xmrig | 6fc7bfc186b8207bcb43a0b012cf8aaa20b9c59ba3582ee48635044abaa1598e

General

Target

tmp.exe
Size

6.0MB
MD5

66055eb5779265037160e80546c6de3d
SHA1

49d3ac6f095af87c2940b16f52f1c72b81646b0d
SHA256

6fc7bfc186b8207bcb43a0b012cf8aaa20b9c59ba3582ee48635044abaa1598e
SHA512

a315bc889e9f629dd0bb0c8a376ee29f3fcd25706a2ad0511db1292e5d18b76392e857b4db1010b2b1ce6d7ea1f81d94b6dcbcbdd565d456565fa2a36aa152fc
SSDEEP

98304:wUQqpYQUHxoPmuVk77pC9RwQic/WkkQldxy6Qn3g64UFkcSJNsPGw7Wb/DibBZNY:wjqi+PS7Qf+OdkExPTpUC+Gwqb/DiNzY

Score

10^/10

xmrig miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1728 created 3376 1728 tmp.exe Explorer.EXE
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 1728 created 3376	1728	tmp.exe	Explorer.EXE

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/648-50-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-51-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-52-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-54-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-55-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-56-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-57-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-58-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-59-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/648-61-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

VCDDaemon.exe

pid process

3184 VCDDaemon.exe
Loads dropped DLL 4 IoCs

Processes:

VCDDaemon.exe

pid process

3184 VCDDaemon.exe
3184 VCDDaemon.exe
3184 VCDDaemon.exe
3184 VCDDaemon.exe

pid	process
3184	VCDDaemon.exe

pid	process
3184	VCDDaemon.exe
3184	VCDDaemon.exe
3184	VCDDaemon.exe
3184	VCDDaemon.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

VCDDaemon.execmd.exeMSBuild.exe

description	pid	process	target process
PID 3184 set thread context of 568	3184	VCDDaemon.exe	cmd.exe
PID 568 set thread context of 3412	568	cmd.exe	MSBuild.exe
PID 3412 set thread context of 648	3412	MSBuild.exe	ngen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tmp.exeVCDDaemon.execmd.exeMSBuild.exe

pid process

1728 tmp.exe
1728 tmp.exe
3184 VCDDaemon.exe
3184 VCDDaemon.exe
568 cmd.exe
568 cmd.exe
3412 MSBuild.exe
3412 MSBuild.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

676
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

VCDDaemon.execmd.exe

pid process

3184 VCDDaemon.exe
568 cmd.exe
568 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MSBuild.exengen.exe

description pid process

Token: SeDebugPrivilege 3412 MSBuild.exe
Token: SeLockMemoryPrivilege 648 ngen.exe
Token: SeLockMemoryPrivilege 648 ngen.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ngen.exe

pid process

648 ngen.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

1728 tmp.exe
1728 tmp.exe

pid	process
1728	tmp.exe
1728	tmp.exe
3184	VCDDaemon.exe
3184	VCDDaemon.exe
568	cmd.exe
568	cmd.exe
3412	MSBuild.exe
3412	MSBuild.exe

pid	process
676

pid	process
3184	VCDDaemon.exe
568	cmd.exe
568	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3412	MSBuild.exe
Token: SeLockMemoryPrivilege	648	ngen.exe
Token: SeLockMemoryPrivilege	648	ngen.exe

pid	process
648	ngen.exe

pid	process
1728	tmp.exe
1728	tmp.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

tmp.exeVCDDaemon.execmd.exeMSBuild.exe

description	pid	process	target process
PID 1728 wrote to memory of 3184	1728	tmp.exe	VCDDaemon.exe
PID 1728 wrote to memory of 3184	1728	tmp.exe	VCDDaemon.exe
PID 1728 wrote to memory of 3184	1728	tmp.exe	VCDDaemon.exe
PID 3184 wrote to memory of 568	3184	VCDDaemon.exe	cmd.exe
PID 3184 wrote to memory of 568	3184	VCDDaemon.exe	cmd.exe
PID 3184 wrote to memory of 568	3184	VCDDaemon.exe	cmd.exe
PID 3184 wrote to memory of 568	3184	VCDDaemon.exe	cmd.exe
PID 568 wrote to memory of 3412	568	cmd.exe	MSBuild.exe
PID 568 wrote to memory of 3412	568	cmd.exe	MSBuild.exe
PID 568 wrote to memory of 3412	568	cmd.exe	MSBuild.exe
PID 568 wrote to memory of 3412	568	cmd.exe	MSBuild.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe
PID 3412 wrote to memory of 648	3412	MSBuild.exe	ngen.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe --donate-level 1 -o de.zephyr.herominers.com:1123 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p workwork -a rx/0 -k --max-cpu-usage=50
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17f33b40
Filesize
2.1MB

MD5
85dc900b68e0b5c3e277b14e891e7b1c

SHA1
bc8efe8d6c874122a2e9e118b2f7a50801799d6d

SHA256
1c7f0713d6cbeb14d2ca37ca4a80b1f148cbae8b7267c2c674ce7a35e51c1764

SHA512
242c5e65838a1986f49397142a21168cd22adecd157d95021d35525e3fe02ab608fdd91761edc792606afccd74dd04adaf561d84a7dbee9c78b1ee732cdfbbdc

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyCDIO.dll
Filesize
93KB

MD5
5abcd9f2323d7e4ac51728cc32f17cc6

SHA1
b226b10309a38cb1e30a00bce541cbf62e3dc0e0

SHA256
cff34dfd4251c22458f73674e6d2e1ca4c38a2ca7d69491db291e89c929d823b

SHA512
3b87c46047611fb491e82b6903694567965fc475337c437098b124679b231bfe47add75537fef26c78d8b87844700eca414c4d9e3f5a065d7f54286cb4f69254

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\ElbyVCD.dll
Filesize
130KB

MD5
aa490720cd3c26eff6e6fbe9601673a5

SHA1
e97dbbd6b37bff2c700e1ce967cf6612fddfbd41

SHA256
349b4dfa1e93144b010affba926663264288a5cfcb7b305320f466b2551b93df

SHA512
fb2347bd7d6f0408235f30468886da8e4ec4790058ed70dbb28a4080b399a9b55902aa33756209cb3ed8579347ca69d484cb12f6e7ef0120246c3ac37ef98647

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
Filesize
86KB

MD5
3bd79a1f6d2ea0fddea3f8914b2a6a0c

SHA1
3ea3f44f81b3501e652b448a7dc33a8ee739772e

SHA256
332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51

SHA512
7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67

Download Submit
C:\Users\Admin\AppData\Roaming\msdt\poppet.eps
Filesize
1.8MB

MD5
d0a7fae3a0fdae716c76300adf70b2bb

SHA1
5be0788226f428dcc66de7aa4dce5d8eeb832d8e

SHA256
f1d7eb55fcaf9a6f71316559e33d40682f47ce3c0b1c1ff4908c71ca1015c9ed

SHA512
1306f6fba2386a31dffb80297a089285f3045b1c19950a1068a5a3103f06467cda71650c23efc0ba59fd3e35482d1fe362f7713e2f8da965fed97151f85cd5a1

Download Submit
memory/568-36-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/568-31-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/568-38-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/568-35-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/568-33-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/648-58-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-57-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-56-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-55-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-54-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-53-0x00000272276E0000-0x0000027227700000-memory.dmp

Filesize
128KB

Download
memory/648-50-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-52-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-59-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-60-0x0000027229100000-0x0000027229140000-memory.dmp

Filesize
256KB

Download
memory/648-51-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/648-61-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1728-28-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/1728-0-0x0000000000400000-0x00000000006F1000-memory.dmp

Filesize
2.9MB

Download
memory/1728-6-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/1728-3-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/1728-2-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/1728-13-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/1728-1-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/3184-25-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/3184-29-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/3184-27-0x0000000074BC0000-0x0000000074D3B000-memory.dmp

Filesize
1.5MB

Download
memory/3184-26-0x00007FF935AB0000-0x00007FF935CA5000-memory.dmp

Filesize
2.0MB

Download
memory/3184-23-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/3412-39-0x00007FF9161E0000-0x00007FF917857000-memory.dmp

Filesize
22.5MB

Download
memory/3412-46-0x00000281E4ED0000-0x00000281E4EE0000-memory.dmp

Filesize
64KB

Download
memory/3412-42-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/3412-45-0x00007FF915660000-0x00007FF916121000-memory.dmp

Filesize
10.8MB

Download
memory/3412-44-0x00000281E4ED0000-0x00000281E4EE0000-memory.dmp

Filesize
64KB

Download
memory/3412-43-0x00007FF915660000-0x00007FF916121000-memory.dmp

Filesize
10.8MB

Download
memory/3412-67-0x00007FF915660000-0x00007FF916121000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads