xmrig | eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675

Analysis

max time kernel
175s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
31/07/2022, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
Size

1.8MB
MD5

f92e1254e1a933a527e26140232721d6
SHA1

7b437180af319d4db464f7eaaed54e6bb9ce2526
SHA256

eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675
SHA512

ed67f804a13c86a648ad4be6cbe63402037d71598c259d3f02ddcede84fa5393e2ce5f7fb1cc58db7d9cce721c500d9b606f50a0e7deb926fc271e434ba8e6f5

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/1968-145-0x0000000000400000-0x0000000000626000-memory.dmp	xmrig
behavioral2/memory/1968-147-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig
behavioral2/memory/1968-152-0x000000000058C000-0x0000000000625000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1968-137-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/1968-139-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/1968-140-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/1968-143-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/1968-144-0x0000000000400000-0x0000000000626000-memory.dmp	upx
behavioral2/memory/1968-145-0x0000000000400000-0x0000000000626000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WTeEqNLdqe.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4468 set thread context of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
Token: SeLockMemoryPrivilege	1968	notepad.exe
Token: SeLockMemoryPrivilege	1968	notepad.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1164	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	89
PID 4468 wrote to memory of 1164	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	89
PID 4468 wrote to memory of 1164	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	89
PID 1164 wrote to memory of 2924	1164	cmd.exe	91
PID 1164 wrote to memory of 2924	1164	cmd.exe	91
PID 1164 wrote to memory of 2924	1164	cmd.exe	91
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93
PID 4468 wrote to memory of 1968	4468	eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe	93

C:\Users\Admin\AppData\Local\Temp\eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe
"C:\Users\Admin\AppData\Local\Temp\eb1e5037bd9801af8db8ab0830b56ba5b5fd28a4ffd2d3ab1bcb8bb3866fa675.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\nEzJvZquBf\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\nEzJvZquBf\r.vbs"
    3⤵
    - Drops startup file
    PID:2924
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\nEzJvZquBf\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nEzJvZquBf\cfgi

Filesize
800B

MD5
b30a8c50fd41a1fba0e147a132345bd1

SHA1
009984071571a35bf8fde8930bd34a175ecac4a8

SHA256
11e4116727dc29bd8e4ece5b293a94e571d34e149b60549f3434bc8f4e31cd60

SHA512
df93a37a1486bd69069dddab1c914e072b3bee29b42ce864241bd72ce06c4f0bd2205441607ff26496374d368bd72d9e1d2ee9399bec08e700537b5988579405

Download Submit
C:\ProgramData\nEzJvZquBf\r.vbs

Filesize
660B

MD5
d409859af56603061a0b72e8f6535b79

SHA1
3d705a45d05e537f589c863440dbe60b1e5063b3

SHA256
29999515e6085335d6cfbec789387c36559c16a8675e5f1882fb28618ed6d794

SHA512
6754721373e400dcb3b3ce75fe7b6d67a4a077f6416efcf9c358b56f5eb9c2d40a0b59b1d8e4c173bff5a5ec9924a84c2fd3629fdbb6bca437f2763cea74b752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WTeEqNLdqe.url

Filesize
73B

MD5
2d8b5417b1f66ae3a1f63884d9c487ff

SHA1
81e8455bb9150180f9846f3c445e695d06bd7463

SHA256
7cc41e8d2a8ff132f72cbfd0cc8a5bc904fe9ec217f95e61d31d63ce342abf20

SHA512
2adc356d1bf6050786276b3032f7ba1bc64150f36f6ae7fa6913a1f11322840d57dd649ec315d02238049c86d31d0e6b523fe07678b86743522cd2b6c08bab46

Download Submit
memory/1968-145-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1968-153-0x00000155D9920000-0x00000155D9924000-memory.dmp

Filesize
16KB

Download
memory/1968-137-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1968-139-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1968-140-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1968-152-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/1968-143-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1968-144-0x0000000000400000-0x0000000000626000-memory.dmp

Filesize
2.1MB

Download
memory/1968-151-0x00000155D9B40000-0x00000155D9B44000-memory.dmp

Filesize
16KB

Download
memory/1968-150-0x00000155D9920000-0x00000155D9924000-memory.dmp

Filesize
16KB

Download
memory/1968-147-0x000000000058C000-0x0000000000625000-memory.dmp

Filesize
612KB

Download
memory/1968-148-0x0000000000401000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1968-149-0x00000155D9700000-0x00000155D9710000-memory.dmp

Filesize
64KB

Download
memory/4468-131-0x0000000000400000-0x000000000065F000-memory.dmp

Filesize
2.4MB

Download
memory/4468-130-0x00000000025B8000-0x00000000026FD000-memory.dmp

Filesize
1.3MB

Download
memory/4468-132-0x00000000025B8000-0x00000000026FD000-memory.dmp

Filesize
1.3MB

Download