xmrig | b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

General

Target

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
Size

605KB
MD5

1578dff0667515e1f9e20fd9667b5793
SHA1

6c18fd0b383162cb9030e4b18a27ecbacd8c34d3
SHA256

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89
SHA512

0d261eb8c81bef9df5bc0812c1b9e77d8f0728c891bc9e9ffcfd8df89733cff0e2b581891a6e6da05d068d26353ff0992056a2c0198cf484d3050e5e6e534004

Score

10^/10

xmrig miner spyware vmprotect

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

380 csrss.exe

pid	process
380	csrss.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1188-3-0x0000000001040000-0x0000000001041000-memory.dmp	vmprotect
C:\PerfLogs\Admin\csrss.exe	vmprotect
C:\PerfLogs\Admin\csrss.exe	vmprotect
behavioral1/memory/380-20-0x0000000000EA0000-0x0000000000EA1000-memory.dmp	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ipinfo.io
9 ipinfo.io

flow	ioc
8	ipinfo.io
9	ipinfo.io

Drops file in Windows directory 4 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe

description	ioc	process
File created	C:\Windows\Media\Calligraphy\audiodg.exe	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Windows\Media\Calligraphy\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Windows\system\winlogon.exe	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
File created	C:\Windows\system\cc11b995f2a76da408ea6a601e682e64743153ad	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1920 380 WerFault.exe csrss.exe
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

632 schtasks.exe
340 schtasks.exe
1500 schtasks.exe
1616 schtasks.exe
1840 schtasks.exe
928 schtasks.exe
1216 schtasks.exe

pid	pid_target	process	target process
1920	380	WerFault.exe	csrss.exe

pid	process
632	schtasks.exe
340	schtasks.exe
1500	schtasks.exe
1616	schtasks.exe
1840	schtasks.exe
928	schtasks.exe
1216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.execsrss.exe

pid	process
1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe
380	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.execsrss.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
Token: SeDebugPrivilege	380	csrss.exe
Token: SeDebugPrivilege	1920	WerFault.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.execsrss.exe

description	pid	process	target process
PID 1188 wrote to memory of 1500	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1500	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1500	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1616	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1616	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1616	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1840	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1840	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1840	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 928	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 928	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 928	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1216	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1216	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 1216	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 632	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 632	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 632	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 340	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 340	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 340	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	schtasks.exe
PID 1188 wrote to memory of 380	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	csrss.exe
PID 1188 wrote to memory of 380	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	csrss.exe
PID 1188 wrote to memory of 380	1188	b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe	csrss.exe
PID 380 wrote to memory of 1920	380	csrss.exe	WerFault.exe
PID 380 wrote to memory of 1920	380	csrss.exe	WerFault.exe
PID 380 wrote to memory of 1920	380	csrss.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe
"C:\Users\Admin\AppData\Local\Temp\b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\system\winlogon.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\PerfLogs\Admin\dwm.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Media\Calligraphy\audiodg.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:340

C:\PerfLogs\Admin\csrss.exe
"C:\PerfLogs\Admin\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 380 -s 1244
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\csrss.exe
MD5
1578dff0667515e1f9e20fd9667b5793

SHA1
6c18fd0b383162cb9030e4b18a27ecbacd8c34d3

SHA256
b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

SHA512
0d261eb8c81bef9df5bc0812c1b9e77d8f0728c891bc9e9ffcfd8df89733cff0e2b581891a6e6da05d068d26353ff0992056a2c0198cf484d3050e5e6e534004

Download Submit
C:\PerfLogs\Admin\csrss.exe
MD5
1578dff0667515e1f9e20fd9667b5793

SHA1
6c18fd0b383162cb9030e4b18a27ecbacd8c34d3

SHA256
b25d1a51f01c5d9c4f2091c5dcdcc77bca91d4fbca3c30f1c6ca64d3f7c8dd89

SHA512
0d261eb8c81bef9df5bc0812c1b9e77d8f0728c891bc9e9ffcfd8df89733cff0e2b581891a6e6da05d068d26353ff0992056a2c0198cf484d3050e5e6e534004

Download Submit
memory/340-15-0x0000000000000000-mapping.dmp

Download
memory/380-36-0x000000001B2CE000-0x000000001B2CF000-memory.dmp

Filesize
4KB

Download
memory/380-40-0x000000001B2D2000-0x000000001B2D3000-memory.dmp

Filesize
4KB

Download
memory/380-28-0x000000001B2C6000-0x000000001B2C7000-memory.dmp

Filesize
4KB

Download
memory/380-29-0x000000001B2C7000-0x000000001B2C8000-memory.dmp

Filesize
4KB

Download
memory/380-35-0x000000001B2CD000-0x000000001B2CE000-memory.dmp

Filesize
4KB

Download
memory/380-43-0x000000001B2D5000-0x000000001B2D6000-memory.dmp

Filesize
4KB

Download
memory/380-34-0x000000001B2CC000-0x000000001B2CD000-memory.dmp

Filesize
4KB

Download
memory/380-42-0x000000001B2D4000-0x000000001B2D5000-memory.dmp

Filesize
4KB

Download
memory/380-16-0x0000000000000000-mapping.dmp

Download
memory/380-30-0x000000001B2C8000-0x000000001B2C9000-memory.dmp

Filesize
4KB

Download
memory/380-41-0x000000001B2D3000-0x000000001B2D4000-memory.dmp

Filesize
4KB

Download
memory/380-19-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/380-20-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/380-22-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

Filesize
8KB

Download
memory/380-26-0x000000001B2A6000-0x000000001B2C5000-memory.dmp

Filesize
124KB

Download
memory/380-27-0x000000001B2C5000-0x000000001B2C6000-memory.dmp

Filesize
4KB

Download
memory/380-37-0x000000001B2CF000-0x000000001B2D0000-memory.dmp

Filesize
4KB

Download
memory/380-39-0x000000001B2D1000-0x000000001B2D2000-memory.dmp

Filesize
4KB

Download
memory/380-38-0x000000001B2D0000-0x000000001B2D1000-memory.dmp

Filesize
4KB

Download
memory/380-31-0x000000001B2C9000-0x000000001B2CA000-memory.dmp

Filesize
4KB

Download
memory/380-32-0x000000001B2CA000-0x000000001B2CB000-memory.dmp

Filesize
4KB

Download
memory/380-33-0x000000001B2CB000-0x000000001B2CC000-memory.dmp

Filesize
4KB

Download
memory/632-14-0x0000000000000000-mapping.dmp

Download
memory/928-12-0x0000000000000000-mapping.dmp

Download
memory/1188-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1188-2-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1188-3-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/1188-5-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

Filesize
8KB

Download
memory/1216-13-0x0000000000000000-mapping.dmp

Download
memory/1500-9-0x0000000000000000-mapping.dmp

Download
memory/1616-10-0x0000000000000000-mapping.dmp

Download
memory/1840-11-0x0000000000000000-mapping.dmp

Download
memory/1920-44-0x0000000000000000-mapping.dmp

Download
memory/1920-45-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/1920-46-0x00000000020C0000-0x00000000020D1000-memory.dmp

Filesize
68KB

Download
memory/1920-47-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads