xmrig | 5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e

General

Target

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
Size

890KB
MD5

39235e9dc0c41d1c834311205707decb
SHA1

fbd32d7135ef784e94b8b0271b846392f7dce36e
SHA256

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e
SHA512

93cb831f6c1a085741fc8e70dd19ac37d3a76e7b3d5a0f6798c6c8ae8e4e1b3ceb9d88be16438739f31528baa272179c4d0f07aad3668d73c8f090ee10114001

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\holystone.exe"	msiexec.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/636-78-0x0000000000400000-0x00000000004ED000-memory.dmp	xmrig
behavioral1/memory/636-80-0x0000000000400000-0x00000000004ED000-memory.dmp	xmrig
behavioral1/memory/636-81-0x0000000000400000-0x00000000004ED000-memory.dmp	xmrig

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/636-74-0x0000000000400000-0x00000000004ED000-memory.dmp	upx
behavioral1/memory/636-76-0x0000000000400000-0x00000000004ED000-memory.dmp	upx
behavioral1/memory/636-77-0x0000000000400000-0x00000000004ED000-memory.dmp	upx
behavioral1/memory/636-78-0x0000000000400000-0x00000000004ED000-memory.dmp	upx
behavioral1/memory/636-80-0x0000000000400000-0x00000000004ED000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe

pid	process
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe

description	pid	process	target process
PID 2016 set thread context of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 1376 set thread context of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe

pid	process
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
Token: SeLockMemoryPrivilege	636	notepad.exe
Token: SeLockMemoryPrivilege	636	notepad.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe

description	pid	process	target process
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1640	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	msiexec.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 2016 wrote to memory of 1376	2016	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe
PID 1376 wrote to memory of 636	1376	5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
"C:\Users\Admin\AppData\Local\Temp\5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
2⤵
- Modifies WinLogon for persistence
PID:1640

C:\Users\Admin\AppData\Local\Temp\5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe
"C:\Users\Admin\AppData\Local\Temp\5b5fb7165b3b08c4bb203335cca2a8b10863ce3624ea5382771092967660a14e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\sHrhJDaCBu\cfgi"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sHrhJDaCBu\cfgi

Filesize
548B

MD5
d84b60d37ea5e8fdb8f69f872f77ed5f

SHA1
6dd312b42ebd731f96f4580d687bb2125d9ddb4b

SHA256
503f536489bc9e69e8f472786690a4da9f69a293fe1788d1165eff0cc90ae01d

SHA512
819d2b0504dab5556c9a8d8be473fcebf48e367220e4a019b4ff422c9c9ecb6d14fc3e6ea840e2d9294f541e8110241af61bc401840668bc8071890336560960

Download Submit
\Users\Admin\AppData\Local\Temp\Hottentot.dll

Filesize
68KB

MD5
bebddeb593fa1302cea66faac25a9e3c

SHA1
9e8cce6ffa83fdc147b6dc83811db52d20261191

SHA256
d7f58fd413f4976dace7b5e6c4c5dd5987a9d919e7c050052060c30a7d169b34

SHA512
0e18ca3bd3c01c6b80301c83c9d964607e5df21bf5536e6f332b9cf84cc9a7c100a8a47deebd9ced8fbefd61549df13473139a2f23f3b98df2ba9f54c6c6fc6a

Download Submit
\Users\Admin\AppData\Local\Temp\nso65C7.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/636-75-0x00000000004E78B0-mapping.dmp

Download
memory/636-81-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/636-80-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/636-78-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/636-77-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/636-76-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/636-74-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1376-59-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-69-0x0000000000403EF0-mapping.dmp

Download
memory/1376-72-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-73-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-68-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-65-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-63-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-61-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1376-60-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1640-58-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2016-57-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads