Adversaries are likely deploying Coinminer malware, tracked by the IOCs below, to mine cryptocurrency undetected on compromised systems. SOC teams should proactively hunt for this activity in Azure Sentinel to identify and mitigate cryptocurrency mining before significant resource exhaustion occurs.
IOC Summary
Malware Family: Coinminer
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 4dd2a916d6767a36f1b289339555b1993471952acf4f3ed4813644bf232a68f9 | payload | 2026-06-14 | 95% |
| sha1_hash | 8d8cf767dfd250d81c6f0731458c68992cc0649e | payload | 2026-06-14 | 95% |
| md5_hash | ab02ca10ab74d9ba0bcaff7f62ac2f6e | payload | 2026-06-14 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Coinminer
let malicious_hashes = dynamic(["4dd2a916d6767a36f1b289339555b1993471952acf4f3ed4813644bf232a68f9", "8d8cf767dfd250d81c6f0731458c68992cc0649e", "ab02ca10ab74d9ba0bcaff7f62ac2f6e"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Monitoring Tool Installation
Description: A system administrator installs a legitimate monitoring tool (e.g., Prometheus, Zabbix, or Nagios) that includes a binary with a hash matching a known Coinminer IOC.
Filter/Exclusion: Exclude processes related to known monitoring tools using the process.name field, e.g., process.name = "zabbix_agentd" or process.name = "prometheus".
Scenario: Scheduled Backup Job with Similar Hash
Description: A scheduled backup job (e.g., Veeam, Commvault, or rsync) uses a script or binary with a hash that matches a Coinminer IOC.
Filter/Exclusion: Exclude processes associated with backup tools using the process.name field, e.g., process.name = "veeam" or process.name = "rsync".
Scenario: Admin Task Using Known Coinminer Hash for Debugging
Description: A system administrator uses a Coinminer-related hash for debugging or testing purposes (e.g., in a sandbox or test environment).
Filter/Exclusion: Exclude processes with the user field set to a known admin account (e.g., user = "root" or user = "Administrator") and filter by process.command_line containing terms like "debug" or "test".
Scenario: Legitimate Software Update with Embedded IOC
Description: A software update (e.g., from a vendor like Microsoft, Cisco, or VMware) includes a file with a hash that matches a Coinminer IOC due to a shared library or dependency.
Filter/Exclusion: Exclude files that are part of known software updates using the file.name field, e.g., `file.name = “msvcr100
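The following query is an added example, not part of the original playbook: it runs the same hash hunt over process executions (DeviceProcessEvents) and expresses the exclusion scenarios above using the columns Sentinel actually exposes (FileName, AccountName, ProcessCommandLine) rather than the generic process.name / user fields. The excluded process names and account names are placeholders to tune per environment; because a file name is trivially renamed while a hash is not, treat any hash match that these exclusions suppress as something to review rather than discard.

```kql
// Added example: hash hunt over process executions with tunable exclusions
// for the false-positive scenarios described above. Values in the
// exclusion lists are placeholders, not confirmed-benign indicators.
let malicious_hashes = dynamic(["4dd2a916d6767a36f1b289339555b1993471952acf4f3ed4813644bf232a68f9", "8d8cf767dfd250d81c6f0731458c68992cc0649e", "ab02ca10ab74d9ba0bcaff7f62ac2f6e"]);
// Scenarios 1 and 2: known monitoring and backup tooling (placeholder names)
let excluded_processes = dynamic(["zabbix_agentd.exe", "prometheus.exe", "veeam.exe", "rsync"]);
// Scenario 3: admin debugging/testing accounts (placeholder names)
let admin_accounts = dynamic(["root", "administrator"]);
DeviceProcessEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// Case-insensitive exclusion of the tooling process names
| where FileName !in~ (excluded_processes)
// Exclude admin test runs only when both the account and the command line match
| where not(AccountName in~ (admin_accounts) and (ProcessCommandLine has "debug" or ProcessCommandLine has "test"))
// Collapse repeated executions so each binary/account pair is one row to triage
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Executions = count(), Devices = dcount(DeviceName)
    by FileName, FolderPath, SHA256, AccountName, InitiatingProcessFileName
| order by LastSeen desc
```

Run the query once with the two exclusion `where` clauses commented out and compare row counts; the difference is exactly the set of hash matches the exclusions are hiding.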