xmrig | e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739

General

Target

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
Size

1.3MB
MD5

e51d77c98e92a06556b09b1bebfbc34a
SHA1

80cb84605a3e861708ee955923f87f69b8d9aaaf
SHA256

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739
SHA512

a03c67719fa39a2c06e9b33f8ba99461a02626ec436f2de541c2a5ea9d206cffb642de2d1409597d27d5f8975884f773c40e7137034f5ab2fc12eb9342fc62a2

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2696-135-0x0000000000624080-mapping.dmp	xmrig
behavioral2/memory/2696-138-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral2/memory/2696-141-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2696-130-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/2696-132-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/2696-133-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/2696-136-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/2696-137-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/2696-138-0x0000000000400000-0x0000000000626000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe

description	pid	process	target process
PID 4952 set thread context of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe

pid	process
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
Token: SeLockMemoryPrivilege	2696	notepad.exe
Token: SeLockMemoryPrivilege	2696	notepad.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.execmd.exe

description	pid	process	target process
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 2696	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	notepad.exe
PID 4952 wrote to memory of 1624	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 4952 wrote to memory of 1624	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 4952 wrote to memory of 1624	4952	e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe	cmd.exe
PID 1624 wrote to memory of 1516	1624	cmd.exe	wscript.exe
PID 1624 wrote to memory of 1516	1624	cmd.exe	wscript.exe
PID 1624 wrote to memory of 1516	1624	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe
"C:\Users\Admin\AppData\Local\Temp\e0fbfdd5bb5d283ddbb8693da51c7caf2edc24a7da80478b15489ceb36724739.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\EiNJhfkBGQ\cfgi"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\EiNJhfkBGQ\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\EiNJhfkBGQ\r.vbs"
3⤵
- Drops startup file
PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EiNJhfkBGQ\cfgi
Filesize
796B

MD5
58b43ec26187b4a8fd98d7cb746744cf

SHA1
48b938e4e3bed0e40514f4fd6021b00db7eb7310

SHA256
0c2d1d67e9aca976219e85cdede51d947917d11a205cb630ee1078dbba4d4f42

SHA512
b21a3e20346929f959869cfc997f14a0d8d0fd7c2828a1f5b1a7d07ca785c620741d76e525dfb09c004f62f9a1b2ed2b14ed928bb19b8f9c2dbed8a5a9e5071e

Download Submit
C:\ProgramData\EiNJhfkBGQ\r.vbs
Filesize
660B

MD5
8a2c9828d9798fe9b3e4ba311b185c8d

SHA1
8d9c0d1053e9f5368b793c6afd3f2cf5dd51d05b

SHA256
682431149918ecaa1d546dd1fbb66e0110b715448106c11a930627a26e311c47

SHA512
c4827f0224449b2462ec811583f5689d0be3b5c7bb9078665c8ea8641c9878da164cbe2f8f10c1bac0200300037bf88d9def0770aadbec56104b92382f6145da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dyUtyDAEqS.url
Filesize
73B

MD5
18ce536d947459cf389b8ec26826ad28

SHA1
60e49575cce266679a3a80f1df3a05d319384445

SHA256
ea125aea8b043b8811fe66b129b5e6afb5bc272cb121cbc2ef7c440bc78430c9

SHA512
3cfa58f79fd372d1e1af69cfaa74f4998c52911b484bab7550f387cc181019b57b756a6d2ca143df7fb88fa1d6560b6e547e381dc0834e35529a20c1020bb95a

Download Submit
memory/1516-145-0x0000000000000000-mapping.dmp

Download
memory/1624-144-0x0000000000000000-mapping.dmp

Download
memory/2696-136-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/2696-138-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/2696-137-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/2696-140-0x000001DEE2C60000-0x000001DEE2C70000-memory.dmp

Filesize
64KB

Download
memory/2696-141-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/2696-142-0x0000000000401000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2696-143-0x000001DEE2C70000-0x000001DEE2C74000-memory.dmp

Filesize
16KB

Download
memory/2696-130-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/2696-135-0x0000000000624080-mapping.dmp

Download
memory/2696-133-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/2696-132-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads