xmrig | 088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8

General

Target

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
Size

1.9MB
MD5

bd9e745f73bf7fe19145cfb5c25460c0
SHA1

87760bc05ef4290fc06cc3115224dcd1672cfd13
SHA256

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8
SHA512

c84cc42e37d6bc4fce8d057cdcfd6c3920f5fd0020ac37db15a8756e05c79e278665a034e353e6d36b9032ee4bd1da2e67e327a9f4381e9d607adc70b3a6c6a7

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

Drops file in System32 directory 64 IoCs

Processes:

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars Jedi Knight - Jedi Academy Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior IV Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 5 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 4 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake IV No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.00b Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 6.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GeoWhere 2.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III - The Frozen Throne No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Racing 2003 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2003 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior V Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 3.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 7.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinAce 2.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity 4 Rush Hour Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness 2 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Midtown Madness II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator 2 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.0 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Lords of the Realm III Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Battlefield 1942 - Secret Weapons of World War II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords 4 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\GetRight 6.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Raven Shield Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.0 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DOOM III Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Thief III Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\CloneCD 5.0 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Etherlords II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Alpha Communicator 5.0 Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator II Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness III Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Sniper Elite - Berlin 1943 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity 4 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Wars - Knights of the Old Republic Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\CloneCD 4.x Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.0 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\UT 2004 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Raven Shield No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Wars - Knights of the Old Republic No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 9.x Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Serial Generator.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Silent Hill 3 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Hitman II No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
File created	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 No-Cd Crack.exe	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe

description	pid	process	target process
PID 3968 wrote to memory of 2204	3968	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe
PID 3968 wrote to memory of 2204	3968	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe
PID 3968 wrote to memory of 2204	3968	088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe
"C:\Users\Admin\AppData\Local\Temp\088fc93c12a7c71daa62f3b4756b489ad218f8cb2bb92753702b6b1e57291aa8.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
2⤵
PID:2204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat
MD5
173fdcea0387c6139991e4dd37e0963b

SHA1
df78ff695f7d89b9ca4c66ca314849c4c5584408

SHA256
059e38957d12eb264aaa59d1ad6d152e99790e55f4a9b7726c94569f351701e4

SHA512
a740149a0aac4f7d7bf2e21af00c2377baddef1967e9334e3d436a95c9019d1e2b89eac87032ec957769cfb8af0c6712619ed4d31cb6207d371f2b065fe98cfb

Download Submit
memory/2204-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads