xmrig | d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

General

Target

f_00011d.exe
Size

868KB
MD5

921211c93c0526423bf3449cb33690ea
SHA1

45eb2f70b41f7e782ff27fe6e419bad0e2f00119
SHA256

d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8
SHA512

574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 2 IoCs

Processes:

dqvbeq.exedqvbeq.exe

pid process

3312 dqvbeq.exe
2256 dqvbeq.exe
Drops file in System32 directory 2 IoCs

Processes:

f_00011d.exe

description ioc process

File created C:\Windows\SysWOW64\dqvbeq.exe f_00011d.exe
File opened for modification C:\Windows\SysWOW64\dqvbeq.exe f_00011d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3312	dqvbeq.exe
2256	dqvbeq.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dqvbeq.exe	f_00011d.exe
File opened for modification	C:\Windows\SysWOW64\dqvbeq.exe	f_00011d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f_00011d.exe

pid	process
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe
2704	f_00011d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f_00011d.exe

description pid process

Token: SeIncBasePriorityPrivilege 2704 f_00011d.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2704	f_00011d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dqvbeq.exef_00011d.exe

description	pid	process	target process
PID 3312 wrote to memory of 2256	3312	dqvbeq.exe	dqvbeq.exe
PID 3312 wrote to memory of 2256	3312	dqvbeq.exe	dqvbeq.exe
PID 3312 wrote to memory of 2256	3312	dqvbeq.exe	dqvbeq.exe
PID 2704 wrote to memory of 3228	2704	f_00011d.exe	cmd.exe
PID 2704 wrote to memory of 3228	2704	f_00011d.exe	cmd.exe
PID 2704 wrote to memory of 3228	2704	f_00011d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f_00011d.exe
"C:\Users\Admin\AppData\Local\Temp\f_00011d.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\f_00011d.exe > nul
2⤵
PID:3228

C:\Windows\SysWOW64\dqvbeq.exe
C:\Windows\SysWOW64\dqvbeq.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\dqvbeq.exe
C:\Windows\SysWOW64\dqvbeq.exe Cool
2⤵
- Executes dropped EXE
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dqvbeq.exe
MD5
921211c93c0526423bf3449cb33690ea

SHA1
45eb2f70b41f7e782ff27fe6e419bad0e2f00119

SHA256
d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

SHA512
574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Download Submit
C:\Windows\SysWOW64\dqvbeq.exe
MD5
921211c93c0526423bf3449cb33690ea

SHA1
45eb2f70b41f7e782ff27fe6e419bad0e2f00119

SHA256
d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

SHA512
574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Download Submit
C:\Windows\SysWOW64\dqvbeq.exe
MD5
921211c93c0526423bf3449cb33690ea

SHA1
45eb2f70b41f7e782ff27fe6e419bad0e2f00119

SHA256
d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8

SHA512
574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f

Download Submit
memory/2256-121-0x0000000000000000-mapping.dmp

Download
memory/2704-115-0x0000000010001000-0x000000001001E000-memory.dmp

Filesize
116KB

Download
memory/2704-116-0x000000001001E000-0x0000000010022000-memory.dmp

Filesize
16KB

Download
memory/3228-125-0x0000000000000000-mapping.dmp

Download
memory/3312-120-0x000000001001E000-0x0000000010022000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing