xmrig | e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2

General

Target

e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe
Size

4.7MB
MD5

b81617f91ae5dfc6ba926f807f908ec2
SHA1

569b4c96d628ac2fe57ba7851a28ff48eee19270
SHA256

e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2
SHA512

440220ad23d8313e8d59799bdc04c72b69e34831e9022f4897a4510556115912a295784baeeef82a17ab7ddedc5db41948e0722043eadff43a813d95fcd02545

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4780-156-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4780-157-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/4780-158-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4780-159-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4780-161-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/4780-162-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

mmgaserver.exemmgaserver.exe

pid process

4580 mmgaserver.exe
2004 mmgaserver.exe

pid	process
4580	mmgaserver.exe
2004	mmgaserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mmgaserver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetVPUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\NetVPUpdater.exe\""	mmgaserver.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mmgaserver.exemmgaserver.exe

description	pid	process	target process
PID 4580 set thread context of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 2004 set thread context of 4780	2004	mmgaserver.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemmgaserver.exenotepad.exe

pid	process
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
4580	mmgaserver.exe
4580	mmgaserver.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exemmgaserver.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	4580	mmgaserver.exe
Token: SeShutdownPrivilege	4744	powercfg.exe
Token: SeCreatePagefilePrivilege	4744	powercfg.exe
Token: SeShutdownPrivilege	360	powercfg.exe
Token: SeCreatePagefilePrivilege	360	powercfg.exe
Token: SeShutdownPrivilege	3464	powercfg.exe
Token: SeCreatePagefilePrivilege	3464	powercfg.exe
Token: SeShutdownPrivilege	3544	powercfg.exe
Token: SeCreatePagefilePrivilege	3544	powercfg.exe
Token: SeLockMemoryPrivilege	4780	notepad.exe
Token: SeLockMemoryPrivilege	4780	notepad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

notepad.exe

pid	process
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

notepad.exe

pid	process
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe
4780	notepad.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exemmgaserver.exemmgaserver.execmd.exe

description	pid	process	target process
PID 4556 wrote to memory of 4580	4556	e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe	mmgaserver.exe
PID 4556 wrote to memory of 4580	4556	e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe	mmgaserver.exe
PID 4580 wrote to memory of 2828	4580	mmgaserver.exe	powershell.exe
PID 4580 wrote to memory of 2828	4580	mmgaserver.exe	powershell.exe
PID 4580 wrote to memory of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 4580 wrote to memory of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 4580 wrote to memory of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 4580 wrote to memory of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 4580 wrote to memory of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 4580 wrote to memory of 2004	4580	mmgaserver.exe	mmgaserver.exe
PID 2004 wrote to memory of 5056	2004	mmgaserver.exe	cmd.exe
PID 2004 wrote to memory of 5056	2004	mmgaserver.exe	cmd.exe
PID 5056 wrote to memory of 4744	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 4744	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 360	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 360	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3464	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3464	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3544	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 3544	5056	cmd.exe	powercfg.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe
PID 2004 wrote to memory of 4780	2004	mmgaserver.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe
"C:\Users\Admin\AppData\Local\Temp\e01031275ef9cee42de309d2e23b5d8bb5831aaf8adfad8289472a27192331f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
"C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe eibjreadarlwhqjb0 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKtAojfzUwjTQS8LU11cio3B91Dnx64uJpd+yv3ODgmKtlyHUG4wlRe6qD3C4hnccuCyfObt0sQRm3xP0XSv1OFHH30qIKppKf2w90wbt8GGZsj8u4ML7JuplmjYMl/cqWtRx56XoRsGk8kfCYoJkSJSqQfbO2wc/udqfRyVtvxkb+gHe+1PC0E+8tAVIzQyBaeqj88aWSku1DfJkpu4sDiwLbpA9r9ONPzc75XW+jSgPQvswv8ksqs4Tu0ZWY7rAandbpqmu8t2ISmE+8o+Em9NMn4LWpG81LxGs0LtD5F+1s9fVJt0ChwNtb835D5RStVJiYB7eHxgMpNT8bHWu2Btvm29pw6corXv39uviLDGenOCPpHFK71tjvtw7nmFTnW5T2+yRMlYWgiyOwVY1Z5EkDxgEO5RvIgS8rfPl7WH5TRXdeABsT239oc/4DLkhkUssmapzpnW9lrnvvgGXOEKiqHIdAssGmDJ00Yg5UFFA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmgaserver.exe.log
Filesize
621B

