File name:	s.bat
Full analysis:	https://app.any.run/tasks/b0b6594a-5ce8-4514-ad1b-f39380c562c1
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	December 21, 2024, 15:32:25
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	miner arch-exec xmrig
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with CRLF line terminators
MD5:	F9E0161FAC70CF9D9935E2F8D1F1891E
SHA1:	A6A1EFCDB0C9DC7DEE578400E7B3E7FC7EDA50CC
SHA256:	1572BE5BE48B2559B80405A61761E6377CEB81C4B67FFEEEAA9A9819B9E5716A
SSDEEP:	24:my+01b2UnJM1/RSZfYwn5bmQfdKPAuIczCF169UeKP9xW0dmLJJk11ocO8AKiyB8:mN01KOJMVR0Dn5qQfdkeW0dArkSoPE


(PID) Process:	(3564) ShellExperienceHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\yYpHriFUdyS-r81lKl88jPGlZr-M05PzoCQ_A6O0gXA\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Voices
Operation:	write	Name:	DefaultTokenId
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241204
Value: 00000000B46CB494BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241205
Value: 00000000B46CB494BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241206
Value: 00000000B46CB494BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241207
Value: 00000000B46CB494BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241208
Value: 00000000B46CB494BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241209
Value: 000000004ED0B694BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241210
Value: 000000004ED0B694BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241211
Value: 000000004ED0B694BD53DB01
(PID) Process:	(3564) ShellExperienceHost.exe	Key:	\REGISTRY\A\{775f7f16-9014-ec20-46ba-bc68ac9c638a}\LocalState\ClockFlyoutCache
Operation:	write	Name:	20241212
Value: 000000004ED0B694BD53DB01

PID	Process	Filename		Type
440	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nvtxnh3u.uii.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
440	powershell.exe	C:\Users\admin\AppData\Local\Temp\xmrig-6.22.2-msvc-win64.zip		compressed
		MD5:57B7AB5BCE7D5E47FD168E1F0D437D32	SHA256:1D903D39C7E4E1706C32C44721D6A6C851AA8C4C10DF1479478EE93CD67301BC
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\xmrig\xmrig-6.22.2\config.json		binary
		MD5:66F38C96A4901E7B345787C447842B3E	SHA256:2B03943244871CA75E44513E4D20470B8F3E0F209D185395DE82B447022437EC
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hhflwms5.lvp.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
440	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:87F599CCCE6E4CAD09851199E67FAB34	SHA256:6AE4341B327F340EF2D5A1F02AF2ADF7C4C7DCC507F8C35E557DE954C0786F6A
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\xmrig\xmrig-6.22.2\SHA256SUMS		text
		MD5:C7A209DEE0F5D1C6C3DD496BA22F78AB	SHA256:C83B38B121842A02FB910FE260C83CCED6AA90663C2A1626231FF5122850DEE8
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\xmrig\xmrig-6.22.2\benchmark_1M.cmd		text
		MD5:CBA1927CF6959DC99ECBD0C553E4DB6F	SHA256:D7747E7A3C782009F4CEB6E9C106115876386853929563B509DA5258E3968D15
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\xmrig\xmrig-6.22.2\pool_mine_example.cmd		text
		MD5:2E737F5C3AF9C8AA5216DFDC5BE02CC6	SHA256:E73491065D86B1AD69229BB5D2019E08B947E11A2A57ADF5C2D9A2B5D8F4ACAD
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_plpbm4sl.g4t.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6028	powershell.exe	C:\Users\admin\AppData\Local\Temp\xmrig\xmrig-6.22.2\WinRing0x64.sys		executable
		MD5:0C0195C48B6B8582FA6F6373032118DA	SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1684	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.4:443	https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-msvc-win64.zip	unknown	—	—	—
1684	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1684	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	104.126.37.171:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1684	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1684	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
www.bing.com	104.126.37.171 104.126.37.185 104.126.37.154 104.126.37.168 104.126.37.169 104.126.37.130 104.126.37.123 104.126.37.170 104.126.37.161	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
github.com	140.82.121.4	shared
objects.githubusercontent.com	185.199.108.133 185.199.110.133 185.199.109.133 185.199.111.133	shared
de.monero.herominers.com	141.95.126.31	malicious
self.events.data.microsoft.com	20.189.173.5	whitelisted

PID	Process	Class	Message
5576	xmrig.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin
2192	svchost.exe	Crypto Currency Mining Activity Detected	ET COINMINER Observed DNS Query to herominers Domain (herominers .com)
5576	xmrig.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

General Info

s.bat

F9E0161FAC70CF9D9935E2F8D1F1891E

A6A1EFCDB0C9DC7DEE578400E7B3E7FC7EDA50CC

1572BE5BE48B2559B80405A61761E6377CEB81C4B67FFEEEAA9A9819B9E5716A

24:my+01b2UnJM1/RSZfYwn5bmQfdKPAuIczCF169UeKP9xW0dmLJJk11ocO8AKiyB8:mN01KOJMVR0Dn5qQfdkeW0dArkSoPE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XMRig has been detected

MINER has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Downloads file from URI via Powershell

Starts POWERSHELL.EXE for commands execution

Reads security settings of Internet Explorer

Gets file extension (POWERSHELL)

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Application launched itself

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Crypto Currency Mining Activity Detected

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Disables trace logs

Reads the computer name

Reads the machine GUID from the registry

The sample compiled with japanese language support

Process checks computer location settings

Checks proxy server information

Checks supported languages

Checks if a key exists in the options dictionary (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Manual execution by a user

Sends debugging messages

Reads Microsoft Office registry keys

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings