xmrig | 8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef

General

Target

8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe
Size

4.1MB
MD5

af9babf45fc68f5ffb60df235e3d2ef4
SHA1

301ead0ebc07ccd4f7f6fe28268cb56d2e165bd3
SHA256

8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef
SHA512

fa590018fdc6da0077cdc2c666fe622dc44ca098837a6abff1e2d9e1c7b2d09eadeea4db35bfbddfd38a8135d6d15b29abb7b90d4cc95588f30b9fecdfb45586

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1472-156-0x000000014036DB84-mapping.dmp	xmrig
behavioral1/memory/1472-155-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1472-157-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1472-158-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1472-160-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1796 updater.exe

pid	process
1796	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 5048 set thread context of 2032	5048	conhost.exe	conhost.exe
PID 5048 set thread context of 1472	5048	conhost.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4204 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

conhost.execonhost.exe

pid process

4812 conhost.exe
5048 conhost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
4204	schtasks.exe

pid	process
4812	conhost.exe
5048	conhost.exe

pid	process
668

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

conhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4812	conhost.exe
Token: SeShutdownPrivilege	848	powercfg.exe
Token: SeCreatePagefilePrivilege	848	powercfg.exe
Token: SeShutdownPrivilege	4144	powercfg.exe
Token: SeCreatePagefilePrivilege	4144	powercfg.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeCreatePagefilePrivilege	2732	powercfg.exe
Token: SeShutdownPrivilege	4836	powercfg.exe
Token: SeCreatePagefilePrivilege	4836	powercfg.exe
Token: SeDebugPrivilege	5048	conhost.exe
Token: SeShutdownPrivilege	960	powercfg.exe
Token: SeCreatePagefilePrivilege	960	powercfg.exe
Token: SeShutdownPrivilege	2300	powercfg.exe
Token: SeCreatePagefilePrivilege	2300	powercfg.exe
Token: SeShutdownPrivilege	3640	powercfg.exe
Token: SeCreatePagefilePrivilege	3640	powercfg.exe
Token: SeShutdownPrivilege	4100	powercfg.exe
Token: SeCreatePagefilePrivilege	4100	powercfg.exe
Token: SeLockMemoryPrivilege	1472	svchost.exe
Token: SeLockMemoryPrivilege	1472	svchost.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.execonhost.execmd.execmd.execmd.exeupdater.execonhost.execmd.exe

description	pid	process	target process
PID 2360 wrote to memory of 4812	2360	8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe	conhost.exe
PID 2360 wrote to memory of 4812	2360	8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe	conhost.exe
PID 2360 wrote to memory of 4812	2360	8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe	conhost.exe
PID 4812 wrote to memory of 4044	4812	conhost.exe	cmd.exe
PID 4812 wrote to memory of 4044	4812	conhost.exe	cmd.exe
PID 4044 wrote to memory of 848	4044	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 848	4044	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 4144	4044	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 4144	4044	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 2732	4044	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 2732	4044	cmd.exe	powercfg.exe
PID 4812 wrote to memory of 2344	4812	conhost.exe	cmd.exe
PID 4812 wrote to memory of 2344	4812	conhost.exe	cmd.exe
PID 4044 wrote to memory of 4836	4044	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 4836	4044	cmd.exe	powercfg.exe
PID 2344 wrote to memory of 4204	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 4204	2344	cmd.exe	schtasks.exe
PID 4812 wrote to memory of 212	4812	conhost.exe	cmd.exe
PID 4812 wrote to memory of 212	4812	conhost.exe	cmd.exe
PID 212 wrote to memory of 4132	212	cmd.exe	schtasks.exe
PID 212 wrote to memory of 4132	212	cmd.exe	schtasks.exe
PID 1796 wrote to memory of 5048	1796	updater.exe	conhost.exe
PID 1796 wrote to memory of 5048	1796	updater.exe	conhost.exe
PID 1796 wrote to memory of 5048	1796	updater.exe	conhost.exe
PID 5048 wrote to memory of 1244	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 1244	5048	conhost.exe	cmd.exe
PID 1244 wrote to memory of 960	1244	cmd.exe	powercfg.exe
PID 1244 wrote to memory of 960	1244	cmd.exe	powercfg.exe
PID 1244 wrote to memory of 2300	1244	cmd.exe	powercfg.exe
PID 1244 wrote to memory of 2300	1244	cmd.exe	powercfg.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 1244 wrote to memory of 3640	1244	cmd.exe	powercfg.exe
PID 1244 wrote to memory of 3640	1244	cmd.exe	powercfg.exe
PID 1244 wrote to memory of 4100	1244	cmd.exe	powercfg.exe
PID 1244 wrote to memory of 4100	1244	cmd.exe	powercfg.exe
PID 5048 wrote to memory of 2032	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe
PID 5048 wrote to memory of 1472	5048	conhost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe
"C:\Users\Admin\AppData\Local\Temp\8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe^"'
3⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe"'
4⤵
- Creates scheduled task(s)
PID:4204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe ynjmoqjfk0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRSWr9mZW0WjQ8Zp6uvmLE6dag+TZlTAmoHzamq8sbNpoaqoauUZ0S0h88ZgZioXPZB5uzHY0xuablZYwN52Eab97q6keLIVJGsieGeSZMPVPgbRKaS2ICjkOPADAdCfEegtUAWNdA43I6HKnjqpUvxs/FTscOD9uQHYfwbeYlDHbQIeL8ARzbcl8639igLUT0XcEhIMz0NjnxRyIMKFoAaleWNBCuFOP5AhRzVhN8khO7kwKV5axfQBr099VbVb4ALNnWXFWSxz+U886bYffNs1n8Iih+3q87/C/1qyPJbTcoWFcI3ftLcZqdykLXKUvhAcJo/LE2jiYZWq+Pp/BgA
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
8add56521ef894ef0c66ecd3e989d718

SHA1
2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

SHA256
01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

SHA512
af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
af9babf45fc68f5ffb60df235e3d2ef4

SHA1
301ead0ebc07ccd4f7f6fe28268cb56d2e165bd3

SHA256
8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef

SHA512
fa590018fdc6da0077cdc2c666fe622dc44ca098837a6abff1e2d9e1c7b2d09eadeea4db35bfbddfd38a8135d6d15b29abb7b90d4cc95588f30b9fecdfb45586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
af9babf45fc68f5ffb60df235e3d2ef4

SHA1
301ead0ebc07ccd4f7f6fe28268cb56d2e165bd3

SHA256
8a0e4ffb3a92941c38f7ad6eb259b4f761020bab5b7dad169bca31eee4c574ef

SHA512
fa590018fdc6da0077cdc2c666fe622dc44ca098837a6abff1e2d9e1c7b2d09eadeea4db35bfbddfd38a8135d6d15b29abb7b90d4cc95588f30b9fecdfb45586

Download Submit
memory/212-139-0x0000000000000000-mapping.dmp

Download
memory/848-131-0x0000000000000000-mapping.dmp

Download
memory/960-145-0x0000000000000000-mapping.dmp

Download
memory/1244-144-0x0000000000000000-mapping.dmp

Download
memory/1472-160-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1472-156-0x000000014036DB84-mapping.dmp

Download
memory/1472-155-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1472-157-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1472-158-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1472-159-0x000002AE73FB0000-0x000002AE73FD0000-memory.dmp

Filesize
128KB

Download
memory/1472-161-0x000002AE74580000-0x000002AE745C0000-memory.dmp

Filesize
256KB

Download
memory/2032-150-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-153-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-151-0x0000000000401BEA-mapping.dmp

Download
memory/2300-146-0x0000000000000000-mapping.dmp

Download
memory/2344-135-0x0000000000000000-mapping.dmp

Download
memory/2732-134-0x0000000000000000-mapping.dmp

Download
memory/3640-147-0x0000000000000000-mapping.dmp

Download
memory/4044-130-0x0000000000000000-mapping.dmp

Download
memory/4100-148-0x0000000000000000-mapping.dmp

Download
memory/4132-140-0x0000000000000000-mapping.dmp

Download
memory/4144-132-0x0000000000000000-mapping.dmp

Download
memory/4204-138-0x0000000000000000-mapping.dmp

Download
memory/4812-133-0x000001AF7DE50000-0x000001AF7E269000-memory.dmp

Filesize
4.1MB

Download
memory/4812-137-0x00007FFAB70A0000-0x00007FFAB7B61000-memory.dmp

Filesize
10.8MB

Download
memory/4836-136-0x0000000000000000-mapping.dmp

Download
memory/5048-149-0x00007FFAB71C0000-0x00007FFAB7C81000-memory.dmp

Filesize
10.8MB

Download
memory/5048-154-0x00000202A51C0000-0x00000202A51D2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads