xmrig | 73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/03/2023, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe
Size

2.1MB
MD5

019cd16abc7c1aac7cf950fb6278fe1e
SHA1

83498e183f0057f3900cc9ed1a09829d6097e0db
SHA256

73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286
SHA512

aaddaec71ff257b11e3a56fef23c17e9ab87af58c44d8c745145751bc1fb8595dc878e16f25c7ff4ef5e67cc6759ac9f05af5d227e311b6392daf59dab73b77c
SSDEEP

49152:LZslaH0znUO2Qh9odfguRJXLMSsdhOTveI:LZAaHcVJrIbXXLMijT

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/1564-79-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-80-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-82-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-81-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-83-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-84-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-85-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-86-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-87-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-89-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-92-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-94-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-95-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-96-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-98-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-100-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-102-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-103-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1564-109-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
1020	servicesupdate.exe
1348	sihost64.exe

Loads dropped DLL 4 IoCs

pid	Process
800	cmd.exe
800	cmd.exe
1340	conhost.exe
1340	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1564	1340	conhost.exe	38

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1096	conhost.exe
1340	conhost.exe
1340	conhost.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe
1564	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	conhost.exe
Token: SeDebugPrivilege	1340	conhost.exe
Token: SeLockMemoryPrivilege	1564	explorer.exe
Token: SeLockMemoryPrivilege	1564	explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1096	1724	73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe	28
PID 1724 wrote to memory of 1096	1724	73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe	28
PID 1724 wrote to memory of 1096	1724	73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe	28
PID 1724 wrote to memory of 1096	1724	73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe	28
PID 1096 wrote to memory of 592	1096	conhost.exe	30
PID 1096 wrote to memory of 592	1096	conhost.exe	30
PID 1096 wrote to memory of 592	1096	conhost.exe	30
PID 592 wrote to memory of 1684	592	cmd.exe	32
PID 592 wrote to memory of 1684	592	cmd.exe	32
PID 592 wrote to memory of 1684	592	cmd.exe	32
PID 1096 wrote to memory of 800	1096	conhost.exe	33
PID 1096 wrote to memory of 800	1096	conhost.exe	33
PID 1096 wrote to memory of 800	1096	conhost.exe	33
PID 800 wrote to memory of 1020	800	cmd.exe	35
PID 800 wrote to memory of 1020	800	cmd.exe	35
PID 800 wrote to memory of 1020	800	cmd.exe	35
PID 1020 wrote to memory of 1340	1020	servicesupdate.exe	36
PID 1020 wrote to memory of 1340	1020	servicesupdate.exe	36
PID 1020 wrote to memory of 1340	1020	servicesupdate.exe	36
PID 1020 wrote to memory of 1340	1020	servicesupdate.exe	36
PID 1340 wrote to memory of 1348	1340	conhost.exe	37
PID 1340 wrote to memory of 1348	1340	conhost.exe	37
PID 1340 wrote to memory of 1348	1340	conhost.exe	37
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1340 wrote to memory of 1564	1340	conhost.exe	38
PID 1348 wrote to memory of 628	1348	sihost64.exe	39
PID 1348 wrote to memory of 628	1348	sihost64.exe	39
PID 1348 wrote to memory of 628	1348	sihost64.exe	39
PID 1348 wrote to memory of 628	1348	sihost64.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe
"C:\Users\Admin\AppData\Local\Temp\73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "servicesupdate" /tr "C:\Users\Admin\AppData\Roaming\servicesupdate.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "servicesupdate" /tr "C:\Users\Admin\AppData\Roaming\servicesupdate.exe"
      4⤵
      Creates scheduled task(s)
      PID:1684
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\servicesupdate.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Roaming\servicesupdate.exe
      C:\Users\Admin\AppData\Roaming\servicesupdate.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\servicesupdate.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:628
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.2miners.com:12222 --user=42wRSnCZxVfH9eWFcN2svEebFc5VcHVyfjd2s74LvsMPbrymtDoU239XZeTmT5YnaWVwPT3JeLDFA78HmQ31tFMsDwTkH8e --pass= --cpu-max-threads-hint=80 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=1 --cinit-idle-cpu=90 --tls --cinit-stealth
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
44e0c83e06b803e582681e2bc160da0b

SHA1
a83fc741a2ca2c2e57877ea97ad238b684e65422

SHA256
d721cb5f30684ff59cba2e68ea6c89c6a2d14775c8dcfa621501cf8c324df681

SHA512
0d706c35b98b40476f5c91f9921d5e250e142e5d712715710089ea57d815e80ae85773ee3c1c41aaf0563e03a8472fd982fa9065c11cd73e5a390b08e9c05714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
44e0c83e06b803e582681e2bc160da0b

SHA1
a83fc741a2ca2c2e57877ea97ad238b684e65422

SHA256
d721cb5f30684ff59cba2e68ea6c89c6a2d14775c8dcfa621501cf8c324df681

SHA512
0d706c35b98b40476f5c91f9921d5e250e142e5d712715710089ea57d815e80ae85773ee3c1c41aaf0563e03a8472fd982fa9065c11cd73e5a390b08e9c05714

Download Submit
C:\Users\Admin\AppData\Roaming\servicesupdate.exe

Filesize
2.1MB

MD5
019cd16abc7c1aac7cf950fb6278fe1e

SHA1
83498e183f0057f3900cc9ed1a09829d6097e0db

SHA256
73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286

SHA512
aaddaec71ff257b11e3a56fef23c17e9ab87af58c44d8c745145751bc1fb8595dc878e16f25c7ff4ef5e67cc6759ac9f05af5d227e311b6392daf59dab73b77c

Download Submit
C:\Users\Admin\AppData\Roaming\servicesupdate.exe

Filesize
2.1MB

MD5
019cd16abc7c1aac7cf950fb6278fe1e

SHA1
83498e183f0057f3900cc9ed1a09829d6097e0db

SHA256
73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286

SHA512
aaddaec71ff257b11e3a56fef23c17e9ab87af58c44d8c745145751bc1fb8595dc878e16f25c7ff4ef5e67cc6759ac9f05af5d227e311b6392daf59dab73b77c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
44e0c83e06b803e582681e2bc160da0b

SHA1
a83fc741a2ca2c2e57877ea97ad238b684e65422

SHA256
d721cb5f30684ff59cba2e68ea6c89c6a2d14775c8dcfa621501cf8c324df681

SHA512
0d706c35b98b40476f5c91f9921d5e250e142e5d712715710089ea57d815e80ae85773ee3c1c41aaf0563e03a8472fd982fa9065c11cd73e5a390b08e9c05714

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
44e0c83e06b803e582681e2bc160da0b

SHA1
a83fc741a2ca2c2e57877ea97ad238b684e65422

SHA256
d721cb5f30684ff59cba2e68ea6c89c6a2d14775c8dcfa621501cf8c324df681

SHA512
0d706c35b98b40476f5c91f9921d5e250e142e5d712715710089ea57d815e80ae85773ee3c1c41aaf0563e03a8472fd982fa9065c11cd73e5a390b08e9c05714

Download Submit
\Users\Admin\AppData\Roaming\servicesupdate.exe

Filesize
2.1MB

MD5
019cd16abc7c1aac7cf950fb6278fe1e

SHA1
83498e183f0057f3900cc9ed1a09829d6097e0db

SHA256
73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286

SHA512
aaddaec71ff257b11e3a56fef23c17e9ab87af58c44d8c745145751bc1fb8595dc878e16f25c7ff4ef5e67cc6759ac9f05af5d227e311b6392daf59dab73b77c

Download Submit
\Users\Admin\AppData\Roaming\servicesupdate.exe

Filesize
2.1MB

MD5
019cd16abc7c1aac7cf950fb6278fe1e

SHA1
83498e183f0057f3900cc9ed1a09829d6097e0db

SHA256
73d77cad2b273758046922b2b6a2ca7ec1c28ca6e02e72223fd2a49c769ed286

SHA512
aaddaec71ff257b11e3a56fef23c17e9ab87af58c44d8c745145751bc1fb8595dc878e16f25c7ff4ef5e67cc6759ac9f05af5d227e311b6392daf59dab73b77c

Download Submit
memory/628-106-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/628-110-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/628-99-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/628-101-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/628-104-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/628-105-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/628-113-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/628-112-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/628-111-0x000000001AC50000-0x000000001ACD0000-memory.dmp

Filesize
512KB

Download
memory/1096-57-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1096-54-0x0000000000230000-0x0000000000450000-memory.dmp

Filesize
2.1MB

Download
memory/1096-55-0x000000001B550000-0x000000001B770000-memory.dmp

Filesize
2.1MB

Download
memory/1096-56-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1340-75-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/1340-74-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/1564-86-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-83-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-87-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-88-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/1564-89-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-92-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-93-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1564-94-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-95-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-96-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-84-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-98-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-100-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-85-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-102-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-103-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-81-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-82-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-107-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/1564-108-0x0000000002070000-0x0000000002090000-memory.dmp

Filesize
128KB

Download
memory/1564-109-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-79-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-78-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-77-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-76-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1564-114-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/1564-115-0x0000000002070000-0x0000000002090000-memory.dmp

Filesize
128KB

Download