xmrig | ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a

General

Target

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
Size

1.3MB
MD5

ce854dd32e1d931cd6a791b30dcd9458
SHA1

0b247814ee8be3926e0dd64e749d7a4f174f96b7
SHA256

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a
SHA512

12cc6264daa1deaf81d59153f8cb9f9ed5b67dd45d6c954706c4a9052807384395ceb008b082e9bf903493dc9e52769fcf91a8295be9beae95655691a72c7e42

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3960-135-0x0000000000624080-mapping.dmp	xmrig
behavioral2/memory/3960-138-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral2/memory/3960-141-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3960-130-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/3960-132-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/3960-133-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/3960-136-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/3960-137-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/3960-138-0x0000000000400000-0x0000000000626000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

description	pid	process	target process
PID 3184 set thread context of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

pid	process
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
Token: SeLockMemoryPrivilege	3960	notepad.exe
Token: SeLockMemoryPrivilege	3960	notepad.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.execmd.exe

description	pid	process	target process
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 3960	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	notepad.exe
PID 3184 wrote to memory of 2852	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	cmd.exe
PID 3184 wrote to memory of 2852	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	cmd.exe
PID 3184 wrote to memory of 2852	3184	ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe	cmd.exe
PID 2852 wrote to memory of 364	2852	cmd.exe	wscript.exe
PID 2852 wrote to memory of 364	2852	cmd.exe	wscript.exe
PID 2852 wrote to memory of 364	2852	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe
"C:\Users\Admin\AppData\Local\Temp\ac4daabcc33e6d296965a9e4b5af21fa43e47f49c58da62c420ebb66694b819a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\iEtHqNVRGt\cfgi"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\iEtHqNVRGt\r.vbs"
3⤵
- Drops startup file
PID:364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\iEtHqNVRGt\cfgi
Filesize
876B

MD5
34bb94db8839a2aaeac48594a3f0ebe8

SHA1
ba81d8aa9c4309a35c8e1f0a58791c3d39bf5edd

SHA256
c09aec150148504183dac3ea39b5d3f04bb1779f27da8cca219e1990071cbede

SHA512
86ebc7ead25933cac0c0668fb5a4d2dea38dabee20f0771a30ffa79d0a852bae19f659ae4b29fce72d4cfd4e26264874fb4566211b03e9dc554e53425b26a592

Download Submit
C:\ProgramData\iEtHqNVRGt\r.vbs
Filesize
654B

MD5
b23a1fc8e307280ef31a642edfce3a21

SHA1
383a780d371e77d5235420d88e951784397fe92d

SHA256
73d8861c33c983a15faa95dddb4cdbc2b4937884e806a7d84bf8442bc7861067

SHA512
04c753ef23e9d8f02f3e022e61efa68ee0c284f4395d4dbbf561a643ff998b377e767e19411b53b382bb4fb8b17fdeb7214bbe3cac14ab40f5aefb396413a0f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zylUYKzaGy.url
Filesize
70B

MD5
0635cf33c47c96c413afe48d40842b84

SHA1
f3c064987470725dea67c15807dbb7efb52fc72b

SHA256
0c7b61e072a3b51c27d9b1beb7751a49fc830973f7f4069c2651af5f049b8dc3

SHA512
bfb65c35d2431eeca8c8635646517e94692d770edc8884d1c297a2b1688946288589196fb3fa409e81a351c894e30693e7d4cfffdfe4fbc85267ac8164483bae

Download Submit
memory/364-145-0x0000000000000000-mapping.dmp

Download
memory/2852-144-0x0000000000000000-mapping.dmp

Download
memory/3960-135-0x0000000000624080-mapping.dmp

Download
memory/3960-138-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/3960-137-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/3960-140-0x000001E0B58D0000-0x000001E0B58E0000-memory.dmp

Filesize
64KB

Download
memory/3960-142-0x0000000000401000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3960-141-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/3960-143-0x000001E0B58E0000-0x000001E0B58E4000-memory.dmp

Filesize
16KB

Download
memory/3960-130-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/3960-136-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/3960-133-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/3960-132-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads