xmrig | 9ec9b48a75aaa71be277321cf9eee25a40343b0fcbf93bdae4c895af133f4e12

General

Target

mine3.exe
Size

3.5MB
MD5

70e341f67ff1080b9e9258a65369232f
SHA1

b59ca5efcbc82346e95a8a69e96e0659a1b09205
SHA256

9ec9b48a75aaa71be277321cf9eee25a40343b0fcbf93bdae4c895af133f4e12
SHA512

89c52e6c02db5c102b76be5c36e348a1fdbd6d27fd441d4b307414d72564d0c982ea5ddae95005b433ebd79437ec62cbbd80d1ff841a1c995b3303961d3e334e
SSDEEP

98304:+3GWxmPjzreXXdB3X1tNWnbFMFLzcn0qVrpmJFjjCE:+3G3rzreXXjX1tNOxMFLIn6J7

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral1/files/0x000100000002aa25-18.dat	family_xmrig
behavioral1/files/0x000100000002aa25-18.dat	xmrig
behavioral1/memory/1644-21-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp	xmrig
behavioral1/memory/1644-22-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp	xmrig
behavioral1/memory/1644-23-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 2 IoCs

pid	Process
656	enced.exe
1644	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	mine3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1644	svchost.exe
Token: SeLockMemoryPrivilege	1644	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1196	3652	mine3.exe	80
PID 3652 wrote to memory of 1196	3652	mine3.exe	80
PID 1196 wrote to memory of 656	1196	WScript.exe	82
PID 1196 wrote to memory of 656	1196	WScript.exe	82
PID 1196 wrote to memory of 656	1196	WScript.exe	82
PID 656 wrote to memory of 4384	656	enced.exe	84
PID 656 wrote to memory of 4384	656	enced.exe	84
PID 4384 wrote to memory of 1644	4384	cmd.exe	85
PID 4384 wrote to memory of 1644	4384	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\mine3.exe
"C:\Users\Admin\AppData\Local\Temp\mine3.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\685F.tmp\6860.tmp\6861.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
        
        svchost
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\685F.tmp\6860.tmp\6861.bat

Filesize
166B

MD5
386111a0272bbea006a609dcf40bdb3a

SHA1
3d3e93757be3480f5ac13b1d22e1a176cb1bc7df

SHA256
117d3372f76040e45673473df7f5e3837d46a6853ffd2363be26b93a92dd0e2f

SHA512
f9081fa4950f9298dd2199727b4bebcf2a081b7d3bd0b87ade76abceb5ba79bc3378507f015387dd0834ff615f5cb5f8049e20ec9f48df075f86578441d36f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.json

Filesize
3KB

MD5
43cc764d70e3988d6c79dcda228a0232

SHA1
b1af34e7f1ab3c4f0b569d1154a480cf494d324c

SHA256
835694daf882bb7d474c3b5ddf251961f1c9c5a3ad63bf5ac29707a75375606e

SHA512
ba85a828f80de83759fe932e60c08d2ead4a9cb6722cea60363471bc4f66c1bda131d5a53fdaaa6d3dda6db56a01d655e2ff927e6316a91843d8c7606404202a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\enced.exe

Filesize
89KB

MD5
7cd05433a3b4b84ac94175d3a64c1c02

SHA1
f7f5a17f7bedb00bdfaee7ad4f5d41072c6fcd3d

SHA256
31c68e8eef0bdf19be5850194ad47dad4620dd450c97d6578d6fa345d56a25b6

SHA512
a084530e4ee25a16795827bbf445a70cd02a527caf483b40cbe83badfae3f62101c801484e0bb45623c66c839751b98f946ce93089d07d1687a96a4367280f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

Filesize
99B

MD5
9daf6eb9778b66b523f6f4f6c956ed4c

SHA1
caa17396d526a963dc7d4f2e164deaa71484956d

SHA256
d98328c99f703fcec40891d2173bbb8ad20b0f5f34642db82ecbb0eb7ea19d10

SHA512
14eefcb99170c40780585380762e7c8d1f5d261950aee01625dca7deab40b8ea271cd83cf4cb1ad2dd0b32c43e5e7dd2a5c39f7fd9bd9d48eb20054bf6f154ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe

Filesize
9.0MB

MD5
81d19b38ee6bccd0acb83280012e4a34

SHA1
9852f0df5ef32231062f5a6bd474918a26da6865

SHA256
d40e416f072fcbcdddddd302c9960f08039a4f8b6d8ca82eaf0f854f5938b61f

SHA512
14312ef19da9006a2733e59a8264e7af79b98d29a63de5678f42e7bbc51ca3d9fe58a0c7cd305125b3020b917bb5a2093a4c375db1ce52963a20f157c9e28b33

Download Submit
memory/1644-19-0x00000259279C0000-0x00000259279E0000-memory.dmp

Filesize
128KB

Download
memory/1644-21-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp

Filesize
12.2MB

Download
memory/1644-22-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp

Filesize
12.2MB

Download
memory/1644-23-0x00007FF7C0050000-0x00007FF7C0C7E000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing