| File name: | xmrig-5.5.0 (1).rar |
| Full analysis: | https://app.any.run/tasks/fbbcefa3-a0f0-43ec-9bca-9efad7055c6e |
| Verdict: | Malicious activity |
| Threats: | Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. |
| Analysis date: | March 02, 2024, 00:21:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | DDB94060DE24C47DE03862C887234437 |
| SHA1: | 223EE92092F6B96712DCB420D5019B8FE66258AD |
| SHA256: | A9FCB0245DE569706FA29FD177B68E6A1D8A651D1F7C657F5BAC678ABA73BB67 |
| SSDEEP: | 98304:20LPuzz+chCTb1lgTsWbpTF/XPaQbxfnbhWM/9TKrRENFM1JEvGN6vTf5zbdlJeX:ednjc4IjHE9V7E+O |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1432)
XMRig has been detected
- xmrig.exe (PID: 1876)
- xmrig.exe (PID: 2892)
XMRIG has been detected (YARA)
- xmrig.exe (PID: 2892)
- xmrig.exe (PID: 1876)
SUSPICIOUS
Drops a system driver (possible attempt to evade defenses)
- WinRAR.exe (PID: 1432)
INFO
Checks supported languages
- xmrig.exe (PID: 2892)
- xmrig.exe (PID: 1876)
Manual execution by a user
- xmrig.exe (PID: 1876)
- taskmgr.exe (PID: 2072)
- xmrig.exe (PID: 2892)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1432)
Reads the machine GUID from the registry
- xmrig.exe (PID: 2892)
- xmrig.exe (PID: 1876)
Reads the computer name
- xmrig.exe (PID: 2892)
- xmrig.exe (PID: 1876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
45
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1432 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\xmrig-5.5.0 (1).rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1876 | "C:\Users\admin\Desktop\xmrig.exe" | C:\Users\admin\Desktop\xmrig.exe | explorer.exe | ||||||||||||
User: admin Company: www.xmrig.com Integrity Level: MEDIUM Description: XMRig miner Exit code: 3221225786 Version: 5.5.0 Modules
| |||||||||||||||
| 2072 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2892 | "C:\Users\admin\Desktop\xmrig.exe" | C:\Users\admin\Desktop\xmrig.exe | explorer.exe | ||||||||||||
User: admin Company: www.xmrig.com Integrity Level: HIGH Description: XMRig miner Exit code: 0 Version: 5.5.0 Modules
| |||||||||||||||
Total events
4 158
Read events
4 133
Write events
25
Delete events
0
Modification events
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\xmrig-5.5.0 (1).rar | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1432) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
3
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1432.42366\xmrig.exe | executable | |
MD5:2C5F8843F514824FC636F451FC6A18B4 | SHA256:363841B14E9048FD50A012F2A3E04C3F86312FBCD3C1F4A837A102FE7E258CA7 | |||
| 1432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1432.42366\xmrig-notls.exe | executable | |
MD5:E3E0BF7FB4FDDCF7970EF9D090C78333 | SHA256:1F791E378CF855CAAE7977DA95D966E33F8CDA28406B2E0CFC287025BF639843 | |||
| 1432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1432.42366\SHA256SUMS | text | |
MD5:3AC1C0D348AD431F3D12E063AB4B6213 | SHA256:37A6BC6ECF18FC8744A1ADB54D4528D614D8390FC2DA1F04DCF3CEA3B4A54F90 | |||
| 1432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1432.42366\config.json | binary | |
MD5:94C4C40C8E9A4A6895C00966FCD2EC1D | SHA256:05F53DCEC3BA94402200B6FE534E09E067EF9E40F151838FDE0245DCD9FC6026 | |||
| 1432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1432.42366\WinRing0x64.sys | executable | |
MD5:0C0195C48B6B8582FA6F6373032118DA | SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5 | |||
| 1432 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1432.42366\start.cmd | text | |
MD5:6EB783BC229F92D0F8285500928AC8A1 | SHA256:9554E811347798D784BBE0ED5FA212E95DC8783A34CBC298454805F0988CB577 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
3
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1876 | xmrig.exe | 141.94.96.195:443 | pool.supportxmr.com | OVH SAS | FR | unknown |
2892 | xmrig.exe | 141.94.96.144:443 | pool.supportxmr.com | OVH SAS | FR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pool.supportxmr.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Crypto Currency Mining Activity Detected | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) |
2 ETPRO signatures available at the full report