xmrig | 6000cb4765d6219aeea0210a1ecec6af293e3ee6e330f560e30c043987f5aeb7

General

Target

b598b0ecf0848c10ca61aa23c93ed5f9.exe
Size

91KB
MD5

b598b0ecf0848c10ca61aa23c93ed5f9
SHA1

3dd842fb3ab58046de7f4d4c2f0d28b4404a1c57
SHA256

6000cb4765d6219aeea0210a1ecec6af293e3ee6e330f560e30c043987f5aeb7
SHA512

9aec32b1c79788eee9bf6fd20122603dab131e0c3d5e209e1502583d65a44e012765158ee3f25a07d44b92cc9872dd0af2d92c0dedd058e587f530f47fa0493d

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Drops file in System32 directory 2 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Drops file in Program Files directory 2 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	ioc	process
File created	C:\Program Files (x86)\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

pid	process
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

pid process

1788 b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	pid	process
Token: SeDebugPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: 33	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe
Token: SeIncBasePriorityPrivilege	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b598b0ecf0848c10ca61aa23c93ed5f9.exe

description	pid	process	target process
PID 1788 wrote to memory of 580	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 580	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 580	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 580	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1288	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1288	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1288	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1288	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1856	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1856	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1856	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe
PID 1788 wrote to memory of 1856	1788	b598b0ecf0848c10ca61aa23c93ed5f9.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe
"C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe" "b598b0ecf0848c10ca61aa23c93ed5f9.exe" ENABLE
2⤵
PID:580

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe"
2⤵
PID:1288

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\b598b0ecf0848c10ca61aa23c93ed5f9.exe" "b598b0ecf0848c10ca61aa23c93ed5f9.exe" ENABLE
2⤵
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-56-0x0000000000000000-mapping.dmp

Download
memory/1288-58-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1788-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1856-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads