xmrig | 6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1

General

Target

6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
Size

17.8MB
MD5

d9ac013439b130beb75112a9a283e8ad
SHA1

d9af31324653804281830aeb9f3214e0cc1a6c4f
SHA256

6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1
SHA512

967ffe9896730239e8e39f8856e25787aeb15d69aba04e4d8842795f5ed20b821f948e53afdcb87f9a4791aaaefabc4b4a28cc0c8ab572016843e4af04990a91

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1444-126-0x00000001402A7C88-mapping.dmp	xmrig
behavioral1/memory/1444-125-0x0000000140000000-0x0000000140703000-memory.dmp	xmrig
behavioral1/memory/1444-129-0x0000000140000000-0x0000000140703000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3020 svchost.exe
Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

pid	process
3020	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3020 set thread context of 1444 3020 svchost.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3020 set thread context of 1444	3020	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe

pid	process
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
Token: SeDebugPrivilege	3020	svchost.exe
Token: SeLockMemoryPrivilege	1444	svchost.exe
Token: SeLockMemoryPrivilege	1444	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exesvchost.exe

description	pid	process	target process
PID 2096 wrote to memory of 3020	2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe	svchost.exe
PID 2096 wrote to memory of 3020	2096	6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe
PID 3020 wrote to memory of 1444	3020	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe
"C:\Users\Admin\AppData\Local\Temp\6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -B --coin=monero --url=xmr.pool.minergate.com:45700 --user=asenevaolga@gmail.com --pass= --cpu-max-threads-hint=50 --donate-level=4
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
d9ac013439b130beb75112a9a283e8ad

SHA1
d9af31324653804281830aeb9f3214e0cc1a6c4f

SHA256
6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1

SHA512
967ffe9896730239e8e39f8856e25787aeb15d69aba04e4d8842795f5ed20b821f948e53afdcb87f9a4791aaaefabc4b4a28cc0c8ab572016843e4af04990a91

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
d9ac013439b130beb75112a9a283e8ad

SHA1
d9af31324653804281830aeb9f3214e0cc1a6c4f

SHA256
6c18b1e5a90977b48b5b9ce94b03c46665b1c9c305e9dd3e4eaec9e2fe1679d1

SHA512
967ffe9896730239e8e39f8856e25787aeb15d69aba04e4d8842795f5ed20b821f948e53afdcb87f9a4791aaaefabc4b4a28cc0c8ab572016843e4af04990a91

Download Submit
memory/1444-128-0x000001F58CA20000-0x000001F58CA34000-memory.dmp

Filesize
80KB

Download
memory/1444-131-0x000001F58CAA0000-0x000001F58CAC0000-memory.dmp

Filesize
128KB

Download
memory/1444-130-0x000001F58CA80000-0x000001F58CAA0000-memory.dmp

Filesize
128KB

Download
memory/1444-129-0x0000000140000000-0x0000000140703000-memory.dmp

Filesize
7.0MB

Download
memory/1444-126-0x00000001402A7C88-mapping.dmp

Download
memory/1444-125-0x0000000140000000-0x0000000140703000-memory.dmp

Filesize
7.0MB

Download
memory/2096-115-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3020-124-0x00000000025F0000-0x00000000025F2000-memory.dmp

Filesize
8KB

Download
memory/3020-127-0x000000001E303000-0x000000001E304000-memory.dmp

Filesize
4KB

Download
memory/3020-123-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/3020-122-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3020-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads