartup, select, WSARecvFrom, WSASocketW, WSASend, WSARecv, WSAIoctl, WSADuplicateSocketW, socket, shutdown, setsockopt, listen, getsockopt, getsockname, getpeername, ioctlsocket, closesocket, bind, FreeAddrInfoW, GetAddrInfoW, WSAGetLastError, gethostname, htonl, htons
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	GetAdaptersAddresses
USERENV.dll	GetUserProfileDirectoryW
KERNEL32.dll	RaiseException, SetStdHandle, GetCommandLineA, RtlPcToFileHeader, RtlUnwindEx, WriteConsoleW, SetConsoleTitleA, GetStdHandle, SetConsoleMode, GetConsoleMode, SizeofResource, LockResource, LoadResource, FindResourceW, MultiByteToWideChar, SetPriorityClass, GetCurrentProcess, SetThreadPriority, GetSystemPowerStatus, GetCurrentThread, GetProcAddress, GetModuleHandleW, CloseHandle, FreeConsole, GetConsoleWindow, VirtualProtect, VirtualFree, VirtualAlloc, GetLargePageMinimum, LocalAlloc, GetLastError, LocalFree, FlushInstructionCache, DeviceIoControl, GetModuleFileNameW, CreateFileW, GetCurrentThreadId, AddVectoredExceptionHandler, GetFileType, PostQueuedCompletionStatus, CreateFileA, DuplicateHandle, SetEvent, ResetEvent, WaitForSingleObject, CreateEventA, Sleep, QueueUserWorkItem, RegisterWaitForSingleObject, UnregisterWait, WideCharToMultiByte, GetNumberOfConsoleInputEvents, ReadConsoleInputW, ReadConsoleW, FillConsoleOutputCharacterW, FillConsoleOutputAttribute, GetConsoleCursorInfo, SetConsoleCursorInfo, GetConsoleScreenBufferInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, WriteConsoleInputW, VerSetConditionMask, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentVariableW, SetEnvironmentVariableW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetTempPathW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcessId, GlobalMemoryStatusEx, GetSystemInfo, GetSystemTimeAsFileTime, GetVersionExW, VerifyVersionInfoA, FileTimeToSystemTime, GetCommandLineW, CreateDirectoryW, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, GetDiskFreeSpaceW, GetFileAttributesW, GetFileInformationByHandle, GetFileSizeEx, GetFinalPathNameByHandleW, GetFullPathNameW, ReadFile, RemoveDirectoryW, SetFilePointerEx, SetFileTime, WriteFile, MapViewOfFile, FlushViewOfFile, UnmapViewOfFile, CreateFileMappingA, ReOpenFile, CopyFileW, MoveFileExW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, SetConsoleCtrlHandler, GetLongPathNameW, GetShortPathNameW, CreateIoCompletionPort, ReadDirectoryChangesW, SetHandleInformation, RtlUnwind, SetFileCompletionNotificationModes, SetErrorMode, GetQueuedCompletionStatus, ConnectNamedPipe, PeekNamedPipe, CreateNamedPipeW, CancelIoEx, CancelSynchronousIo, DeleteCriticalSection, SwitchToThread, TerminateProcess, GetExitCodeProcess, UnregisterWaitEx, LCMapStringW, DebugBreak, FormatMessageA, TryEnterCriticalSection, InitializeConditionVariable, WakeConditionVariable, SleepConditionVariableCS, ReleaseSemaphore, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetNativeSystemInfo, CreateSemaphoreA, GetModuleHandleA, LoadLibraryA, GetStartupInfoW, GetModuleFileNameA, GetVersionExA, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, GetComputerNameA, LoadLibraryW, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, LoadLibraryExW, FreeLibraryAndExitThread, ExitThread, GetModuleHandleExW, GetFileAttributesExW, SetFileAttributesW, GetConsoleCP, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, ExitProcess, HeapAlloc, HeapFree, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, GetTimeZoneInformation, HeapSize, SetEndOfFile, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetProcessHeap, CancelIo, WaitForSingleObjectEx, GetExitCodeThread, EncodePointer, DecodePointer, GetCPInfo, InitializeCriticalSectionAndSpinCount, CreateEventW, GetTickCount, CompareStringW, GetLocaleInfoW, GetStringTypeW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, IsDebuggerPresent, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, CreateThread, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetThreadTimes, FreeLibrary
USER32.dll	MapVirtualKeyW, GetMessageA, ShowWindow, GetSystemMetrics, TranslateMessage, DispatchMessageA
ADVAPI32.dll	SystemFunction036, GetUserNameW, CreateServiceW, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, QueryServiceConfigA, DeleteService, ControlService, StartServiceW, OpenServiceW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, LsaOpenPolicy, LsaAddAccountRights, LsaClose, GetTokenInformation

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2016-2021 xmrig.com
FileVersion	6.7.2
CompanyName	www.xmrig.com
ProductName	XMRig
ProductVersion	6.7.2
FileDescription	XMRig miner
OriginalFilename	xmrig.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2021 10:23:57.457556963 CEST	54531	53	192.168.2.4	8.8.8.8
Oct 1, 2021 10:23:57.485270977 CEST	53	54531	8.8.8.8	192.168.2.4
Oct 1, 2021 10:23:59.915610075 CEST	49714	53	192.168.2.4	8.8.8.8
Oct 1, 2021 10:23:59.934783936 CEST	53	49714	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

• xmrig.exe
• conhost.exe

Click to jump to process

Memory Usage

• xmrig.exe
• conhost.exe

Click to jump to process

Behavior

• xmrig.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: xmrig.exe PID: 1052 Parent PID: 6588

Function Logs

General

Start time:	10:24:03
Start date:	01/10/2021
Path:	C:\Users\user\Desktop\xmrig.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\xmrig.exe'
Imagebase:	0x7ff69e900000
File size:	1998512 bytes
MD5 hash:	0E2431A09F5AAE6D9F436E62EB41ED69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.648069559.00007FF69ED76000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.649585296.000001BB9ED16000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.650401118.00007FF69ED76000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.649570365.000001BB9ED00000.00000004.00000020.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000002.650259516.00007FF69EA80000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.650259516.00007FF69EA80000.00000002.00020000.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.647951192.00007FF69EA80000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 5400 Parent PID: 1052

Function Logs

General

Start time:	10:24:04
Start date:	01/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report xmrig.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Bitcoin Miner:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: xmrig.exe PID: 1052 Parent PID: 6588

General

File Activities

File Opened

File Created