xmrig | e038d93033cc8788027ff5c045b6bd2beab9b34ef79b80e61d6d1c587bd86e16

General

Target

956117586181a15056ff4420076301c3.exe
Size

3.4MB
MD5

956117586181a15056ff4420076301c3
SHA1

e8ec0f2435bfbb699d944ad86a634c33d509107c
SHA256

e038d93033cc8788027ff5c045b6bd2beab9b34ef79b80e61d6d1c587bd86e16
SHA512

8d299ecc49741ec341e34459ae5e4b6472e190c994a47ba3cdd29d309a169baf54f12451675d1af22fc38c0aed6037d7861e8d9cf60dc664e75981ccbfcfdf35
SSDEEP

98304:ch0ywRz70/W9+68ZBtKe3oWFGNc+sA5loQwMEp+ou/HJ:3yf/W9+DfFGNv5lnEMoOJ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

956117586181a15056ff4420076301c3.exe

description	pid	process	target process
PID 1488 created 1416	1488	956117586181a15056ff4420076301c3.exe	Explorer.EXE
PID 1488 created 1416	1488	956117586181a15056ff4420076301c3.exe	Explorer.EXE
PID 1488 created 1416	1488	956117586181a15056ff4420076301c3.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1796-63-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1796-65-0x0000000000000000-0x0000000001000000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1796-61-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1796-63-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

956117586181a15056ff4420076301c3.exe

description pid process target process

PID 1488 set thread context of 1796 1488 956117586181a15056ff4420076301c3.exe dwm.exe

description	pid	process	target process
PID 1488 set thread context of 1796	1488	956117586181a15056ff4420076301c3.exe	dwm.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

956117586181a15056ff4420076301c3.exedwm.exe

pid	process
1488	956117586181a15056ff4420076301c3.exe
1488	956117586181a15056ff4420076301c3.exe
1488	956117586181a15056ff4420076301c3.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

powercfg.exeWMIC.exepowercfg.exepowercfg.exepowercfg.exedwm.exe

description	pid	process
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeShutdownPrivilege	1464	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe
Token: SeLockMemoryPrivilege	1796	dwm.exe
Token: SeLockMemoryPrivilege	1796	dwm.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

dwm.exe

pid	process
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

dwm.exe

pid	process
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe
1796	dwm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.execmd.exe956117586181a15056ff4420076301c3.exe

description	pid	process	target process
PID 1076 wrote to memory of 1320	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1320	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1320	1076	cmd.exe	powercfg.exe
PID 112 wrote to memory of 2024	112	cmd.exe	WMIC.exe
PID 112 wrote to memory of 2024	112	cmd.exe	WMIC.exe
PID 112 wrote to memory of 2024	112	cmd.exe	WMIC.exe
PID 1076 wrote to memory of 1524	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1524	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1524	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1780	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1780	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1780	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1464	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1464	1076	cmd.exe	powercfg.exe
PID 1076 wrote to memory of 1464	1076	cmd.exe	powercfg.exe
PID 1488 wrote to memory of 1796	1488	956117586181a15056ff4420076301c3.exe	dwm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\956117586181a15056ff4420076301c3.exe
"C:\Users\Admin\AppData\Local\Temp\956117586181a15056ff4420076301c3.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe ilomnyjxaqxbdyoj 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUOWlLosYbrY2pwtQQU1JTuikNmZuGmV+6BbKlyKFD6zdAaaNcQqky2iJHSWRIHnss9X/nab3QoNVM/Ta0kPMjvUxJH02YjP5XrdviLouahJX3Q1zD8omsKRft5FC/3aHRX5nzuLKj6v+l1hD7RDcnRlZOinraqnGRmc1rfZVBSryXdWQXUdRaex46bFg0DdbEVFMZ4l0pshLxALGam+crSqgmoA+SAgVTiLqPU5NWi5uz8p9/Px4ZVwH3rGiyQeauAdOPHdWjMSLjdPXQwzIiHwOAjFFE5CqTkW9rgSKBlevE7bTasEexce14S+TdxAbNPSrsW2DMq8LcazEG7sh428X1gT4o5W2jpf5fY/EMDWCsJla29dmLn/CAr49BWQFG1/pwNMU6xh2tqJf8WnFCSEU3eXDu2G8zQ9IwK7MpQkB1D9krTLyt7WoPvOZQOh0lkfSckQ6jxQVRjaMclifx2Mi/zUH96ZVLzydQh6xfv78=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
memory/1320-54-0x0000000000000000-mapping.dmp

Download
memory/1464-58-0x0000000000000000-mapping.dmp

Download
memory/1524-56-0x0000000000000000-mapping.dmp

Download
memory/1780-57-0x0000000000000000-mapping.dmp

Download
memory/1796-60-0x00000001407F2120-mapping.dmp

Download
memory/1796-61-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1796-62-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/1796-63-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1796-64-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1796-65-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2024-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads