xmrig | 334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52

General

Target

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
Size

1.2MB
MD5

b82262bcba8aa1c99ddb3983fd084a7b
SHA1

7bc27b6d3bf5d4adfe6fa103184e578d6996b383
SHA256

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52
SHA512

288e8f267c4968dd70b002143294348a608893cdb0371645c22d03715ffb4609ac4ddd5d0ad1580ae7ca3c1f95e1854f61109162924646e8149259dc005b496c

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3960-135-0x0000000000502B90-mapping.dmp	xmrig
behavioral2/memory/3960-138-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral2/memory/3960-142-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig
behavioral2/memory/3960-144-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3960-130-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/3960-132-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/3960-133-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/3960-136-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/3960-137-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral2/memory/3960-138-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe

description	pid	process	target process
PID 1464 set thread context of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe

pid	process
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
Token: SeLockMemoryPrivilege	3960	notepad.exe
Token: SeLockMemoryPrivilege	3960	notepad.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 3960	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	notepad.exe
PID 1464 wrote to memory of 2836	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 1464 wrote to memory of 2836	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 1464 wrote to memory of 2836	1464	334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe	cmd.exe
PID 2836 wrote to memory of 4024	2836	cmd.exe	wscript.exe
PID 2836 wrote to memory of 4024	2836	cmd.exe	wscript.exe
PID 2836 wrote to memory of 4024	2836	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe
"C:\Users\Admin\AppData\Local\Temp\334261cfaaedfd30382aa7096fb783ab11d32159cb3e6fc3f7e777c80b858a52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\migVCTGVwf\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\migVCTGVwf\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\migVCTGVwf\r.vbs"
    3⤵
    - Drops startup file
    PID:4024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\migVCTGVwf\cfgi

Filesize
796B

MD5
afe3f8991f794ff281188055d6055ddb

SHA1
7da942ed5b2e18e0df5d14e50cceede011beb38d

SHA256
14055abbbe3ecc649e79a88c47b0bc55dabe94140e081190e2328e956aa97984

SHA512
942882d722d84bfd4f1bdba7e692d37828e0571a5d38d5a4ca3b68c6136c0a8f491bd41ad5cde099d8660c9d6b8bc654b5d8f55709ba3afe61f250d70159e270

Download Submit
C:\ProgramData\migVCTGVwf\r.vbs

Filesize
664B

MD5
a76a565aee502a607ea922a45df0edcf

SHA1
07fe2d9f2b8358dc8f450fa3abac3512ee44daa1

SHA256
407ec23e6501b06a33c3790daad7f3b53c94cfcef282b8516830f8012a072840

SHA512
fc961e881c3c68dfabde9faf0a4678b8cb59dd764e3a0d5597e6d51f4f83a52e2d7918c2e9a23459100f771ea98710e1a1b43c331773ef08de7d9d83803701e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAUnSdlCkw.url

Filesize
75B

MD5
1bb370d3b6d4629347208410b8d2ae45

SHA1
b140baf8f73dc76128567f7316960a2df53658a1

SHA256
c51b1a9feae6da21da9e9005efdd2313560be5b97787aa8dd7dd01da55a1aead

SHA512
19b827a7b8fba48ba58a5f3d36e7df4b6b62422d768421504f446ba7fe34dde0302c0d8cebb247181471e1c88a781848a4659f6e3dceac4692629d14bf541a8a

Download Submit
memory/1464-140-0x0000000002147000-0x000000000220C000-memory.dmp

Filesize
788KB

Download
memory/1464-141-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2836-145-0x0000000000000000-mapping.dmp

Download
memory/3960-137-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3960-138-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3960-135-0x0000000000502B90-mapping.dmp

Download
memory/3960-130-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3960-142-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/3960-143-0x0000000000401000-0x00000000004AD000-memory.dmp

Filesize
688KB

Download
memory/3960-144-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/3960-136-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3960-133-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/3960-132-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4024-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads