xmrig | 40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca

Analysis

max time kernel
152s
max time network
143s
platform
windows7_x64
resource
win7v20201028
submitted
15-03-2021 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
Size

1.2MB
MD5

629616cf3527c449d804903309e7ce66
SHA1

90374cb88ca94ed7cc0ec7a0eca33be01e40b6d0
SHA256

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2
SHA512

da12c2757632698ea0ba35261c95a3c712b3f4a2d276b628fba703d2a2c4c2e2d2929c6dc178c1cd18142d6010e54ef9b7b8b8f009ed5b402007bc7cd431fa67

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral29/memory/852-6-0x0000000000400000-0x0000000000516000-memory.dmp	xmrig

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral29/memory/852-4-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral29/memory/852-6-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral29/memory/852-8-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BfWTjSzBAA.url	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe

description	pid	Process	procid_target
PID 1152 set thread context of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe

pid	Process
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exenotepad.exe

description	pid	Process
Token: SeDebugPrivilege	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
Token: SeLockMemoryPrivilege	852	notepad.exe
Token: SeLockMemoryPrivilege	852	notepad.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe

description	pid	Process	procid_target
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30
PID 1152 wrote to memory of 852	1152	7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe	30

C:\Users\Admin\AppData\Local\Temp\7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\WrdJdgYRmg\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WrdJdgYRmg\cfgi

MD5
632bbd48c445912d2c9d9a0311df52b9

SHA1
a726bc979279df32fad8a1cb47a32aba8e1c2426

SHA256
f1fe61476c6a00402b178859757bea2188f23e75bc3b0ae24a793164670e5728

SHA512
4ad9ba45b3611d42f3361eb8208fecc08b5a9ec71e82c38400cc8073b2ef0c8dd582d378ac70aafa5a8389a2d6e67d1fc18e9f7cb86f263f44d3966e8e327153

Download Submit
memory/852-4-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/852-5-0x000000000050F100-mapping.dmp

Download
memory/852-6-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/852-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1152-3-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download