xmrig | 07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3

General

Target

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
Size

1.1MB
MD5

b176cb3017b571848116d94415e2f5b5
SHA1

c3cbae2f86feb6262535e81ed6c3a04a86dec36a
SHA256

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3
SHA512

dc24ee1896bf1777a43c5456bc3646a5f634e24322c4a416736a7fa4e6cfa1b4ba89e0841b979a1e8e0717adab90fd9533a3f708a1ca499f5562206b74db4fd6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/580-69-0x0000000000502B90-mapping.dmp	xmrig
behavioral1/memory/580-72-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/580-74-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/580-64-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/580-66-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/580-67-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/580-70-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/580-71-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/580-72-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe

description	pid	process	target process
PID 1116 set thread context of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe

pid	process
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
Token: SeLockMemoryPrivilege	580	notepad.exe
Token: SeLockMemoryPrivilege	580	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.execmd.exe

description	pid	process	target process
PID 1116 wrote to memory of 2032	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 1116 wrote to memory of 2032	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 1116 wrote to memory of 2032	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 1116 wrote to memory of 2032	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 2032 wrote to memory of 1920	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1920	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1920	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1920	2032	cmd.exe	wscript.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 1116 wrote to memory of 580	1116	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
"C:\Users\Admin\AppData\Local\Temp\07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
3⤵
- Drops startup file
PID:1920

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GCxcrhlcfj\cfgi
Filesize
796B

MD5
08918d7a975799dffafe07001daca258

SHA1
afe0f00cc5edcd2ece7134befd8a9dc4585cd5a0

SHA256
00a9c0104130c58f34d1aa1e1cd67ef23a74d2540e3d6133d2ac1c0512c904ea

SHA512
655e2eda90e28b9ef349fdae74fd1dccdbcb155d00a686e5d5de2de919fb4e219254694dab7ea860fd8a3692b487ab0082f0bf79bf4bddb1eee8b99b38ca45e7

Download Submit
C:\ProgramData\GCxcrhlcfj\r.vbs
Filesize
662B

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url
Filesize
74B

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/580-72-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/580-69-0x0000000000502B90-mapping.dmp

Download
memory/580-75-0x0000000000401000-0x00000000004AD000-memory.dmp

Filesize
688KB

Download
memory/580-74-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/580-71-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/580-70-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/580-64-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/580-66-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/580-67-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1116-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1116-58-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1116-57-0x00000000002D0000-0x0000000000395000-memory.dmp

Filesize
788KB

Download
memory/1116-54-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1116-55-0x00000000002D0000-0x0000000000395000-memory.dmp

Filesize
788KB

Download
memory/1116-76-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1920-60-0x0000000000000000-mapping.dmp

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads