{
	"id": "1babe6cb-9b1b-4b96-83e0-c111f460902f",
	"created_at": "2026-04-06T00:13:24.74628Z",
	"updated_at": "2026-04-10T13:11:51.316184Z",
	"deleted_at": null,
	"sha1_hash": "d2ea8e9a6aa9f061c2b9b463a46fdb849d3033e5",
	"title": "All That for a Coinminer? - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278173,
	"plain_text": "All That for a Coinminer? - The DFIR Report\r\nBy editor\r\nPublished: 2021-01-18 · Archived: 2026-04-05 12:50:58 UTC\r\nA threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz.\r\nThey not only dumped LogonPasswords but they also exported all Kerberos tickets. The threat actor used Advanced IP\r\nScanner to scan the environment before RDPing into multiple systems, including a Domain Controller. After an hour of\r\nmoving around the environment, they deployed XMRig on the initial compromised system before logging off. The threat\r\nactor was active on the network for about 2 hours in total.\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThe threat actor logged in using RDP from an IP (92.118.13[.]103) that hadn’t attempted any previous logins. The account\r\nwas created the previous day using a source IP of 54.38.67[.]132, which had been trying to brute force a local admin\r\npassword. The threat actor used a workstation named winstation. During the intrusion, the threat actors also used\r\n5.122.15[.]138 to log in to one of the systems.\r\nExecution\r\nThe threat actor copied svshost.exe to C:\\naz\\naz and then executed it. This PE creates “XMRig CPU mine.exe” and\r\nHideAll.bat in C:\\Windows\\PolicyDefinitions and then executes both of them.\r\nDefense Evasion\r\nhttps://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/\r\nPage 1 of 10\n\nThe PE file that installs XMRig (svshost.exe) also has a script (HideAll.bat) embedded in it, which is called at runtime. 
This\r\nis the content of that batch file:\r\nattrib +h svshost.exe\r\nattrib +h XMRig CPU mine.exe\r\nattrib +h config.json\r\nattrib +h HideAll.bat\r\nattrib +h xmrig-notls.exe\r\nThis script is copied to C:\\Windows\\PolicyDefinitions\\ and run, which causes the files specified to be hidden.\r\nPersistence\r\nBefore the threat actor disconnected, they changed the user password.\r\nnet user %USERNAME% ehs.123\r\nCredential Access\r\nMimikatz was used to dump credentials from memory, as well as export Kerberos tickets, using the following command:\r\nmimikatz.exe\", \"\"\"log\"\" \"\"privilege::debug\"\" \"\"sekurlsa::logonpasswords\"\" \"\"sekurlsa::tickets /export\"\" \"\"exi\r\nThe threat actors used a VBS script named launch to execute Mimikatz. This is the content of launch.vbs:\r\nset shell=CreateObject(\"Shell.Application\")\r\nshell.ShellExecute \"mimikatz.exe\", \"\"\"log\"\" \"\"privilege::debug\"\" \"\"sekurlsa::logonpasswords\"\" \"\"sekurlsa::tic\r\nset shell=nothing\r\nSince the log parameter was used, the output was saved to mimikatz.log.\r\nThe Kerberos tickets were saved to disk, due to the threat actor using sekurlsa::tickets /export.\r\nDiscovery\r\nAdvanced IP Scanner was used to scan the environment.\r\nTask manager was opened multiple times. 
This was possibly to look at logged-in users and/or processes.\r\nNet Accounts was used to review user policies.\r\nnet accounts\r\nmasscan and masscan gui were dropped but were not executed.\r\nLateral Movement\r\nRDP was used to move laterally to multiple machines in the environment, which included domain controllers, backup\r\nmachines, etc.\r\nCommand and Control\r\nRDP was used to access the environment, as well as move within the environment.\r\nImpact\r\nXMRig was running on the system, using some CPU but not enough to cause any issues. We tend to block mining\r\nendpoints, which may have lessened the impact of this intrusion. XMRig made connection attempts to 104.140.201[.]42 \u0026\r\n104.142.244[.]186.\r\nThe threat actors have been using the associated Monero wallet for 738+ days and have netted around $5,159.\r\nWas the threat actors’ mission to mine Monero? Or was this a recon mission? Possibly both?\r\nEnjoy our report? Please consider donating $1 or more to the project using Patreon. Thank you for your support!\r\nWe also have pcaps, files, and Kape packages available here. 
No memory captures are available for this case.\r\nIOCs\r\nMISP https://misppriv.circl.lu/events/view/81975 \u0026 OTX https://otx.alienvault.com/pulse/60062031b621e8e94a93ff36\r\nNetwork\r\n92.118.13.103\r\n54.38.67.132\r\n5.122.15.138\r\n104.140.201.42\r\n104.142.244.186\r\nFile\r\nsvshost.exe https://www.hybrid-analysis.com/sample/ba94d5539a4ed65ac7a94a971dbb463a469f8671c767f515d271223078983442/5e4357ce225259716f52ff7a\r\nsvshost.exe\r\nmasscan.exe\r\nmimikatz.exe\r\nXMRig CPU mine.exe\r\nDetections\r\nNetwork\r\n[1:2024792:4] ET POLICY Cryptocurrency Miner Checkin\r\n[1:2826930:3] ETPRO POLICY XMR CoinMiner Usage\r\n[1:2841079:1] ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-02-18 2)\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mimikatz_command_line.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_attrib_hiding_files.yml\r\nCustom created Sigma rule\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/Mimikatz_Command_Line_With_Ticket_Export\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-01-18\r\nIdentifier: Case 1014\r\nReference: 
https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule miner_exe_svshost {\r\nmeta:\r\ndescription = \"exe - file svshost.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-01-18\"\r\nhash1 = \"ba94d5539a4ed65ac7a94a971dbb463a469f8671c767f515d271223078983442\"\r\nstrings:\r\n$s1 = \"* The error occured in hwloc %s inside process `%s', while\" fullword ascii\r\n$s2 = \"__kernel void find_shares(__global const uint64_t* hashes,uint64_t target,uint32_t start_nonce,__globa\r\n$s3 = \"lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561\r\n$s4 = \"svshost.exe\" fullword wide\r\n$s5 = \"Could not read dumped cpuid file %s, ignoring cpuiddump.\" fullword ascii\r\n$s6 = \"%PROGRAMFILES%\\\\NVIDIA Corporation\\\\NVSMI\\\\nvml.dll\" fullword ascii\r\n$s7 = \"void blake2b_512_process_single_block(ulong *h,const ulong* m,uint blockTemplateSize)\" fullword ascii\r\n$s8 = \"* the input XML was generated by hwloc %s inside process `%s'.\" fullword ascii\r\n$s9 = \"blake2b_512_process_single_block(hash,m,blockTemplateSize);\" fullword ascii\r\n$s10 = \"F:\\\\Apps\\\\cSharp\\\\myMinerup\\\\myM\\\\myM\\\\obj\\\\Debug\\\\svshost.pdb\" fullword ascii\r\n$s11 = \"|attrib +h svshost.exe\" fullword ascii\r\n$s12 = \"Found non-x86 dumped cpuid summary in %s: %s\" fullword ascii\r\n$s13 = \"GetCurrentProcessorNumberExProc || (GetCurrentProcessorNumberProc \u0026\u0026 nr_processor_groups == 1)\" fullw\r\n$s14 = \"__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTe\r\n$s15 = \"* hwloc %s received invalid information from the operating system.\" fullword ascii\r\n$s16 = \"__local exec_t* execution_plan=(__local 
exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGR\r\n$s17 = \"__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,\r\n$s18 = \"__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,\r\n$s19 = \"__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGR\r\n$s20 = \"__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTe\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 19000KB and\r\n8 of them\r\n}\r\nrule mimikatz_1014 {\r\nmeta:\r\ndescription = \"exe - file mimikatz.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-01-18\"\r\nhash1 = \"99d8d56435e780352a8362dd5cb3857949c6ff5585e81b287527cd6e52a092c1\"\r\nstrings:\r\n$x1 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)\" fullword\r\n$x2 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx user (%s)\" fullword wide\r\n$x3 = \"ERROR kuhl_m_lsadump_lsa ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)\" fullword wid\r\n$x4 = \"ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO\" fullword wide\r\n$x5 = \"ERROR kuhl_m_lsadump_dcsync ; kull_m_rpc_drsr_ProcessGetNCChangesReply\" fullword wide\r\n$x6 = \"ERROR kuhl_m_lsadump_trust ; kull_m_process_getVeryBasicModuleInformationsForName (0x%08x)\" fullword w\r\n$x7 = \"ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO\" fullword wide\r\n$x8 = \"ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)\" fullword wide\r\n$x9 = \"ERROR kuhl_m_lsadump_netsync ; I_NetServerTrustPasswordsGet (0x%08x)\" fullword wide\r\n$x10 = \"ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed 
(/in:\\\"%%localappdata%%\\\\Google\\\\Chrome\\\\U\r\n$x11 = \"ERROR kuhl_m_kernel_processProtect ; Argument /process:program.exe or /pid:processid needed\" fullword\r\n$x12 = \"ERROR kuhl_m_lsadump_getHash ; Unknow SAM_HASH revision (%hu)\" fullword wide\r\n$x13 = \"ERROR kuhl_m_lsadump_sam ; kull_m_registry_RegOpenKeyEx (SAM) (0x%08x)\" fullword wide\r\n$x14 = \"ERROR kull_m_rpc_drsr_ProcessGetNCChangesReply_decrypt ; Checksums don't match (C:0x%08x - R:0x%08x)\"\r\n$x15 = \"ERROR kuhl_m_lsadump_enumdomains_users ; /user or /rid is needed\" fullword wide\r\n$x16 = \"ERROR kuhl_m_lsadump_changentlm ; Argument /oldpassword: or /oldntlm: is needed\" fullword wide\r\n$x17 = \"livessp.dll\" fullword wide /* reversed goodware string 'lld.pssevil' */\r\n$x18 = \"ERROR kuhl_m_lsadump_enumdomains_users ; SamLookupNamesInDomain: %08x\" fullword wide\r\n$x19 = \"ERROR kuhl_m_lsadump_getComputerAndSyskey ; kuhl_m_lsadump_getSyskey KO\" fullword wide\r\n$x20 = \"ERROR kuhl_m_lsadump_getKeyFromGUID ; kuhl_m_lsadump_LsaRetrievePrivateData: 0x%08x\" fullword wide\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 3000KB and\r\n( pe.imphash() == \"a0444dc502edb626311492eb9abac8ec\" or 1 of ($x*) )\r\n}\r\nrule masscan_1014 {\r\nmeta:\r\ndescription = \"exe - file masscan.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-01-18\"\r\nhash1 = \"de903a297afc249bb7d68fef6c885a4c945d740a487fe3e9144a8499a7094131\"\r\nstrings:\r\n$x1 = \"User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)\" fullword ascii\r\n$s2 = \"Usage: masscan [Options] -p{Target-Ports} {Target-IP-Ranges}\" fullword ascii\r\n$s3 = \"GetProcessAffinityMask() returned error %u\" fullword ascii\r\n$s4 = \"Via: HTTP/1.1 ir14.fp.bf1.yahoo.com (YahooTrafficServer/1.2.0.13 [c s f ])\" fullword ascii\r\n$s5 = \"C:\\\\Documents and Settings\\\\\" fullword ascii\r\n$s6 = \"android.com\" fullword ascii\r\n$s7 = \"youtube.com\" fullword ascii\r\n$s8 = 
\"espanol.yahoo.com\" fullword ascii\r\n$s9 = \"brb.yahoo.com\" fullword ascii\r\n$s10 = \"malaysia.yahoo.com\" fullword ascii\r\n$s11 = \"att.yahoo.com\" fullword ascii\r\n$s12 = \"hsrd.yahoo.com\" fullword ascii\r\n$s13 = \"googlecommerce.com\" fullword ascii\r\n$s14 = \"maktoob.yahoo.com\" fullword ascii\r\n$s15 = \"*.youtube-nocookie.com\" fullword ascii\r\n$s16 = \"# TARGET SELECTION (IP, PORTS, EXCLUDES)\" fullword ascii\r\n$s17 = \"www.yahoo.com\" fullword ascii\r\n$s18 = \"x.509 parser failure: google.com\" fullword ascii\r\n$s19 = \"-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth\" fullword ascii\r\n$s20 = \"urchin.com\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n( pe.imphash() == \"9b0b559e373d62a1c93e615f003f8af8\" or 10 of them)\r\n}\r\nrule XMRig_CPU_mine_1014 {\r\nmeta:\r\ndescription = \"exe - file XMRig CPU mine.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-01-18\"\r\nhash1 = \"a8b2e85b3e0f5de4b82a92b3ca56d2d889a30383a3f9283ae48aec879edd0376\"\r\nstrings:\r\n$s1 = \"* The error occured in hwloc %s inside process `%s', while\" fullword ascii\r\n$s2 = \"__kernel void find_shares(__global const uint64_t* hashes,uint64_t target,uint32_t start_nonce,__globa\r\n$s3 = \"Could not read dumped cpuid file %s, ignoring cpuiddump.\" fullword ascii\r\n$s4 = \"%PROGRAMFILES%\\\\NVIDIA Corporation\\\\NVSMI\\\\nvml.dll\" fullword ascii\r\n$s5 = \"void blake2b_512_process_single_block(ulong *h,const ulong* m,uint blockTemplateSize)\" fullword ascii\r\n$s6 = \"* the input XML was generated by hwloc %s inside process `%s'.\" fullword ascii\r\n$s7 = \"blake2b_512_process_single_block(hash,m,blockTemplateSize);\" fullword ascii\r\n$s8 = \"Found non-x86 dumped cpuid summary in %s: %s\" fullword ascii\r\n$s9 = \"GetCurrentProcessorNumberExProc || (GetCurrentProcessorNumberProc 
\u0026\u0026 nr_processor_groups == 1)\" fullwo\r\n$s10 = \"__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTe\r\n$s11 = \"* hwloc %s received invalid information from the operating system.\" fullword ascii\r\n$s12 = \"__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGR\r\n$s13 = \"__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,\r\n$s14 = \"__kernel void execute_vm(__global void* vm_states,__global void* rounding,__global void* scratchpads,\r\n$s15 = \"__local exec_t* execution_plan=(__local exec_t*)(execution_plan_buf+(get_local_id(0)/8)*RANDOMX_PROGR\r\n$s16 = \"__kernel void blake2b_initial_hash(__global void *out,__global const void* blockTemplate,uint blockTe\r\n$s17 = \"nvml.dll\" fullword ascii\r\n$s18 = \"__kernel void Groestl(__global ulong *states,__global uint *BranchBuf,__global uint *output,ulong Tar\r\n$s19 = \"__kernel void Blake(__global ulong *states,__global uint *BranchBuf,__global uint *output,ulong Targe\r\n$s20 = \"__kernel void JH(__global ulong *states,__global uint *BranchBuf,__global uint *output,ulong Target,u\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 19000KB and\r\n( pe.imphash() == \"5c21c3e071f2116dcdb008ad5fc936d4\" or 8 of them )\r\n}\r\nMITRE\r\nCommand-Line Interface – T1059\r\nCreate Account – T1136\r\nCredential Dumping – T1003\r\nExternal Remote Services – T1133\r\nGraphical User Interface – T1061\r\nHidden Files and Directories – T1564.001\r\nLocal Account – T1087.001\r\nNetwork Service Scanning – T1046\r\nRemote Services – T1021\r\nResource Hijacking – T1496\r\nInternal case 1014\r\nSource: https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/"
	],
	"report_names": [
		"all-that-for-a-coinminer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2ea8e9a6aa9f061c2b9b463a46fdb849d3033e5.pdf",
		"text": "https://archive.orkl.eu/d2ea8e9a6aa9f061c2b9b463a46fdb849d3033e5.txt",
		"img": "https://archive.orkl.eu/d2ea8e9a6aa9f061c2b9b463a46fdb849d3033e5.jpg"
	}
}