xmrig | e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739

General

Target

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
Size

1.3MB
MD5

e51d77c98e92a06556b09b1bebfbc34a
SHA1

80cb84605a3e861708ee955923f87f69b8d9aaaf
SHA256

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739
SHA512

a03c67719fa39a2c06e9b33f8ba99461a02626ec436f2de541c2a5ea9d206cffb642de2d1409597d27d5f8975884f773c40e7137034f5ab2fc12eb9342fc62a2

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1044-63-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral1/memory/1044-64-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1044-55-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1044-57-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1044-58-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1044-61-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1044-62-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1044-63-0x0000000000400000-0x0000000000626000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe

description	pid	process	target process
PID 1260 set thread context of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe

pid	process
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
Token: SeLockMemoryPrivilege	1044	notepad.exe
Token: SeLockMemoryPrivilege	1044	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.execmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1044	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 1260 wrote to memory of 1480	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 1260 wrote to memory of 1480	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 1260 wrote to memory of 1480	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 1260 wrote to memory of 1480	1260	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 1480 wrote to memory of 1200	1480	cmd.exe	wscript.exe
PID 1480 wrote to memory of 1200	1480	cmd.exe	wscript.exe
PID 1480 wrote to memory of 1200	1480	cmd.exe	wscript.exe
PID 1480 wrote to memory of 1200	1480	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
"C:\Users\Admin\AppData\Local\Temp\e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\EiNJhfkBGQ\cfgi"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\EiNJhfkBGQ\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\EiNJhfkBGQ\r.vbs"
3⤵
- Drops startup file
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EiNJhfkBGQ\cfgi
Filesize
796B

MD5
cee89ca49dd15211d90076ae22b16ffc

SHA1
0f0559c71b5f35c5d613212ed7c34f4a69d3da30

SHA256
f12a7a28340b65d4efacd6ba8c434425a5630c2da8684357656368daf4ad1c6f

SHA512
77ce4e1fac6a57e3381abda53f6fd721c928576b139fc214f713e20d9880602775e77b87b1aa50a71af8b4e58a4365dcbbf0081e72ecefd9f808aab537069f89

Download Submit
C:\ProgramData\EiNJhfkBGQ\r.vbs
Filesize
660B

MD5
8a2c9828d9798fe9b3e4ba311b185c8d

SHA1
8d9c0d1053e9f5368b793c6afd3f2cf5dd51d05b

SHA256
682431149918ecaa1d546dd1fbb66e0110b715448106c11a930627a26e311c47

SHA512
c4827f0224449b2462ec811583f5689d0be3b5c7bb9078665c8ea8641c9878da164cbe2f8f10c1bac0200300037bf88d9def0770aadbec56104b92382f6145da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url
Filesize
73B

MD5
18ce536d947459cf389b8ec26826ad28

SHA1
60e49575cce266679a3a80f1df3a05d319384445

SHA256
ea125aea8b043b8811fe66b129b5e6afb5bc272cb121cbc2ef7c440bc78430c9

SHA512
3cfa58f79fd372d1e1af69cfaa74f4998c52911b484bab7550f387cc181019b57b756a6d2ca143df7fb88fa1d6560b6e547e381dc0834e35529a20c1020bb95a

Download Submit
memory/1044-64-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/1044-65-0x0000000000401000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1044-61-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1044-62-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1044-63-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1044-55-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1044-58-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1044-60-0x0000000000624080-mapping.dmp

Download
memory/1044-67-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1044-68-0x0000000000290000-0x0000000000294000-memory.dmp

Filesize
16KB

Download
memory/1044-57-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1200-70-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1480-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads