xmrig | 423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843

General

Target

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
Size

3.4MB
MD5

b8686eb397b6f0cdafce7ae4cc3927d9
SHA1

cf2e6c163ec592095941d95e7e1fffa2d556b114
SHA256

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843
SHA512

adac4ebddaa99f1bf2444cc4d160cbf4e6eaff8397c15017cc9f444e05985c03a5fa1bf5ed0068d0af5f31aa82a37d968635cc4a8cf81016967d0409297c5431

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

Drops file in System32 directory 64 IoCs

Processes:

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.0 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Etherlords II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 8.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinAce 2.2 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 Rush Hour No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Quake 4 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashGet 1.3 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Wars - Knights of the Old Republic Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hitman II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Enemy Territory No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 4 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior 5 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 8.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2004 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Praetorians Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Thief II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GetRight 5.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\LingoWare 3.0 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - The Two Towers Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\World War II - Frontline Command Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\IconPackager 2.12 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Halo Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 8.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.03 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Midtown Madness 2 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Knights of the Temple No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2004 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2004 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\The Sims Superstar Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief II Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\DOOM III Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Download Manager 3.15 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\F1 2002 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 5.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Half-Life 2 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Quake IV No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DOOM 3 No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lords of the Realm III No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Armor2net Personal Firewall 3.1 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Soul Reaver 3 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Wonders II - Shadow Magic Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 Rush Hour Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Madden NFL 2003 Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Divx 5.x Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Splinter Cell No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\LingoWare 3.0 Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars Jedi Knight - Jedi Academy Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File created	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Serial Generator.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Knights of the Temple No-Cd Crack.exe	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe

description	pid	process	target process
PID 3872 wrote to memory of 3552	3872	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe
PID 3872 wrote to memory of 3552	3872	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe
PID 3872 wrote to memory of 3552	3872	423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe
"C:\Users\Admin\AppData\Local\Temp\423eb3ee1dca6dac105f68812619c8d77643dbb0d082ae24ef7fc42b93d3e843.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
2⤵
PID:3552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat
MD5
e5c16518d9bc9565a3c2074170a04490

SHA1
db97d2ae53737f43badcfb298c6eb2952c22b4ff

SHA256
7ed516ddd607ef5f3c6e5a4294143f36cacdda0b004e8e949075e6981617f0e9

SHA512
864285ee2ee2a734b5a04a64a7ba7d74686334ff9d66b843f287fd4a9502daf7e4c19ac55cfefdc31d1b1c264b60d7f83d27da3a330795d4583ff78c99c87bd6

Download Submit
memory/3552-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads