xmrig | 423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843

General

Target

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
Size

3.4MB
MD5

b8686eb397b6f0cdafce7ae4cc3927d9
SHA1

cf2e6c163ec592095941d95e7e1fffa2d556b114
SHA256

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843
SHA512

adac4ebddaa99f1bf2444cc4d160cbf4e6eaff8397c15017cc9f444e05985c03a5fa1bf5ed0068d0af5f31aa82a37d968635cc4a8cf81016967d0409297c5431

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1652 cmd.exe

pid	process
1652	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

Drops file in System32 directory 64 IoCs

Processes:

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers32\Harry Potter - Quidditch World Cup No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\FlashFXP 1.4 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\WS_FTP 5.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinZip 8.0 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief 2 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2003 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 8.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 3 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Enemy Territory Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator 2 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Command & Conquer Generals No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lord of the Rings - The Two Towers Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DAP Plus 5.3 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\svchosts.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\WinZip 8.0 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DOOM 3 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Armor2net Personal Firewall 3.1 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\SWiSH 2.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Mythology - The Titans Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Xenus Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Halo Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Trinity Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Freedom - Soldiers of Liberty No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Half-Life II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Commandos 3 - Destination Berlin Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator 2 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\EverQuest 2 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ICUII 5.7 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Kings of War No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Silent Hill III Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Enemy Territory No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lords of EverQuest No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashFXP 1.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 5 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.0 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Chrome No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Flight Simulator - Century of Flight No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Half-Life No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Splinter Cell No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\DOOM III No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Grand Theft Auto - Vice City Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NBA Live 2004 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 4 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 7.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.03 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.7 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

description	pid	process	target process
PID 1096 wrote to memory of 1652	1096	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe
PID 1096 wrote to memory of 1652	1096	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe
PID 1096 wrote to memory of 1652	1096	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe
PID 1096 wrote to memory of 1652	1096	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
"C:\Users\Admin\AppData\Local\Temp\423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\$$$$$.bat
2⤵
- Deletes itself
PID:1652

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat
MD5
e5c16518d9bc9565a3c2074170a04490

SHA1
db97d2ae53737f43badcfb298c6eb2952c22b4ff

SHA256
7ed516ddd607ef5f3c6e5a4294143f36cacdda0b004e8e949075e6981617f0e9

SHA512
864285ee2ee2a734b5a04a64a7ba7d74686334ff9d66b843f287fd4a9502daf7e4c19ac55cfefdc31d1b1c264b60d7f83d27da3a330795d4583ff78c99c87bd6

Download Submit
memory/1652-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads