xmrig | 54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf

General

Target

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
Size

1.1MB
MD5

095cb62a0daf1fea377ab60917a24b67
SHA1

5a3cd2b24201a7cf6a98d6f1a06aa984dfed0e8c
SHA256

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf
SHA512

55194c0e738f3872ea1fb8a64881f6265ea9ec2bff2dbd722166283ac93a12fb85077aaf9b7ca075d69d58d2467460b1d7ab715f86796e8ec09df62980487d80

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect
\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect
\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect
\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect

XMRig Miner Payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/912-59-0x0000000000080000-0x0000000000183000-memory.dmp	xmrig
behavioral1/memory/912-60-0x0000000000081500-mapping.dmp	xmrig
behavioral1/memory/912-62-0x0000000000080000-0x0000000000183000-memory.dmp	xmrig
behavioral1/memory/1808-65-0x0000000000140000-0x0000000000243000-memory.dmp	xmrig
behavioral1/memory/1808-66-0x0000000000141500-mapping.dmp	xmrig
behavioral1/memory/1808-72-0x0000000000140000-0x0000000000243000-memory.dmp	xmrig
behavioral1/memory/1112-73-0x00000000002C0000-0x00000000003C3000-memory.dmp	xmrig
behavioral1/memory/1112-74-0x00000000002C1500-mapping.dmp	xmrig
behavioral1/memory/1112-78-0x00000000002C0000-0x00000000003C3000-memory.dmp	xmrig
behavioral1/memory/1824-79-0x0000000000250000-0x0000000000353000-memory.dmp	xmrig
behavioral1/memory/1824-80-0x0000000000251500-mapping.dmp	xmrig
behavioral1/memory/912-81-0x0000000000080000-0x0000000000183000-memory.dmp	xmrig
behavioral1/memory/1824-84-0x0000000000250000-0x0000000000353000-memory.dmp	xmrig
behavioral1/memory/1112-85-0x00000000002C0000-0x00000000003C3000-memory.dmp	xmrig
behavioral1/memory/1808-83-0x0000000000140000-0x0000000000243000-memory.dmp	xmrig
behavioral1/memory/1824-86-0x0000000000250000-0x0000000000353000-memory.dmp	xmrig

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx
\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx
\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx
\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Loads dropped DLL 4 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ondriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe"	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

description	pid	process	target process
PID 1120 set thread context of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 set thread context of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 set thread context of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 set thread context of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

svchost.execalc.exesvchost.execalc.exe

description	pid	process
Token: SeLockMemoryPrivilege	912	svchost.exe
Token: SeLockMemoryPrivilege	1808	calc.exe
Token: SeLockMemoryPrivilege	1808	calc.exe
Token: SeLockMemoryPrivilege	912	svchost.exe
Token: SeLockMemoryPrivilege	1112	svchost.exe
Token: SeLockMemoryPrivilege	1112	svchost.exe
Token: SeLockMemoryPrivilege	1824	calc.exe
Token: SeLockMemoryPrivilege	1824	calc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

description	pid	process	target process
PID 1120 wrote to memory of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 912	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1808	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1112	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 1120 wrote to memory of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 1120 wrote to memory of 1824	1120	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
"C:\Users\Admin\AppData\Local\Temp\54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\svchost.exe
-o xmr.pool.minergate.com:45560 -u mikaelamonero2@gmx.com -p x --max-cpu-usage=20 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\calc.exe
-o xmr.pool.minergate.com:45560 -u thiagoiphones6@gmail.com -p x --max-cpu-usage=50 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\svchost.exe
-o xmr.pool.minergate.com:45560 -u mikaelamonero2@gmx.com -p x --max-cpu-usage=20 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\calc.exe
-o xmr.pool.minergate.com:45560 -u thiagoiphones6@gmail.com -p x --max-cpu-usage=50 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
memory/912-60-0x0000000000081500-mapping.dmp

Download
memory/912-81-0x0000000000080000-0x0000000000183000-memory.dmp

Filesize
1.0MB

Download
memory/912-62-0x0000000000080000-0x0000000000183000-memory.dmp

Filesize
1.0MB

Download
memory/912-57-0x0000000000080000-0x0000000000183000-memory.dmp

Filesize
1.0MB

Download
memory/912-59-0x0000000000080000-0x0000000000183000-memory.dmp

Filesize
1.0MB

Download
memory/1112-85-0x00000000002C0000-0x00000000003C3000-memory.dmp

Filesize
1.0MB

Download
memory/1112-73-0x00000000002C0000-0x00000000003C3000-memory.dmp

Filesize
1.0MB

Download
memory/1112-74-0x00000000002C1500-mapping.dmp

Download
memory/1112-78-0x00000000002C0000-0x00000000003C3000-memory.dmp

Filesize
1.0MB

Download
memory/1120-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1808-65-0x0000000000140000-0x0000000000243000-memory.dmp

Filesize
1.0MB

Download
memory/1808-72-0x0000000000140000-0x0000000000243000-memory.dmp

Filesize
1.0MB

Download
memory/1808-66-0x0000000000141500-mapping.dmp

Download
memory/1808-83-0x0000000000140000-0x0000000000243000-memory.dmp

Filesize
1.0MB

Download
memory/1824-79-0x0000000000250000-0x0000000000353000-memory.dmp

Filesize
1.0MB

Download
memory/1824-84-0x0000000000250000-0x0000000000353000-memory.dmp

Filesize
1.0MB

Download
memory/1824-80-0x0000000000251500-mapping.dmp

Download
memory/1824-86-0x0000000000250000-0x0000000000353000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads