xmrig | 22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7

General

Target

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
Size

14.8MB
MD5

0167d867d0e0c974d66d6ff02cda9c1c
SHA1

1580c09b356286bb4ab5526ec2367c6c5d36ec0a
SHA256

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7
SHA512

e8ef3047e28d7f237f05bde56b543ad67667e1dd83cde7ecdafa303b12dc33dfa95902b1afb4571a7edff699191b92d05ace1d9add54df2520604aa52c10e6be

Score

10^/10

xmrig evasion miner persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\svchost.exe	xmrig

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3592 svchost.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3592	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe"	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Drops file in Program Files directory 26 IoCs

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Drops file in Windows directory 4 IoCs

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
File opened for modification	C:\Windows\config.json	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File opened for modification	C:\Windows\svchost.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Windows\config.json	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
File created	C:\Windows\svchost.exe	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4372	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
Token: 33	4372	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
Token: SeIncBasePriorityPrivilege	4372	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
Token: SeIncBasePriorityPrivilege	3592	svchost.exe
Token: SeLockMemoryPrivilege	3592	svchost.exe
Token: SeLockMemoryPrivilege	3592	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

pid process

4372 22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

pid	process
4372	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	pid	process	target process
PID 4372 wrote to memory of 3592	4372	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe	svchost.exe
PID 4372 wrote to memory of 3592	4372	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe

C:\Users\Admin\AppData\Local\Temp\22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe
"C:\Users\Admin\AppData\Local\Temp\22b5e969c1621e6065f407f9fb7f71ef21b592982cc75ff402892b399a49e9a7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4372

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\config.json
Filesize
1KB

MD5
88c5c5706d2e237422eda18490dc6a59

SHA1
bb8d12375f6b995301e756de2ef4fa3a3f6efd39

SHA256
4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

SHA512
a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

Download Submit
C:\Windows\svchost.exe
Filesize
833KB

MD5
4a87a4d6677558706db4afaeeeb58d20

SHA1
7738dc6a459f8415f0265d36c626b48202cd6764

SHA256
08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

SHA512
bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

Download Submit
memory/3592-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads