xmrig | 07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3

General

Target

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
Size

1.1MB
MD5

b176cb3017b571848116d94415e2f5b5
SHA1

c3cbae2f86feb6262535e81ed6c3a04a86dec36a
SHA256

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3
SHA512

dc24ee1896bf1777a43c5456bc3646a5f634e24322c4a416736a7fa4e6cfa1b4ba89e0841b979a1e8e0717adab90fd9533a3f708a1ca499f5562206b74db4fd6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4732-143-0x0000000000502B90-mapping.dmp	xmrig
behavioral2/memory/4732-146-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral2/memory/4732-148-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4732-138-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/4732-140-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/4732-141-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/4732-144-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/4732-145-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/4732-146-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe

description	pid	process	target process
PID 4060 set thread context of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe

pid	process
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
Token: SeLockMemoryPrivilege	4732	notepad.exe
Token: SeLockMemoryPrivilege	4732	notepad.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.execmd.exe

description	pid	process	target process
PID 4060 wrote to memory of 4824	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 4060 wrote to memory of 4824	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 4060 wrote to memory of 4824	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	cmd.exe
PID 4824 wrote to memory of 4408	4824	cmd.exe	wscript.exe
PID 4824 wrote to memory of 4408	4824	cmd.exe	wscript.exe
PID 4824 wrote to memory of 4408	4824	cmd.exe	wscript.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe
PID 4060 wrote to memory of 4732	4060	07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe
"C:\Users\Admin\AppData\Local\Temp\07b156cf4c311ee86d9f3785b5300ae9b936167cbe6b85977e7fe428603a43e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
3⤵
- Drops startup file
PID:4408

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GCxcrhlcfj\cfgi
Filesize
796B

MD5
ee6496b9c7d5f487cb599e8e3a848e79

SHA1
33eb9aa08bbf9455f6893ebf3faabfa0d5e681bc

SHA256
b3aba060786023c569ab23563fd17b63e1a0e7dc3cb208612e1958d6b4f0012c

SHA512
5fe0d5a886e718f062cae67168d8bd127da73f4538c2bdd830dac57f8be91e5f8106c0282d3e8851c6a52d44efb25a07427d2b407a7f994fd62c6eec5e83c211

Download Submit
C:\ProgramData\GCxcrhlcfj\r.vbs
Filesize
662B

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url
Filesize
74B

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/4060-130-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4060-131-0x0000000002259000-0x000000000231E000-memory.dmp

Filesize
788KB

Download
memory/4060-132-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4060-133-0x0000000002259000-0x000000000231E000-memory.dmp

Filesize
788KB

Download
memory/4060-150-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4408-135-0x0000000000000000-mapping.dmp

Download
memory/4732-144-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4732-141-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4732-143-0x0000000000502B90-mapping.dmp

Download
memory/4732-140-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4732-145-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4732-146-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4732-138-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4732-148-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/4732-149-0x0000000000401000-0x00000000004AD000-memory.dmp

Filesize
688KB

Download
memory/4824-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads