xmrig | 5718b9d98c2b5f09acf7c2d46f24f0da693fff624908199d999b778983c8ee6c

General

Target

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
Size

5.2MB
MD5

2e025daacfe1def8ac1fa48820d2c8ce
SHA1

86da098c8b04844ca54c35429d77cdd3273754e3
SHA256

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8
SHA512

43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2340 svchost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2340	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exesvchost.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File created	C:\Windows\System\svchost.exe	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File opened for modification	C:\Windows\System\svchost.exe	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1300 schtasks.exe

pid	process
1300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exepowershell.exe

pid	process
3476	powershell.exe
3476	powershell.exe
3476	powershell.exe
1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeIncreaseQuotaPrivilege	3476	powershell.exe
Token: SeSecurityPrivilege	3476	powershell.exe
Token: SeTakeOwnershipPrivilege	3476	powershell.exe
Token: SeLoadDriverPrivilege	3476	powershell.exe
Token: SeSystemProfilePrivilege	3476	powershell.exe
Token: SeSystemtimePrivilege	3476	powershell.exe
Token: SeProfSingleProcessPrivilege	3476	powershell.exe
Token: SeIncBasePriorityPrivilege	3476	powershell.exe
Token: SeCreatePagefilePrivilege	3476	powershell.exe
Token: SeBackupPrivilege	3476	powershell.exe
Token: SeRestorePrivilege	3476	powershell.exe
Token: SeShutdownPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeSystemEnvironmentPrivilege	3476	powershell.exe
Token: SeRemoteShutdownPrivilege	3476	powershell.exe
Token: SeUndockPrivilege	3476	powershell.exe
Token: SeManageVolumePrivilege	3476	powershell.exe
Token: 33	3476	powershell.exe
Token: 34	3476	powershell.exe
Token: 35	3476	powershell.exe
Token: 36	3476	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeIncreaseQuotaPrivilege	3032	powershell.exe
Token: SeSecurityPrivilege	3032	powershell.exe
Token: SeTakeOwnershipPrivilege	3032	powershell.exe
Token: SeLoadDriverPrivilege	3032	powershell.exe
Token: SeSystemProfilePrivilege	3032	powershell.exe
Token: SeSystemtimePrivilege	3032	powershell.exe
Token: SeProfSingleProcessPrivilege	3032	powershell.exe
Token: SeIncBasePriorityPrivilege	3032	powershell.exe
Token: SeCreatePagefilePrivilege	3032	powershell.exe
Token: SeBackupPrivilege	3032	powershell.exe
Token: SeRestorePrivilege	3032	powershell.exe
Token: SeShutdownPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeSystemEnvironmentPrivilege	3032	powershell.exe
Token: SeRemoteShutdownPrivilege	3032	powershell.exe
Token: SeUndockPrivilege	3032	powershell.exe
Token: SeManageVolumePrivilege	3032	powershell.exe
Token: 33	3032	powershell.exe
Token: 34	3032	powershell.exe
Token: 35	3032	powershell.exe
Token: 36	3032	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exesvchost.exe

description	pid	process	target process
PID 1924 wrote to memory of 3476	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	powershell.exe
PID 1924 wrote to memory of 3476	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	powershell.exe
PID 1924 wrote to memory of 2724	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 1924 wrote to memory of 2724	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 1924 wrote to memory of 4084	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 1924 wrote to memory of 4084	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	netsh.exe
PID 1924 wrote to memory of 1300	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	schtasks.exe
PID 1924 wrote to memory of 1300	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	schtasks.exe
PID 1924 wrote to memory of 2340	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	svchost.exe
PID 1924 wrote to memory of 2340	1924	7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe	svchost.exe
PID 2340 wrote to memory of 3032	2340	svchost.exe	powershell.exe
PID 2340 wrote to memory of 3032	2340	svchost.exe	powershell.exe
PID 2340 wrote to memory of 3832	2340	svchost.exe	netsh.exe
PID 2340 wrote to memory of 3832	2340	svchost.exe	netsh.exe
PID 2340 wrote to memory of 2960	2340	svchost.exe	netsh.exe
PID 2340 wrote to memory of 2960	2340	svchost.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe
"C:\Users\Admin\AppData\Local\Temp\7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
PID:2724

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
PID:4084

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:3832

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4f9b8fbed10ac49f5b0a5425dac93a0b

SHA1
003b374218cdb742e7855b1a1742be17e0b9d414

SHA256
a4be16999ff3c84e059c2513754c6912ae7598dce9f4ad16c339afc8c4607a7d

SHA512
9ea70a13bd106c3e892a8ef1a190aa7afc05baebce108d0e961c3c6274d2faa95360dbedabc7eea789521212264676e880eaafa87df0dcb9bbf9e6d3d3e81cca

Download Submit
C:\Windows\System\svchost.exe
MD5
2e025daacfe1def8ac1fa48820d2c8ce

SHA1
86da098c8b04844ca54c35429d77cdd3273754e3

SHA256
7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8

SHA512
43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Download Submit
C:\Windows\System\svchost.exe
MD5
2e025daacfe1def8ac1fa48820d2c8ce

SHA1
86da098c8b04844ca54c35429d77cdd3273754e3

SHA256
7fba11e6cf45e2b1f27fa0011e65c00c71c227d151eb4ed7975e50320f9e26c8

SHA512
43c42d5817c59478890b6ab6520bb179960010434b3d114976528f475c331f1e6f69d93e7d7639da75c0ac00b5462825e4e53a830278e58f72cb2b7138454e9d

Download Submit
memory/1300-158-0x0000000000000000-mapping.dmp

Download
memory/1924-118-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/1924-117-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/1924-115-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/1924-116-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2340-162-0x0000000140000000-0x0000000140632400-memory.dmp

Filesize
6.2MB

Download
memory/2340-159-0x0000000000000000-mapping.dmp

Download
memory/2724-156-0x0000000000000000-mapping.dmp

Download
memory/2960-213-0x0000000000000000-mapping.dmp

Download
memory/3032-178-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-183-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-169-0x0000000000000000-mapping.dmp

Download
memory/3032-180-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-175-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-181-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-174-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-179-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-173-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-185-0x0000018827D50000-0x0000018827D52000-memory.dmp

Filesize
8KB

Download
memory/3032-186-0x0000018827D56000-0x0000018827D58000-memory.dmp

Filesize
8KB

Download
memory/3032-187-0x0000018827D53000-0x0000018827D55000-memory.dmp

Filesize
8KB

Download
memory/3032-172-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3032-211-0x0000018827D58000-0x0000018827D59000-memory.dmp

Filesize
4KB

Download
memory/3032-171-0x000001880DE40000-0x000001880DE42000-memory.dmp

Filesize
8KB

Download
memory/3476-129-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-125-0x000001A616310000-0x000001A616311000-memory.dmp

Filesize
4KB

Download
memory/3476-165-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-134-0x000001A62E893000-0x000001A62E895000-memory.dmp

Filesize
8KB

Download
memory/3476-119-0x0000000000000000-mapping.dmp

Download
memory/3476-120-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-135-0x000001A62E896000-0x000001A62E898000-memory.dmp

Filesize
8KB

Download
memory/3476-133-0x000001A62E890000-0x000001A62E892000-memory.dmp

Filesize
8KB

Download
memory/3476-131-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-130-0x000001A630970000-0x000001A630971000-memory.dmp

Filesize
4KB

Download
memory/3476-128-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-127-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-126-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-166-0x000001A62E898000-0x000001A62E899000-memory.dmp

Filesize
4KB

Download
memory/3476-124-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-123-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-122-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3476-121-0x000001A614870000-0x000001A614872000-memory.dmp

Filesize
8KB

Download
memory/3832-212-0x0000000000000000-mapping.dmp

Download
memory/4084-157-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads