xmrig | 5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717

General

Target

5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
Size

904KB
MD5

903bd7b89548605115d214e7ee2f877f
SHA1

831c4b9ebb534983d1fc94fd740f053c69f0d29d
SHA256

5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717
SHA512

55fc3a8081d972cc46aecaeb5e615bb219e327feee9b934cbbc1a9e5dbb1c074a48f1368e9971531652c559950e774e39b037a75bde971c90d8f269c41e2ccbc

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/memory/1276-71-0x0000000000400000-0x0000000000504000-memory.dmp	xmrig
behavioral1/memory/1276-73-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig
behavioral1/memory/1276-75-0x00000000004AD000-0x0000000000503000-memory.dmp	xmrig

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1276-63-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1276-65-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1276-66-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1276-69-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1276-70-0x0000000000400000-0x0000000000504000-memory.dmp	upx
behavioral1/memory/1276-71-0x0000000000400000-0x0000000000504000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 600 set thread context of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
Token: SeLockMemoryPrivilege	1276	notepad.exe
Token: SeLockMemoryPrivilege	1276	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 1924	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	29
PID 600 wrote to memory of 1924	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	29
PID 600 wrote to memory of 1924	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	29
PID 600 wrote to memory of 1924	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	29
PID 1924 wrote to memory of 524	1924	cmd.exe	31
PID 1924 wrote to memory of 524	1924	cmd.exe	31
PID 1924 wrote to memory of 524	1924	cmd.exe	31
PID 1924 wrote to memory of 524	1924	cmd.exe	31
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32
PID 600 wrote to memory of 1276	600	5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe	32

C:\Users\Admin\AppData\Local\Temp\5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe
"C:\Users\Admin\AppData\Local\Temp\5ebf11052803eab2accd50cce6d78fe40fb23a3cfa39ee29b09f8e8872577717.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    3⤵
    - Drops startup file
    PID:524
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GCxcrhlcfj\cfgi

Filesize
796B

MD5
c882a2e55d29a1632f5ee00b22c943ff

SHA1
f3604929a65cd7ecff87eef74075826910d98fb6

SHA256
9c8fb1a9768bde6f3f052e065b94561d0aaa42049101f9b356cbd3d3b39ec72f

SHA512
615cc95eff9013f02acbd6f43b1c9f4a50bd13f91826d521c3190b0f2eecb9f7076b320774bb2c486edeec77314b32fdef4cd9dbea5a7da9ac1e95c3107b7f4d

Download Submit
C:\ProgramData\GCxcrhlcfj\r.vbs

Filesize
662B

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url

Filesize
74B

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/600-54-0x0000000000720000-0x00000000007E5000-memory.dmp

Filesize
788KB

Download
memory/600-55-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/600-56-0x0000000000720000-0x00000000007E5000-memory.dmp

Filesize
788KB

Download
memory/600-57-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1276-69-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1276-65-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1276-66-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1276-63-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1276-70-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1276-71-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/1276-73-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download
memory/1276-74-0x0000000000401000-0x00000000004AD000-memory.dmp

Filesize
688KB

Download
memory/1276-75-0x00000000004AD000-0x0000000000503000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing