xmrig | 3e3a2350cc65c94f1139adf4229a5d1a0c0fdd7aa79c5ba8612011e2a5113b0f

General

Target

file3.exe
Size

4.4MB
MD5

85916ca32ad6adf4bcc68318fcfe1722
SHA1

e58a67d48b79cc828e31121f5c3ed2b06ebd4f85
SHA256

3e3a2350cc65c94f1139adf4229a5d1a0c0fdd7aa79c5ba8612011e2a5113b0f
SHA512

db3e042b77f5f4b5e1b83dac49f24e1159552c7a7207ab2897e44bcb58875dc87a84257ef3ca95606c565d7baaa55db67f36f47d8adcfb8b4aa9d5aa522dfb90

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1400-66-0x0000000000400000-0x0000000000872000-memory.dmp	xmrig
behavioral1/memory/1400-67-0x000000000086D6EA-mapping.dmp	xmrig
behavioral1/memory/1400-68-0x0000000000400000-0x0000000000872000-memory.dmp	xmrig
\Users\Admin\AppData\Roaming\xmrig.exe	xmrig
C:\Users\Admin\AppData\Roaming\xmrig.exe	xmrig

Executes dropped EXE 1 IoCs

Processes:

xmrig.exe

pid process

376 xmrig.exe
Loads dropped DLL 1 IoCs

Processes:

file3.exe

pid process

1400 file3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file3.exe

description pid process target process

PID 788 set thread context of 1400 788 file3.exe file3.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xmrig.exe

description pid process

Token: SeLockMemoryPrivilege 376 xmrig.exe
Token: SeLockMemoryPrivilege 376 xmrig.exe

pid	process
376	xmrig.exe

pid	process
1400	file3.exe

description	pid	process	target process
PID 788 set thread context of 1400	788	file3.exe	file3.exe

description	pid	process
Token: SeLockMemoryPrivilege	376	xmrig.exe
Token: SeLockMemoryPrivilege	376	xmrig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

file3.exefile3.exe

description	pid	process	target process
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 788 wrote to memory of 1400	788	file3.exe	file3.exe
PID 1400 wrote to memory of 376	1400	file3.exe	xmrig.exe
PID 1400 wrote to memory of 376	1400	file3.exe	xmrig.exe
PID 1400 wrote to memory of 376	1400	file3.exe	xmrig.exe
PID 1400 wrote to memory of 376	1400	file3.exe	xmrig.exe

C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\file3.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\xmrig.exe
"C:\Users\Admin\AppData\Roaming\xmrig.exe" -p trinity-miner --donate-level 5 -o pool.supportxmr.com:443 -u 89UyhNJWGyP6xoycGBA3A6HjdNEs7g3jr34EXVtqGYzg5wLEbmZY2AcGy5Kw5NRfjaYTUyW1dKCHGinv7fGMg45zVCRQwNM -k --tls
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xmrig.exe
MD5
184fb976a5e2ff8241f6d7799ba930be

SHA1
6b9043b37361225cb709ef927f23cbac65063588

SHA256
fd0f5b78bcc0c8c9690777f1be1602f006e627fff201b8111275a10edfb76c83

SHA512
9752bd4251a6f2daac1525ecb345e2026fd00647f8e0120dc577341b6b216f3934ff11398ef77742bb4621a90fddeabceb6757d527d2e13bd10ae6e154fbf2c9

Download Submit
\Users\Admin\AppData\Roaming\xmrig.exe
MD5
184fb976a5e2ff8241f6d7799ba930be

SHA1
6b9043b37361225cb709ef927f23cbac65063588

SHA256
fd0f5b78bcc0c8c9690777f1be1602f006e627fff201b8111275a10edfb76c83

SHA512
9752bd4251a6f2daac1525ecb345e2026fd00647f8e0120dc577341b6b216f3934ff11398ef77742bb4621a90fddeabceb6757d527d2e13bd10ae6e154fbf2c9

Download Submit
memory/376-71-0x0000000000000000-mapping.dmp

Download
memory/376-75-0x0000000000490000-0x00000000004B0000-memory.dmp

Filesize
128KB

Download
memory/376-74-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/376-73-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/788-64-0x0000000009220000-0x00000000094F8000-memory.dmp

Filesize
2.8MB

Download
memory/788-65-0x000000000B8C0000-0x000000000BD30000-memory.dmp

Filesize
4.4MB

Download
memory/788-60-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/788-63-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/788-62-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1400-68-0x0000000000400000-0x0000000000872000-memory.dmp

Filesize
4.4MB

Download
memory/1400-67-0x000000000086D6EA-mapping.dmp

Download
memory/1400-66-0x0000000000400000-0x0000000000872000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads