Adversaries are likely deploying Coinminer malware matching the known IOCs below to mine cryptocurrency undetected on compromised systems. SOC teams should proactively hunt for this activity in Azure Sentinel so that mining can be identified and mitigated before it causes significant resource exhaustion.
IOC Summary
Malware Family: Coinminer
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 4dd2a916d6767a36f1b289339555b1993471952acf4f3ed4813644bf232a68f9 | payload | 2026-06-14 | 95% |
| sha1_hash | 8d8cf767dfd250d81c6f0731458c68992cc0649e | payload | 2026-06-14 | 95% |
| md5_hash | ab02ca10ab74d9ba0bcaff7f62ac2f6e | payload | 2026-06-14 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Coinminer
// Note: `in` is case-sensitive; DeviceFileEvents stores hashes in lower-case hex, as listed here
let malicious_hashes = dynamic(["4dd2a916d6767a36f1b289339555b1993471952acf4f3ed4813644bf232a68f9", "8d8cf767dfd250d81c6f0731458c68992cc0649e", "ab02ca10ab74d9ba0bcaff7f62ac2f6e"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: System Maintenance Scheduled Task
Description: A legitimate system maintenance task, such as schtasks.exe running a script to clean temporary files or update software.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance script paths (e.g., C:\Windows\System32\cleanmgr.exe).
Scenario: Admin Task for Log Management
Description: An administrator uses logman.exe or wevtutil.exe to configure or manage event logs, which may trigger the rule due to similar command-line activity.
Filter/Exclusion: Exclude processes with logman.exe or wevtutil.exe and check for administrative privileges or known log management scripts.
Scenario: Antivirus Quarantine Process
Description: A legitimate antivirus tool (e.g., Bitdefender, Kaspersky) quarantines a file, which may be flagged as a Coinminer IOC due to file hashes or network activity.
Filter/Exclusion: Exclude processes with known antivirus executable paths (e.g., C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe).
Scenario: Backup Job Execution
Description: A backup job (e.g., wbadmin.exe, vssadmin.exe) runs and generates network traffic or file access that matches Coinminer IOCs.
Filter/Exclusion: Exclude processes initiated by backup tools and check for known backup job names or paths (e.g., C:\Windows\System32\wbadmin.exe).
Scenario: Software Update Deployment
Description: A software update (e.g., via SCCM or Windows Update) triggers network activity or file modifications that match the Coinminer detection logic.
Filter/Exclusion: Exclude processes related to update services (e.g.,
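As an added example (not the page's own query), the Python below re-implements the hash hunt offline over constructed DeviceFileEvents-style rows: it matches all three hash columns case-insensitively and flags, rather than drops, hits whose initiating process appears in a benign-initiator list drawn from the scenarios above. The KNOWN_BENIGN_INITIATORS set and the sample rows are assumptions made for this example.

```python
# The three Coinminer IOCs from the table above.
MALICIOUS_HASHES = {
    "4dd2a916d6767a36f1b289339555b1993471952acf4f3ed4813644bf232a68f9",
    "8d8cf767dfd250d81c6f0731458c68992cc0649e",
    "ab02ca10ab74d9ba0bcaff7f62ac2f6e",
}

# Initiating processes named in the false-positive scenarios (assumed list).
KNOWN_BENIGN_INITIATORS = {"bdagent.exe", "wbadmin.exe", "schtasks.exe"}

# Constructed sample rows following the DeviceFileEvents column names used in
# the KQL query; all values are invented for this example.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-15T08:02:11Z", "DeviceName": "ws-042",
     "FileName": "update.exe", "FolderPath": "C:\\Users\\Public\\update.exe",
     "SHA256": "4DD2A916D6767A36F1B289339555B1993471952ACF4F3ED4813644BF232A68F9",
     "SHA1": "", "MD5": "", "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2026-06-15T09:15:00Z", "DeviceName": "ws-017",
     "FileName": "q0001.bdq", "FolderPath": "C:\\ProgramData\\Quarantine\\q0001.bdq",
     "SHA256": "", "SHA1": "", "MD5": "ab02ca10ab74d9ba0bcaff7f62ac2f6e",
     "InitiatingProcessFileName": "bdagent.exe"},
]


def hunt_file_events(events, iocs=MALICIOUS_HASHES,
                     benign_initiators=KNOWN_BENIGN_INITIATORS):
    """Return rows whose SHA256, SHA1 or MD5 is an IOC, newest first.

    Hashes are compared case-insensitively (some sources upper-case them,
    ThreatFox publishes lower-case). Rows started by a listed benign process
    are kept but flagged: a hash IOC hit inside an AV quarantine or backup
    path still deserves an analyst's confirmation rather than silent exclusion.
    """
    iocs = {h.lower() for h in iocs}
    hits = []
    for ev in events:
        matched = [c for c in ("SHA256", "SHA1", "MD5")
                   if (ev.get(c) or "").lower() in iocs]
        if not matched:
            continue
        hits.append({
            "Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
            "FileName": ev["FileName"], "FolderPath": ev["FolderPath"],
            "SHA256": ev["SHA256"], "MatchedOn": matched,
            "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
            "LikelyBenign": ev["InitiatingProcessFileName"].lower() in benign_initiators,
        })
    # ISO-8601 UTC timestamps sort correctly as strings; newest first as in the query.
    hits.sort(key=lambda r: r["Timestamp"], reverse=True)
    return hits
```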