MD5
431293de3fad018871bc380403c6f53c

SHA1
935699de6ea2086cec2612f7716d147ced286768

SHA256
1d7ced4ac3efd413157af7c0d8167ab87f1060c576dc86e5518283874df2b55f

SHA512
b33b49ffb96a325da7b6d77b3c95014b2b6ff985fd6553ce80487789a8d8b56e4e24d0f819108c271146ccd188d1a7d68ba630441b065f9ddb47602297fa6c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
Filesize
462.4MB

MD5
dbf65eb46c976c3e33de7cfbfd87b3aa

SHA1
3b248dbfbd08de1bab883adc72007ef496acad44

SHA256
71b5c16523d15f48c71792701501cd65bc7bdf368ee104f6a71c6b0eb8bca372

SHA512
69020a4cce9e6f94a7bf16b77b902acebf133c8d5d6a2a34ffd35e2fcf74cfc55de7df22c5ab281fde82f693a0322081e8b7f8b3910fb76b3cbfa2064ff74193

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
Filesize
454.5MB

MD5
aeff6084da46cb103be3aedbc9bb1996

SHA1
cbcc66e7db44cde92f0f7acadd81eaddc50f3fa5

SHA256
b113eb62a22afee2a209c7c4f3a14eb8fa4d62b57c1b3f72ae8279f40fc19128

SHA512
6d255550558794486b5b39dacd4063c89c453537562550276654e8b8f6c4de2b1db4562aeb83e3abfcad5cae3131d8ac3cebc49d87171f53e8c88b1ff8146c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmgaserver.exe
Filesize
202.1MB

MD5
fbde723c5279431edcb3afde8532f607

SHA1
59e6827e2e53c7beadf075e925f7e2d2c5ccbedd

SHA256
8b1258dc73f4f8450837ad97dcdea9515e2bd81d41e8db202ad8c2cc6f6c7821

SHA512
7b67ef1bbb4b56ceda6adc979faed70e3da9777a8f20cde8526310318fe6b9384e7fef951ba5e2cce5a4098dd954c865ba636a1c24a47a846a529c92ed61fbca

Download Submit
memory/360-151-0x0000000000000000-mapping.dmp

Download
memory/2004-153-0x0000025598DD0000-0x0000025598DE2000-memory.dmp

Filesize
72KB

Download
memory/2004-155-0x0000025598DF0000-0x0000025598DF6000-memory.dmp

Filesize
24KB

Download
memory/2004-145-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/2004-146-0x0000000000400000-mapping.dmp

Download
memory/2828-126-0x0000000000000000-mapping.dmp

Download
memory/2828-132-0x000002933FAA0000-0x000002933FAC2000-memory.dmp

Filesize
136KB

Download
memory/2828-136-0x000002935A740000-0x000002935A7B6000-memory.dmp

Filesize
472KB

Download
memory/3464-152-0x0000000000000000-mapping.dmp

Download
memory/3544-154-0x0000000000000000-mapping.dmp

Download
memory/4580-124-0x000001D918F30000-0x000001D91936E000-memory.dmp

Filesize
4.2MB

Download
memory/4580-119-0x0000000000000000-mapping.dmp

Download
memory/4580-125-0x000001D900220000-0x000001D90026C000-memory.dmp

Filesize
304KB

Download
memory/4580-123-0x000001D918AD0000-0x000001D918F2E000-memory.dmp

Filesize
4.4MB

Download
memory/4580-122-0x000001D973A80000-0x000001D973EDE000-memory.dmp

Filesize
4.4MB

Download
memory/4744-150-0x0000000000000000-mapping.dmp

Download
memory/4780-156-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4780-157-0x000000014036EAC4-mapping.dmp

Download
memory/4780-158-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4780-159-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4780-160-0x000001AE015A0000-0x000001AE015C0000-memory.dmp

Filesize
128KB

Download
memory/4780-161-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/4780-162-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/5056-149-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads