xmrig | 088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8

General

Target

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
Size

1.9MB
MD5

bd9e745f73bf7fe19145cfb5c25460c0
SHA1

87760bc05ef4290fc06cc3115224dcd1672cfd13
SHA256

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8
SHA512

c84cc42e37d6bc4fce8d057cdcfd6c3920f5fd0020ac37db15a8756e05c79e278665a034e353e6d36b9032ee4bd1da2e67e327a9f4381e9d607adc70b3a6c6a7

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1360 cmd.exe

pid	process
1360	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

Drops file in System32 directory 64 IoCs

Processes:

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness 3 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\GetRight 5.0 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Medal of Honor - Allied Assault Breakthrough No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\LingoWare 3.0 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Sniper Elite - Berlin 1943 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\FireStarter No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Soul Reaver 3 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Half-Life II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\World War II - Frontline Command Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Thief 2 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\SnagIt 6.2.2 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Armor2net Personal Firewall 3.1 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\UT 2004 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Lords of the Realm III No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 3 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 3.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Railroad Tycoon III Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Hex Workshop Hex Editor 4.1 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\The Sims Superstar No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Rainbow Six 3 - Raven Shield Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2004 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2003 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.8x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Splinter Cell No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\GeoWhere 2.11 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.8x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Winamp 2.91 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Half-Life II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2004 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Quake 3 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 8.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 9.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Rainbow Six 3 - Raven Shield No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 8.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Warlords IV - Heroes of Etheria No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior 4 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\WinZip 8.1 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords 4 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Soul Reaver 3 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\WinRAR 3.12 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 8.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\IconPackager 2.12 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Command & Conquer Generals No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Battlefield 1942 - Secret Weapons of World War II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 3 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Unreal Tournament 2003 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Commandos 3 - Destination Berlin Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

description	pid	process	target process
PID 1096 wrote to memory of 1360	1096	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe
PID 1096 wrote to memory of 1360	1096	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe
PID 1096 wrote to memory of 1360	1096	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe
PID 1096 wrote to memory of 1360	1096	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
"C:\Users\Admin\AppData\Local\Temp\088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\$$$$$.bat
2⤵
- Deletes itself
PID:1360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat
MD5
173fdcea0387c6139991e4dd37e0963b

SHA1
df78ff695f7d89b9ca4c66ca314849c4c5584408

SHA256
059e38957d12eb264aaa59d1ad6d152e99790e55f4a9b7726c94569f351701e4

SHA512
a740149a0aac4f7d7bf2e21af00c2377baddef1967e9334e3d436a95c9019d1e2b89eac87032ec957769cfb8af0c6712619ed4d31cb6207d371f2b065fe98cfb

Download Submit
memory/1360-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads