xmrig | eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675

General

Target

eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
Size

1.8MB
MD5

f92e1254e1a933a527e26140232721d6
SHA1

7b437180af319d4db464f7eaaed54e6bb9ce2526
SHA256

eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675
SHA512

ed67f804a13c86a648ad4be6cbe63402037d71598c259d3f02ddcede84fa5393e2ce5f7fb1cc58db7d9cce721c500d9b606f50a0e7deb926fc271e434ba8e6f5

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/1176-68-0x0000000000624080-mapping.dmp	xmrig
behavioral1/memory/1176-71-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral1/memory/1176-73-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig
behavioral1/memory/1176-77-0x0000000000000000-0x0000000000200000-memory.dmp	xmrig
behavioral1/memory/1176-78-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1176-63-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1176-65-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1176-66-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1176-70-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1176-69-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral1/memory/1176-71-0x0000000000400000-0x0000000000626000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WTeEqNLdqe.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
Token: SeLockMemoryPrivilege	1176	notepad.exe
Token: SeLockMemoryPrivilege	1176	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 588	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	29
PID 1652 wrote to memory of 588	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	29
PID 1652 wrote to memory of 588	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	29
PID 1652 wrote to memory of 588	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	29
PID 588 wrote to memory of 1372	588	cmd.exe	31
PID 588 wrote to memory of 1372	588	cmd.exe	31
PID 588 wrote to memory of 1372	588	cmd.exe	31
PID 588 wrote to memory of 1372	588	cmd.exe	31
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32
PID 1652 wrote to memory of 1176	1652	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	32

C:\Users\Admin\AppData\Local\Temp\eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
"C:\Users\Admin\AppData\Local\Temp\eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\nEzJvZquBf\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\nEzJvZquBf\r.vbs"
    3⤵
    - Drops startup file
    PID:1372
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\nEzJvZquBf\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nEzJvZquBf\cfgi

Filesize
800B

MD5
f8945c0a4feabae1e07e9feae9c7512a

SHA1
7c08103724ae6b77d2cd4988f01225f188ae975b

SHA256
12d9774f777a60c906009eb902c831570caf68ebdc697037696efa11b898867a

SHA512
1eb4819ceecb8a82a1ccc6fc6f04ce1c9edc9a14c787a0ed0bec87bbe76ba7e6c2d7f48f7b59a6b59778de4f8edd730f82a958721113818bc5246e3daaf91568

Download Submit
C:\ProgramData\nEzJvZquBf\r.vbs

Filesize
660B

MD5
d409859af56603061a0b72e8f6535b79

SHA1
3d705a45d05e537f589c863440dbe60b1e5063b3

SHA256
29999515e6085335d6cfbec789387c36559c16a8675e5f1882fb28618ed6d794

SHA512
6754721373e400dcb3b3ce75fe7b6d67a4a077f6416efcf9c358b56f5eb9c2d40a0b59b1d8e4c173bff5a5ec9924a84c2fd3629fdbb6bca437f2763cea74b752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WTeEqNLdqe.url

Filesize
73B

MD5
2d8b5417b1f66ae3a1f63884d9c487ff

SHA1
81e8455bb9150180f9846f3c445e695d06bd7463

SHA256
7cc41e8d2a8ff132f72cbfd0cc8a5bc904fe9ec217f95e61d31d63ce342abf20

SHA512
2adc356d1bf6050786276b3032f7ba1bc64150f36f6ae7fa6913a1f11322840d57dd649ec315d02238049c86d31d0e6b523fe07678b86743522cd2b6c08bab46

Download Submit
memory/1176-70-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1176-69-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1176-80-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/1176-79-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/1176-63-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1176-65-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1176-66-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1176-78-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/1176-77-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/1176-71-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1176-76-0x0000000000000000-0x0000000000200000-memory.dmp

Filesize
2.0MB

Download
memory/1176-73-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/1176-74-0x0000000000401000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1176-75-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1652-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1652-54-0x0000000002080000-0x0000000002231000-memory.dmp

Filesize
1.7MB

Download
memory/1652-56-0x0000000002080000-0x00000000021C5000-memory.dmp

Filesize
1.3MB

Download
memory/1652-57-0x0000000000400000-0x000000000065F000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing