Concrete signature match: Trojan (appears legitimate but performs malicious actions), 64-bit Windows platform, family DisguisedXMRigMiner
This threat is a Trojan that covertly installs and runs a disguised version of the XMRig cryptocurrency miner on the victim's system. It uses the infected computer's resources to mine Monero for the attacker, leading to performance degradation, and employs multiple 'living-off-the-land' techniques and scheduled tasks for execution and persistence.
Relevant strings associated with this threat:
- mining.authorize call failed (PEHSTR)
- mining.extranonce.subscribe (PEHSTR)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated sample hash: bc584641fa7be701f0ba164e43dc4a0ea24944b1f40fce23d8b7143eb36ee64b
Recommended actions: Allow your security software to remove the threat and perform a full system scan. Investigate and remove any persistence mechanisms created by the malware, such as suspicious scheduled tasks or startup entries. Block network connections to known cryptocurrency mining pools at the firewall.