xmrig | 5718b9d98c2b5f09acf7c2d46f24f0da693fff624908199d999b778983c8ee6c

General

Target

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
Size

5.2MB
MD5

2e025daacfe1def8ac1fa48820d2c8ce
SHA1

86da098c8b04844ca54c35429d77cdd3273754e3
SHA256

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8
SHA512

43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1468 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe

pid process

2016 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe

pid	process
1468	svchost.exe

pid	process
2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe

Drops file in Windows directory 4 IoCs

Processes:

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File created	C:\Windows\System\svchost.exe	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File opened for modification	C:\Windows\System\svchost.exe	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exepowershell.exe

pid process

592 powershell.exe
2016 7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
1924 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 592 powershell.exe
Token: SeDebugPrivilege 1924 powershell.exe

pid	process
1496	schtasks.exe

pid	process
592	powershell.exe
2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
1924	powershell.exe

description	pid	process
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exesvchost.exe

description	pid	process	target process
PID 2016 wrote to memory of 592	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	powershell.exe
PID 2016 wrote to memory of 592	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	powershell.exe
PID 2016 wrote to memory of 592	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	powershell.exe
PID 2016 wrote to memory of 1828	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 2016 wrote to memory of 1828	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 2016 wrote to memory of 1828	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 2016 wrote to memory of 640	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 2016 wrote to memory of 640	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 2016 wrote to memory of 640	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 2016 wrote to memory of 1496	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	schtasks.exe
PID 2016 wrote to memory of 1496	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	schtasks.exe
PID 2016 wrote to memory of 1496	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	schtasks.exe
PID 2016 wrote to memory of 1468	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	svchost.exe
PID 2016 wrote to memory of 1468	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	svchost.exe
PID 2016 wrote to memory of 1468	2016	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	svchost.exe
PID 1468 wrote to memory of 1924	1468	svchost.exe	powershell.exe
PID 1468 wrote to memory of 1924	1468	svchost.exe	powershell.exe
PID 1468 wrote to memory of 1924	1468	svchost.exe	powershell.exe
PID 1468 wrote to memory of 1584	1468	svchost.exe	netsh.exe
PID 1468 wrote to memory of 1584	1468	svchost.exe	netsh.exe
PID 1468 wrote to memory of 1584	1468	svchost.exe	netsh.exe
PID 1468 wrote to memory of 1664	1468	svchost.exe	netsh.exe
PID 1468 wrote to memory of 1664	1468	svchost.exe	netsh.exe
PID 1468 wrote to memory of 1664	1468	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
"C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
PID:1828

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
PID:640

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:1584

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
2c9d71907f9d839af00e4ebd8d15340b

SHA1
3856b534059349b0233c55b8f328ca58f30875ca

SHA256
57360d85e677365f6fd01592a63d84539d454e56f0996340dd345ac091fcba69

SHA512
2d1c45b118ea98b24cc6bc780dbe683820d29fe49d7fe05956c845208b488c8cb41e77fa27a23a2525bc64632cc8494078a8dcbf6c014578b0cf3194b1fc2a73

Download Submit
C:\Windows\system\svchost.exe
MD5
2e025daacfe1def8ac1fa48820d2c8ce

SHA1
86da098c8b04844ca54c35429d77cdd3273754e3

SHA256
7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8

SHA512
43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Download Submit
\Windows\system\svchost.exe
MD5
2e025daacfe1def8ac1fa48820d2c8ce

SHA1
86da098c8b04844ca54c35429d77cdd3273754e3

SHA256
7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8

SHA512
43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Download Submit
memory/592-64-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download
memory/592-58-0x0000000000000000-mapping.dmp

Download
memory/592-61-0x000007FEF20B0000-0x000007FEF2C0D000-memory.dmp

Filesize
11.4MB

Download
memory/592-72-0x0000000001F6B000-0x0000000001F8A000-memory.dmp

Filesize
124KB

Download
memory/592-63-0x0000000001F62000-0x0000000001F64000-memory.dmp

Filesize
8KB

Download
memory/592-62-0x0000000001F60000-0x0000000001F62000-memory.dmp

Filesize
8KB

Download
memory/592-65-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/640-67-0x0000000000000000-mapping.dmp

Download
memory/1468-73-0x0000000000000000-mapping.dmp

Download
memory/1468-92-0x000000001049F000-0x00000000104C7000-memory.dmp

Filesize
160KB

Download
memory/1468-90-0x000000001037E000-0x000000001049F000-memory.dmp

Filesize
1.1MB

Download
memory/1468-89-0x0000000010001000-0x0000000010363000-memory.dmp

Filesize
3.4MB

Download
memory/1496-68-0x0000000000000000-mapping.dmp

Download
memory/1584-86-0x0000000000000000-mapping.dmp

Download
memory/1664-88-0x0000000000000000-mapping.dmp

Download
memory/1828-66-0x0000000000000000-mapping.dmp

Download
memory/1924-82-0x000007FEF20B0000-0x000007FEF2C0D000-memory.dmp

Filesize
11.4MB

Download
memory/1924-83-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/1924-84-0x00000000023B2000-0x00000000023B4000-memory.dmp

Filesize
8KB

Download
memory/1924-85-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/1924-79-0x0000000000000000-mapping.dmp

Download
memory/1924-87-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/2016-55-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2016-56-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2016-59-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2016-54-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2016-57-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads