xmrig | 334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52

General

Target

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
Size

1.2MB
MD5

b82262bcba8aa1c99ddb3983fd084a7b
SHA1

7bc27b6d3bf5d4adfe6fa103184e578d6996b383
SHA256

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52
SHA512

288e8f267c4968dd70b002143294348a608893cdb0371645c22d03715ffb4609ac4ddd5d0ad1580ae7ca3c1f95e1854f61109162924646e8149259dc005b496c

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1000-61-0x0000000000502B90-mapping.dmp	xmrig
behavioral1/memory/1000-65-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1000-69-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig
behavioral1/memory/1000-70-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1000-56-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1000-58-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1000-59-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1000-62-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1000-65-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1000-63-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe

description	pid	process	target process
PID 916 set thread context of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe

pid	process
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
Token: SeLockMemoryPrivilege	1000	notepad.exe
Token: SeLockMemoryPrivilege	1000	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.execmd.exe

description	pid	process	target process
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 1000	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 916 wrote to memory of 272	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 916 wrote to memory of 272	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 916 wrote to memory of 272	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 916 wrote to memory of 272	916	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 272 wrote to memory of 1368	272	cmd.exe	wscript.exe
PID 272 wrote to memory of 1368	272	cmd.exe	wscript.exe
PID 272 wrote to memory of 1368	272	cmd.exe	wscript.exe
PID 272 wrote to memory of 1368	272	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
"C:\Users\Admin\AppData\Local\Temp\334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\migVCTGVwf\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\migVCTGVwf\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\migVCTGVwf\r.vbs"
    3⤵
    - Drops startup file
    PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\migVCTGVwf\cfgi

Filesize
796B

MD5
520e6281bed049119c6dc5da1c32688a

SHA1
d82ea58591318eb62d087e70e59f0f72053086b3

SHA256
e9563aa20f4e6b25aeb74db882ab957677a16efe9500ca16951a0f5c968a5b51

SHA512
7282ddd5d488fd7b4a02371eedbdb6056a389478412151aad54068a3d61f179255aa7cb813b8ba559a11ec104cf95619d498650b98eaf02c13dba9584188aaca

Download Submit
C:\ProgramData\migVCTGVwf\r.vbs

Filesize
664B

MD5
a76a565aee502a607ea922a45df0edcf

SHA1
07fe2d9f2b8358dc8f450fa3abac3512ee44daa1

SHA256
407ec23e6501b06a33c3790daad7f3b53c94cfcef282b8516830f8012a072840

SHA512
fc961e881c3c68dfabde9faf0a4678b8cb59dd764e3a0d5597e6d51f4f83a52e2d7918c2e9a23459100f771ea98710e1a1b43c331773ef08de7d9d83803701e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url

Filesize
75B

MD5
1bb370d3b6d4629347208410b8d2ae45

SHA1
b140baf8f73dc76128567f7316960a2df53658a1

SHA256
c51b1a9feae6da21da9e9005efdd2313560be5b97787aa8dd7dd01da55a1aead

SHA512
19b827a7b8fba48ba58a5f3d36e7df4b6b62422d768421504f446ba7fe34dde0302c0d8cebb247181471e1c88a781848a4659f6e3dceac4692629d14bf541a8a

Download Submit
memory/272-71-0x0000000000000000-mapping.dmp

Download
memory/916-66-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/916-55-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/916-54-0x0000000001E60000-0x0000000001F67000-memory.dmp

Filesize
1.0MB

Download
memory/916-64-0x0000000001E60000-0x0000000001F25000-memory.dmp

Filesize
788KB

Download
memory/1000-59-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1000-62-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1000-67-0x0000000000401000-0x00000000004AD000-memory.dmp

Filesize
688KB

Download
memory/1000-65-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1000-63-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1000-69-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/1000-70-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/1000-61-0x0000000000502B90-mapping.dmp

Download
memory/1000-58-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1000-56-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1368-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads