xmrig | a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

General

Target

a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
Size

773KB
MD5

28fb61a68956efd2dd8c76d2da0ac9e8
SHA1

1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff
SHA256

a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373
SHA512

1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1644-56-0x0000000000427AA0-mapping.dmp	xmrig
behavioral1/memory/1644-55-0x0000000000400000-0x000000000048D000-memory.dmp	xmrig
behavioral1/memory/1644-58-0x0000000000400000-0x000000000048D000-memory.dmp	xmrig
behavioral1/memory/1644-59-0x0000000000400000-0x000000000048D000-memory.dmp	xmrig
C:\ProgramData\Iostream.exe	xmrig
C:\ProgramData\Iostream.exe	xmrig
C:\ProgramData\Iostream.exe	xmrig

Executes dropped EXE 3 IoCs

Processes:

Iostream.exeIostream.exeIostream.exe

pid process

576 Iostream.exe
1692 Iostream.exe
1972 Iostream.exe

pid	process
576	Iostream.exe
1692	Iostream.exe
1972	Iostream.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe

description	pid	process	target process
PID 1740 set thread context of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1720 schtasks.exe
524 schtasks.exe
972 schtasks.exe
1396 schtasks.exe

pid	process
1720	schtasks.exe
524	schtasks.exe
972	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe

pid	process
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe

Suspicious behavior: RenamesItself 4 IoCs

Processes:

a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exeIostream.exeIostream.exeIostream.exe

pid process

1740 a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
576 Iostream.exe
1692 Iostream.exe
1972 Iostream.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

attrib.exe

description pid process

Token: SeLockMemoryPrivilege 1644 attrib.exe
Token: SeLockMemoryPrivilege 1644 attrib.exe

description	pid	process
Token: SeLockMemoryPrivilege	1644	attrib.exe
Token: SeLockMemoryPrivilege	1644	attrib.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exetaskeng.exeIostream.exeIostream.exe

description	pid	process	target process
PID 1740 wrote to memory of 1720	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	schtasks.exe
PID 1740 wrote to memory of 1720	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	schtasks.exe
PID 1740 wrote to memory of 1720	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	schtasks.exe
PID 1740 wrote to memory of 1720	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	schtasks.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1740 wrote to memory of 1644	1740	a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe	attrib.exe
PID 1980 wrote to memory of 576	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 576	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 576	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 576	1980	taskeng.exe	Iostream.exe
PID 576 wrote to memory of 524	576	Iostream.exe	schtasks.exe
PID 576 wrote to memory of 524	576	Iostream.exe	schtasks.exe
PID 576 wrote to memory of 524	576	Iostream.exe	schtasks.exe
PID 576 wrote to memory of 524	576	Iostream.exe	schtasks.exe
PID 1980 wrote to memory of 1692	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 1692	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 1692	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 1692	1980	taskeng.exe	Iostream.exe
PID 1692 wrote to memory of 972	1692	Iostream.exe	schtasks.exe
PID 1692 wrote to memory of 972	1692	Iostream.exe	schtasks.exe
PID 1692 wrote to memory of 972	1692	Iostream.exe	schtasks.exe
PID 1692 wrote to memory of 972	1692	Iostream.exe	schtasks.exe
PID 1980 wrote to memory of 1972	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 1972	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 1972	1980	taskeng.exe	Iostream.exe
PID 1980 wrote to memory of 1972	1980	taskeng.exe	Iostream.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1644 attrib.exe

pid	process
1644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe
"C:\Users\Admin\AppData\Local\Temp\a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
2⤵
- Creates scheduled task(s)
PID:1720

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Views/modifies file attributes
PID:1644

C:\Windows\system32\taskeng.exe
taskeng.exe {048C0900-A1D7-424F-A396-87BFE90CD8F2} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\ProgramData\Iostream.exe
C:\ProgramData\Iostream.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:524

C:\ProgramData\Iostream.exe
C:\ProgramData\Iostream.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:972

C:\ProgramData\Iostream.exe
C:\ProgramData\Iostream.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: RenamesItself
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \Windows\Recovery\Cleaner /tr "C:\ProgramData\Iostream.exe" /st 00:00 /sc once /du 9999:59 /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Hidden Files and Directories

1

T1158

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Iostream.exe
Filesize
773KB

MD5
28fb61a68956efd2dd8c76d2da0ac9e8

SHA1
1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff

SHA256
a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

SHA512
1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

Download Submit
C:\ProgramData\Iostream.exe
Filesize
773KB

MD5
28fb61a68956efd2dd8c76d2da0ac9e8

SHA1
1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff

SHA256
a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

SHA512
1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

Download Submit
C:\ProgramData\Iostream.exe
Filesize
773KB

MD5
28fb61a68956efd2dd8c76d2da0ac9e8

SHA1
1ac9eb475b3fbe7d818825fe9551e7e4e2d3cbff

SHA256
a3e86b5863b0f331c745e72d7a4fca5628dc4f42ea6edbbfd9394c789de4f373

SHA512
1792e750838cf1a66f63691d97aa8f09c70a9808ac1a26c67efde1ce86fae4e563c3be58fb206c53b1fbb7364221e8d278f8672b2f3e2868d6d39d4b6c38e78a

Download Submit
memory/524-62-0x0000000000000000-mapping.dmp

Download
memory/576-60-0x0000000000000000-mapping.dmp

Download
memory/972-65-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1644-58-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1644-59-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1644-56-0x0000000000427AA0-mapping.dmp

Download
memory/1692-63-0x0000000000000000-mapping.dmp

Download
memory/1720-54-0x0000000000000000-mapping.dmp

Download
memory/1972-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads