xmrig | 09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37

General

Target

09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
Size

4.0MB
MD5

728f38d39c035cd7908cac6c22cb3f46
SHA1

55d9caf8c3e95a66bc57cd3e6732ec871792badd
SHA256

09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37
SHA512

12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/576-138-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/576-139-0x0000000140310068-mapping.dmp	xmrig
behavioral1/memory/576-141-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

runtimebroker64x.exesihost64.exe

pid process

776 runtimebroker64x.exe
2752 sihost64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

runtimebroker64x.exe

description pid process target process

PID 776 set thread context of 576 776 runtimebroker64x.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1176 schtasks.exe

pid	process
776	runtimebroker64x.exe
2752	sihost64.exe

description	pid	process	target process
PID 776 set thread context of 576	776	runtimebroker64x.exe	explorer.exe

pid	process
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exeruntimebroker64x.exeexplorer.exe

pid	process
3060	09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
776	runtimebroker64x.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exeruntimebroker64x.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3060	09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
Token: SeDebugPrivilege	776	runtimebroker64x.exe
Token: SeLockMemoryPrivilege	576	explorer.exe
Token: SeLockMemoryPrivilege	576	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.execmd.execmd.exeruntimebroker64x.exe

description	pid	process	target process
PID 3060 wrote to memory of 592	3060	09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe	cmd.exe
PID 3060 wrote to memory of 592	3060	09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe	cmd.exe
PID 592 wrote to memory of 1176	592	cmd.exe	schtasks.exe
PID 592 wrote to memory of 1176	592	cmd.exe	schtasks.exe
PID 3060 wrote to memory of 1484	3060	09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe	cmd.exe
PID 3060 wrote to memory of 1484	3060	09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe	cmd.exe
PID 1484 wrote to memory of 776	1484	cmd.exe	runtimebroker64x.exe
PID 1484 wrote to memory of 776	1484	cmd.exe	runtimebroker64x.exe
PID 776 wrote to memory of 2752	776	runtimebroker64x.exe	sihost64.exe
PID 776 wrote to memory of 2752	776	runtimebroker64x.exe	sihost64.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe
PID 776 wrote to memory of 576	776	runtimebroker64x.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
"C:\Users\Admin\AppData\Local\Temp\09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimebroker64x" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "runtimebroker64x" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
3⤵
- Creates scheduled task(s)
PID:1176

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2752

C:\Windows\explorer.exe
C:\Windows\explorer.exe bsjqdsgfph1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWSp0aN2gplT4NdxBcWRue+M1Jpa0OJpGvqnNi/CnIRVBtwYcUcBsTgJlURiqnaO0woILJyz0/0D0hJDZynRQ08qFq5P7/mbUB8II5CjRnh9NHfqCnnlw3RFcA8Z2LbiFadHSPio9cwS2aQjdkPVHBZAKU2n9xqm7rcBx5TMMAyEjRsdDYLMfmxpPDS7CwfGIxZjlwbzdxRwQIMxNxbs51UKMXSMHHCcOx+8aW4ZlO8qkDAH3hfPQAc0kllEA2DI5VL1XJgHoZtXYR1kI83nuYGjD9EAoHG29TcNPUPSC06OX+ik6/te/jCtGrEUOkA6mMzzArmAi3dt62G9e0ZRNwbPMxstE0K7SVu2ZKFLBIR5r1WoiVpBdcmeO4s0+5L8WnjvesBddnCVrPjdOU21U+MA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
MD5
728f38d39c035cd7908cac6c22cb3f46

SHA1
55d9caf8c3e95a66bc57cd3e6732ec871792badd

SHA256
09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37

SHA512
12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
MD5
728f38d39c035cd7908cac6c22cb3f46

SHA1
55d9caf8c3e95a66bc57cd3e6732ec871792badd

SHA256
09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37

SHA512
12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
9ffb415e287a7ae2f14ab0c7387b2b1d

SHA1
b4f83a40c8d02012ca97d04f68d6c26381c32da6

SHA256
06328631b2b0a279cc61136ac7e3e0d98cd5acff70013c1b41781504c21a2957

SHA512
7ccf979d4ca65589049067fdd5f01a53a2f90f7174b5d9df62aa1f3b601844a26e9bca9cb940d1f87b3fafb754a5adf2b73afee727a129e9dc133f740dc7ed4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
9ffb415e287a7ae2f14ab0c7387b2b1d

SHA1
b4f83a40c8d02012ca97d04f68d6c26381c32da6

SHA256
06328631b2b0a279cc61136ac7e3e0d98cd5acff70013c1b41781504c21a2957

SHA512
7ccf979d4ca65589049067fdd5f01a53a2f90f7174b5d9df62aa1f3b601844a26e9bca9cb940d1f87b3fafb754a5adf2b73afee727a129e9dc133f740dc7ed4a

Download Submit
memory/576-141-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/576-138-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/576-146-0x00000000028E0000-0x0000000002900000-memory.dmp

Filesize
128KB

Download
memory/576-145-0x00000000028C0000-0x00000000028E0000-memory.dmp

Filesize
128KB

Download
memory/576-144-0x0000000002890000-0x00000000028B0000-memory.dmp

Filesize
128KB

Download
memory/576-143-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/576-142-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/576-140-0x00000000009C0000-0x00000000009E0000-memory.dmp

Filesize
128KB

Download
memory/576-139-0x0000000140310068-mapping.dmp

Download
memory/592-122-0x0000000000000000-mapping.dmp

Download
memory/776-131-0x000000001C720000-0x000000001C722000-memory.dmp

Filesize
8KB

Download
memory/776-125-0x0000000000000000-mapping.dmp

Download
memory/1176-123-0x0000000000000000-mapping.dmp

Download
memory/1484-124-0x0000000000000000-mapping.dmp

Download
memory/2752-137-0x000000001C160000-0x000000001C162000-memory.dmp

Filesize
8KB

Download
memory/2752-135-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2752-132-0x0000000000000000-mapping.dmp

Download
memory/3060-120-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/3060-118-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3060-121-0x000000001C580000-0x000000001C582000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads