xmrig | e6ab57bf15408c7bbc263ceddc341df6df2ffec5e590867d1dc03b5ea17f936c

General

Target

184c9d5da1fa33549b3978e8dd9924d4.exe
Size

6.2MB
MD5

184c9d5da1fa33549b3978e8dd9924d4
SHA1

bdb1af8ed719cbf252aa941082edc8e40988d68f
SHA256

e6ab57bf15408c7bbc263ceddc341df6df2ffec5e590867d1dc03b5ea17f936c
SHA512

0afd402928f7431e555539f6106aaa3ffc783a0ca0c9c0419eef6e2b46440ca798565bbbc74f936794a599e7708a97a274f3a182967d36f7b456f208c850baa6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4636-2-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/4636-3-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 105 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

yara_rule
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx

Drops desktop.ini file(s) 2 IoCs

Processes:

184c9d5da1fa33549b3978e8dd9924d4.exe

description	ioc	process
File created	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	184c9d5da1fa33549b3978e8dd9924d4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 1439 IoCs

Processes:

184c9d5da1fa33549b3978e8dd9924d4.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\hi.pak	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr120.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\DismountDeny.mpa	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\bci.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\de.pak	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\sr.pak	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\uk.pak	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_iio.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklist	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.cpl	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\CompressUnblock.m4a	184c9d5da1fa33549b3978e8dd9924d4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	184c9d5da1fa33549b3978e8dd9924d4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

828 4636 WerFault.exe 184c9d5da1fa33549b3978e8dd9924d4.exe

pid	pid_target	process	target process
828	4636	WerFault.exe	184c9d5da1fa33549b3978e8dd9924d4.exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

T1112

Processes:

184c9d5da1fa33549b3978e8dd9924d4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.hryUVWlmjK.com"	184c9d5da1fa33549b3978e8dd9924d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.YfByULximv.com"	184c9d5da1fa33549b3978e8dd9924d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ZviHZfUpkM.com"	184c9d5da1fa33549b3978e8dd9924d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.NOqLJLfPGV.com"	184c9d5da1fa33549b3978e8dd9924d4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

184c9d5da1fa33549b3978e8dd9924d4.exe

description	pid	process
Token: SeLockMemoryPrivilege	4636	184c9d5da1fa33549b3978e8dd9924d4.exe
Token: SeLockMemoryPrivilege	4636	184c9d5da1fa33549b3978e8dd9924d4.exe

C:\Users\Admin\AppData\Local\Temp\184c9d5da1fa33549b3978e8dd9924d4.exe
"C:\Users\Admin\AppData\Local\Temp\184c9d5da1fa33549b3978e8dd9924d4.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4636 -s 1484
2⤵
- Program crash
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4636-2-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/4636-3-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/4636-6-0x0000000000180000-0x00000000001C0000-memory.dmp

Filesize
256KB

Download
memory/4636-7-0x00000000001C0000-0x00000000001E2000-memory.dmp

Filesize
136KB

Download
memory/4636-8-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads