xmrig | 87202ddd20d67f566b2e49c98ceea801f58f72e66b47e61f8daf0d70521546f5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vhpcde.exe
Size

662KB
MD5

4ae02ce23e76c0d777a9000222e4336c
SHA1

4ad1cdcd30abc364dc93e671cec58461c1f7f2c2
SHA256

87202ddd20d67f566b2e49c98ceea801f58f72e66b47e61f8daf0d70521546f5
SHA512

c68eeac1bfe39ff7ce6d10c1e276ae98d5c7c56513bf0a172fb87da187671a3dbb02ff01fdeb588d819ae8ba2433e222a5e7dc1825675a0af78b7b4be1ef0c47
SSDEEP

12288:p5f3l8xufKg2UMSo/olMCsfMWsM8bs/AqFyJVH8sy9r/ud013YQqrYDiDM4kp:ptCFnVwlMaKAmyJ9etmyYQqrwiJk

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/5296-8026-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/5296-8033-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 1912	4752	Vhpcde.exe	92
PID 1912 set thread context of 5296	1912	aspnet_compiler.exe	96

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe
1912	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	Vhpcde.exe
Token: SeDebugPrivilege	1912	aspnet_compiler.exe
Token: SeLockMemoryPrivilege	5296	AddInProcess.exe
Token: SeLockMemoryPrivilege	5296	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5296	AddInProcess.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 1912	4752	Vhpcde.exe	92
PID 4752 wrote to memory of 1912	4752	Vhpcde.exe	92
PID 4752 wrote to memory of 1912	4752	Vhpcde.exe	92
PID 4752 wrote to memory of 1912	4752	Vhpcde.exe	92
PID 4752 wrote to memory of 1912	4752	Vhpcde.exe	92
PID 4752 wrote to memory of 1912	4752	Vhpcde.exe	92
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96
PID 1912 wrote to memory of 5296	1912	aspnet_compiler.exe	96

C:\Users\Admin\AppData\Local\Temp\Vhpcde.exe
"C:\Users\Admin\AppData\Local\Temp\Vhpcde.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o stratum+ssl://xmr-eu1.nanopool.org:10343 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2.Btristen52@gmail.com -p [email protected] --algo rx/0 --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-4046-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/1912-8032-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/1912-8021-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/1912-8020-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/1912-8019-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/4752-25-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-61-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-63-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-21-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-59-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-57-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-55-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-53-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-51-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-49-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-47-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-45-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-43-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-41-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-39-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-19-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-35-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-31-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-29-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-0-0x00007FF8DCEC3000-0x00007FF8DCEC5000-memory.dmp

Filesize
8KB

Download
memory/4752-1-0x0000022A296A0000-0x0000022A2974A000-memory.dmp

Filesize
680KB

Download
memory/4752-67-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-37-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-17-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-14-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-15-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/4752-6-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-12-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-10-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-8-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-4-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-3-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-4008-0x0000022A2B2F0000-0x0000022A2B346000-memory.dmp

Filesize
344KB

Download
memory/4752-4009-0x0000022A43C90000-0x0000022A43CDC000-memory.dmp

Filesize
304KB

Download
memory/4752-4010-0x00007FF8DCEC3000-0x00007FF8DCEC5000-memory.dmp

Filesize
8KB

Download
memory/4752-4013-0x00007FF8DCEC0000-0x00007FF8DD981000-memory.dmp

Filesize
10.8MB

Download
memory/4752-65-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-33-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-27-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/4752-2-0x0000022A43B80000-0x0000022A43C8A000-memory.dmp

Filesize
1.0MB

Download
memory/4752-23-0x0000022A43B80000-0x0000022A43C85000-memory.dmp

Filesize
1.0MB

Download
memory/5296-8026-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/5296-8033-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download