xmrig | 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a

General

Target

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
Size

5.2MB
MD5

b8a9c4416fda57f7f6c2a9f714ccddf7
SHA1

7364b591eb1f949c8df4d9ec99300accb12f3932
SHA256

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a
SHA512

f018f8cab0cb9ed08a70036009f20072729d13b9e73bc3ef7ade2218e5b54dc110747c6e660136a6c248d57ab983c8d935648ac1fb8b08bfc87221bf0a52ef89

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4392-135-0x0000000000400000-0x00000000013AE000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

taskshell.exe

pid process

4392 taskshell.exe

pid	process
4392	taskshell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\WMI Provider Host\\taskshell.exe"	89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

pid process

3272 89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

pid	process
3272	89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exetaskshell.exe

description	pid	process
Token: SeDebugPrivilege	3272	89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
Token: SeLockMemoryPrivilege	4392	taskshell.exe
Token: SeLockMemoryPrivilege	4392	taskshell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe

description	pid	process	target process
PID 3272 wrote to memory of 4392	3272	89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe	taskshell.exe
PID 3272 wrote to memory of 4392	3272	89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe	taskshell.exe

C:\Users\Admin\AppData\Local\Temp\89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe
"C:\Users\Admin\AppData\Local\Temp\89a8d0cbbf372598047ee4a28c4d8a8b475e9af932fd043916b423ff6919355a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272

C:\ProgramData\WMI Provider Host\taskshell.exe
"C:\ProgramData\WMI Provider Host\taskshell.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WMI Provider Host\config.json
Filesize
2KB

MD5
7e4f178a012ae8d777805a493169d93d

SHA1
7e1282eaa2f36ff2abc6bf1eb64b375b47d84122

SHA256
1e6401bfde7dedb96cc2dd87dcc0083293113c2414dd5d3d27c4633963ce85e2

SHA512
0a543c178546b85d181813e8d7a815e827c030d99ac1f31711a51f616f39100562372459e1d484450a863e1fdcbf79f03e790b80c19994dfc22384d96844fe11

Download Submit
C:\ProgramData\WMI Provider Host\taskshell.exe
Filesize
5.1MB

MD5
b7171cde96b09f4d3bdb3b2bb510dec9

SHA1
934ba3b48a0235b18bdfdc62cb62601eb20ab653

SHA256
3cd3732916ceb1386d540de478b0a743666b9d98b8d8f2fe9364029d8d6266ab

SHA512
fafa112e3e82161b5a5d416aa311b707575fd373e7db4ac86ee056d249bdeaf9e3e8ce16b34480d703a59f253445c33ff2237f27564d364ffc2c2b45d23f5447

Download Submit
memory/3272-130-0x0000000000B00000-0x0000000001032000-memory.dmp

Filesize
5.2MB

Download
memory/3272-131-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/3272-134-0x0000000006B30000-0x0000000006BC2000-memory.dmp

Filesize
584KB

Download
memory/4392-132-0x0000000000000000-mapping.dmp

Download
memory/4392-135-0x0000000000400000-0x00000000013AE000-memory.dmp

Filesize
15.7MB

Download
memory/4392-140-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads