xmrig | 269418090e8be5de1625ff26c789f5be7be2ed5d690328647152ecb4d540f3ab

General

Target

cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
Size

534KB
MD5

ad32f5c567edf16aba5dfedbd527084a
SHA1

9fbf7632af542f4e50b60d849518bb840544f1a6
SHA256

cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871
SHA512

20900fbd14dd4fb13ea7757fcebaf6cd130be1201f02320e7d70f203eb629eb2b983af121fe4f63719c25565490d140c10ad7ae382d7effca4e6ca9de6d8ef6e

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

WinSrv.exe

pid process

4020 WinSrv.exe

pid	process
4020	WinSrv.exe

Drops file in System32 directory 24 IoCs

Processes:

WinSrv.execd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\00E8B2222155EE2FA685572BF7181C12	WinSrv.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\GT4UB25K.cookie	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PFTCWXWZ.cookie	WinSrv.exe
File created	C:\Windows\SysWOW64\WinSrv.exe	cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\00E8B2222155EE2FA685572BF7181C12	WinSrv.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\85IY7IKF.cookie	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\85IY7IKF.cookie	WinSrv.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PFTCWXWZ.cookie	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\GT4UB25K.cookie	WinSrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WinSrv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WinSrv.exe

description pid process target process

PID 4020 set thread context of 4032 4020 WinSrv.exe svchost.exe

description	pid	process	target process
PID 4020 set thread context of 4032	4020	WinSrv.exe	svchost.exe

Modifies data under HKEY_USERS 11 IoCs

Processes:

WinSrv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WinSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WinSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WinSrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WinSrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WinSrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WinSrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	WinSrv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	WinSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WinSrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WinSrv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WinSrv.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WinSrv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WinSrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WinSrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exeWinSrv.exesvchost.exe

pid	process
3600	cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
3600	cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
4020	WinSrv.exe
4020	WinSrv.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4032	svchost.exe
4020	WinSrv.exe
4020	WinSrv.exe
4032	svchost.exe
4032	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WinSrv.execd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe

description	pid	process	target process
PID 4020 wrote to memory of 4032	4020	WinSrv.exe	svchost.exe
PID 4020 wrote to memory of 4032	4020	WinSrv.exe	svchost.exe
PID 4020 wrote to memory of 4032	4020	WinSrv.exe	svchost.exe
PID 4020 wrote to memory of 4032	4020	WinSrv.exe	svchost.exe
PID 4020 wrote to memory of 4032	4020	WinSrv.exe	svchost.exe
PID 3600 wrote to memory of 60	3600	cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe	cmd.exe
PID 3600 wrote to memory of 60	3600	cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe	cmd.exe
PID 3600 wrote to memory of 60	3600	cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe
"C:\Users\Admin\AppData\Local\Temp\cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\cmd.exe
/c del C:\Users\Admin\AppData\Local\Temp\cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871.exe >> NUL
2⤵
PID:60

C:\Windows\SysWOW64\WinSrv.exe
C:\Windows\SysWOW64\WinSrv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinSrv.exe
MD5
ad32f5c567edf16aba5dfedbd527084a

SHA1
9fbf7632af542f4e50b60d849518bb840544f1a6

SHA256
cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871

SHA512
20900fbd14dd4fb13ea7757fcebaf6cd130be1201f02320e7d70f203eb629eb2b983af121fe4f63719c25565490d140c10ad7ae382d7effca4e6ca9de6d8ef6e

Download Submit
C:\Windows\SysWOW64\WinSrv.exe
MD5
ad32f5c567edf16aba5dfedbd527084a

SHA1
9fbf7632af542f4e50b60d849518bb840544f1a6

SHA256
cd2eb403d51be7281c7166a1a88707d768e547197c853263213da955446dd871

SHA512
20900fbd14dd4fb13ea7757fcebaf6cd130be1201f02320e7d70f203eb629eb2b983af121fe4f63719c25565490d140c10ad7ae382d7effca4e6ca9de6d8ef6e

Download Submit
memory/60-123-0x0000000000000000-mapping.dmp

Download
memory/3600-116-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3600-115-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4020-120-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4020-119-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/4032-121-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4032-122-0x000000000040178D-mapping.dmp

Download
memory/4032-124-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4032-125-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads