xmrig | 82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68

General

Target

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Size

1.5MB
MD5

823f26a80be46a78c0165bff11c19070
SHA1

d580906a344590011caf1f980143887a4a903c58
SHA256

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68
SHA512

440b0721f5739c3310f73788809619c0cea0f7a46dabe7eb7cd69a99373cd8dda2876b7e49be0d7eaa9d1c7e89dda406e3659be7500050d90f8e707a6998d377

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/916-68-0x0000000000502B90-mapping.dmp	xmrig
behavioral1/memory/916-69-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/916-66-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/916-67-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/916-69-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe

description	pid	Process	procid_target
PID 484 set thread context of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe

pid	Process
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exenotepad.exe

description	pid	Process
Token: SeDebugPrivilege	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
Token: SeLockMemoryPrivilege	916	notepad.exe
Token: SeLockMemoryPrivilege	916	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.execmd.exe

description	pid	Process	procid_target
PID 484 wrote to memory of 840	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	30
PID 484 wrote to memory of 840	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	30
PID 484 wrote to memory of 840	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	30
PID 484 wrote to memory of 840	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	30
PID 840 wrote to memory of 616	840	cmd.exe	32
PID 840 wrote to memory of 616	840	cmd.exe	32
PID 840 wrote to memory of 616	840	cmd.exe	32
PID 840 wrote to memory of 616	840	cmd.exe	32
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33
PID 484 wrote to memory of 916	484	82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe	33

C:\Users\Admin\AppData\Local\Temp\82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe
"C:\Users\Admin\AppData\Local\Temp\82c911654f0ee48371791f470c0998e9a82e8c09df8dcb8a1257b795922a4b68.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    3⤵
    - Drops startup file
    PID:616
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GCxcrhlcfj\cfgi

MD5
8f03e53fb9894dc50349c5cbe1ce8a85

SHA1
7589ea8073fc0c512a40e170629578e44703f163

SHA256
3c4b872f648a7c0fcf05408285fc3b51b2ba0d2dfef811235f65878dc1844a18

SHA512
b3d8d10c68db85c0b203bad11ab901f563f450f8386e88058391fadf952297e5b2ed8d6841c58ab3a87e35c6255757b24ab882a2e6d171408375ee9610f0d745

Download Submit
C:\ProgramData\GCxcrhlcfj\r.vbs

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/484-60-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/484-59-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/616-62-0x0000000000000000-mapping.dmp

Download
memory/840-61-0x0000000000000000-mapping.dmp

Download
memory/916-66-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/916-68-0x0000000000502B90-mapping.dmp

Download
memory/916-69-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/916-67-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/916-71-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/916-72-0x0000000000401000-0x00000000004AD000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads