Windows Analysis Report
From S03E06.exe

Overview

General Information

Sample name: From S03E06.exe
Analysis ID: 1541163
MD5: a295f06dbf2df55b18e31f7d79a3e7ee
SHA1: a4ed024614203be3e7178718d9241fd94a4542e1
SHA256: e9463c6d4a79774f7ccccb01a22f2c609fe50ff60cd10fc7ba510ecfeef873ba

Detection

Xmrig
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Found strings related to Crypto-Mining
Machine Learning detection for sample
Potential thread-based time evasion detected
Query firmware table information (likely to detect VMs)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: From S03E06.exe Avira: detected
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.2% probability
Source: From S03E06.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: From S03E06.exe, type: SAMPLE
Source: Yara match File source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: From S03E06.exe PID: 7260, type: MEMORYSTR
Source: From S03E06.exe, 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: From S03E06.exe, 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: cryptonight/0
Source: From S03E06.exe, 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: From S03E06.exe, 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: stratum+tcp://
Source: From S03E06.exe, 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: From S03E06.exe, 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: XMRig 6.22.0-mo3
Source: From S03E06.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: From S03E06.exe String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: From S03E06.exe String found in binary or memory: https://xmrig.com/benchmark/%s
Source: From S03E06.exe String found in binary or memory: https://xmrig.com/docs/algorithms
Source: From S03E06.exe String found in binary or memory: https://xmrig.com/wizard
Source: From S03E06.exe String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Source: From S03E06.exe, type: SAMPLE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: From S03E06.exe, type: SAMPLE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: From S03E06.exe, type: SAMPLE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: From S03E06.exe, type: SAMPLE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000000.1697450350.00007FF69E6B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: From S03E06.exe PID: 7260, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\Desktop\From S03E06.exe Process Stats: CPU usage > 49%
Source: From S03E06.exe Static PE information: Number of sections : 11 > 10
Source: From S03E06.exe, type: SAMPLE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: From S03E06.exe, type: SAMPLE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: From S03E06.exe, type: SAMPLE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: From S03E06.exe, type: SAMPLE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.0.From S03E06.exe.7ff69e6b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000000.1698485998.00007FF69ECF1000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000000.1697450350.00007FF69E6B1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: From S03E06.exe PID: 7260, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine Classification label: mal88.evad.mine.winEXE@3/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: From S03E06.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\From S03E06.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: From S03E06.exe String found in binary or memory: --help
Source: From S03E06.exe String found in binary or memory: -h, --help display this help and exit
Source: From S03E06.exe String found in binary or memory: a:c:kBp:Px:r:R:s:t:T:o:u:O:v:l:Sx:XMRig 6.22.0-mo3-h--help-V--version--versions--export-topology--print-platformsUsage: xmrig [OPTIONS]
Source: From S03E06.exe String found in binary or memory: if(p-start_p>size_limit)
Source: From S03E06.exe String found in binary or memory: id-cmc-addExtensions
Source: From S03E06.exe String found in binary or memory: set-addPolicy
Source: From S03E06.exe String found in binary or memory: crypto/store/loader_file.c
Source: From S03E06.exe String found in binary or memory: crypto/store/loader_file.cpass phrasePRIVATE KEYPUBLIC KEYPARAMETERSX509 CRLTRUSTED CERTIFICATEX509 CERTIFICATECERTIFICATEENCRYPTED PRIVATE KEYPKCS8 decrypt passwordPKCS12 import passwordfile:localhost/rb-----BEGIN %08lx/PEM'PEM type is 'file
Source: From S03E06.exe String found in binary or memory: %s: unexpected id `%s' not-starting with `obj', ignoring
Source: From S03E06.exe String found in binary or memory: -addPXH
Source: From S03E06.exe String found in binary or memory: c-addEx
Source: unknown Process created: C:\Users\user\Desktop\From S03E06.exe "C:\Users\user\Desktop\From S03E06.exe"
Source: C:\Users\user\Desktop\From S03E06.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: opencl.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\From S03E06.exe Section loaded: explorerframe.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\From S03E06.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: From S03E06.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: From S03E06.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: From S03E06.exe Static file information: File size 10974645 > 1048576
Source: From S03E06.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x62fc00
Source: From S03E06.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x161600
Source: From S03E06.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: From S03E06.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: From S03E06.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\From S03E06.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Initial file Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\From S03E06.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\From S03E06.exe Window / User API: threadDelayed 2802
Source: C:\Users\user\Desktop\From S03E06.exe Window / User API: threadDelayed 5846
Source: C:\Users\user\Desktop\From S03E06.exe Window / User API: threadDelayed 802
Source: C:\Users\user\Desktop\From S03E06.exe Window / User API: threadDelayed 538
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: From S03E06.exe, 00000000.00000002.4169890093.0000020562E98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWE
Source: From S03E06.exe, 00000000.00000002.4169890093.0000020562E98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Users\user\Desktop\From S03E06.exe Process Stats: CPU usage > 42% for more than 60s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: conhost.exe, 00000001.00000002.4170291135.00000201F7780000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000001.00000002.4170291135.00000201F7780000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000001.00000002.4170291135.00000201F7780000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: conhost.exe, 00000001.00000002.4170291135.00000201F7780000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
No contacted IP infos