xmrig | e038d93033cc8788027ff5c045b6bd2beab9b34ef79b80e61d6d1c587bd86e16

General

Target

956117586181a15056ff4420076301c3.exe
Size

3.4MB
MD5

956117586181a15056ff4420076301c3
SHA1

e8ec0f2435bfbb699d944ad86a634c33d509107c
SHA256

e038d93033cc8788027ff5c045b6bd2beab9b34ef79b80e61d6d1c587bd86e16
SHA512

8d299ecc49741ec341e34459ae5e4b6472e190c994a47ba3cdd29d309a169baf54f12451675d1af22fc38c0aed6037d7861e8d9cf60dc664e75981ccbfcfdf35
SSDEEP

98304:ch0ywRz70/W9+68ZBtKe3oWFGNc+sA5loQwMEp+ou/HJ:3yf/W9+DfFGNv5lnEMoOJ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

956117586181a15056ff4420076301c3.exe

description	pid	process	target process
PID 3364 created 376	3364	956117586181a15056ff4420076301c3.exe	Explorer.EXE
PID 3364 created 376	3364	956117586181a15056ff4420076301c3.exe	Explorer.EXE
PID 3364 created 376	3364	956117586181a15056ff4420076301c3.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4992-140-0x00007FF693910000-0x00007FF694104000-memory.dmp	xmrig
behavioral2/memory/4992-142-0x00007FF693910000-0x00007FF694104000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4992-140-0x00007FF693910000-0x00007FF694104000-memory.dmp	upx
behavioral2/memory/4992-142-0x00007FF693910000-0x00007FF694104000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

956117586181a15056ff4420076301c3.exe

description pid process target process

PID 3364 set thread context of 4992 3364 956117586181a15056ff4420076301c3.exe dwm.exe

description	pid	process	target process
PID 3364 set thread context of 4992	3364	956117586181a15056ff4420076301c3.exe	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

956117586181a15056ff4420076301c3.exedwm.exe

pid	process
3364	956117586181a15056ff4420076301c3.exe
3364	956117586181a15056ff4420076301c3.exe
3364	956117586181a15056ff4420076301c3.exe
3364	956117586181a15056ff4420076301c3.exe
3364	956117586181a15056ff4420076301c3.exe
3364	956117586181a15056ff4420076301c3.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

powercfg.exeWMIC.exepowercfg.exepowercfg.exepowercfg.exedwm.exe

description	pid	process
Token: SeShutdownPrivilege	2264	powercfg.exe
Token: SeCreatePagefilePrivilege	2264	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeShutdownPrivilege	4224	powercfg.exe
Token: SeCreatePagefilePrivilege	4224	powercfg.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeCreatePagefilePrivilege	1576	powercfg.exe
Token: SeShutdownPrivilege	2888	powercfg.exe
Token: SeCreatePagefilePrivilege	2888	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeLockMemoryPrivilege	4992	dwm.exe
Token: SeLockMemoryPrivilege	4992	dwm.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

dwm.exe

pid	process
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe

Suspicious use of SendNotifyMessage 63 IoCs

Processes:

dwm.exe

pid	process
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe
4992	dwm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.execmd.exe956117586181a15056ff4420076301c3.exe

description	pid	process	target process
PID 1996 wrote to memory of 3724	1996	cmd.exe	WMIC.exe
PID 1996 wrote to memory of 3724	1996	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 2264	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 2264	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 4224	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 4224	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 1576	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 1576	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 2888	2356	cmd.exe	powercfg.exe
PID 2356 wrote to memory of 2888	2356	cmd.exe	powercfg.exe
PID 3364 wrote to memory of 4992	3364	956117586181a15056ff4420076301c3.exe	dwm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\956117586181a15056ff4420076301c3.exe
"C:\Users\Admin\AppData\Local\Temp\956117586181a15056ff4420076301c3.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe ilomnyjxaqxbdyoj 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUOWlLosYbrY2pwtQQU1JTuikNmZuGmV+6BbKlyKFD6zdAaaNcQqky2iJHSWRIHnss9X/nab3QoNVM/Ta0kPMjvUxJH02YjP5XrdviLouahJX3Q1zD8omsKRft5FC/3aHRX5nzuLKj6v+l1hD7RDcnRlZOinraqnGRmc1rfZVBSryXdWQXUdRaex46bFg0DdbEVFMZ4l0pshLxALGam+crSqgmoA+SAgVTiLqPU5NWi5uz8p9/Px4ZVwH3rGiyQeauAdOPHdWjMSLjdPXQwzIiHwOAjFFE5CqTkW9rgSKBlevE7bTasEexce14S+TdxAbNPSrsW2DMq8LcazEG7sh428X1gT4o5W2jpf5fY/EMDWCsJla29dmLn/CAr49BWQFG1/pwNMU6xh2tqJf8WnFCSEU3eXDu2G8zQ9IwK7MpQkB1D9krTLyt7WoPvOZQOh0lkfSckQ6jxQVRjaMclifx2Mi/zUH96ZVLzydQh6xfv78=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
memory/1576-135-0x0000000000000000-mapping.dmp

Download
memory/2264-133-0x0000000000000000-mapping.dmp

Download
memory/2888-136-0x0000000000000000-mapping.dmp

Download
memory/3724-132-0x0000000000000000-mapping.dmp

Download
memory/4224-134-0x0000000000000000-mapping.dmp

Download
memory/4992-140-0x00007FF693910000-0x00007FF694104000-memory.dmp

Filesize
8.0MB

Download
memory/4992-139-0x000002C520A10000-0x000002C520A30000-memory.dmp

Filesize
128KB

Download
memory/4992-138-0x00007FF694102120-mapping.dmp

Download
memory/4992-141-0x000002C520A50000-0x000002C520A90000-memory.dmp

Filesize
256KB

Download
memory/4992-142-0x00007FF693910000-0x00007FF694104000-memory.dmp

Filesize
8.0MB

Download
memory/4992-143-0x000002C520BE0000-0x000002C520C00000-memory.dmp

Filesize
128KB

Download
memory/4992-144-0x000002C520BE0000-0x000002C520C00000-memory.dmp

Filesize
128KB

Download
memory/4992-145-0x000002C520BE0000-0x000002C520C00000-memory.dmp

Filesize
128KB

Download
memory/4992-146-0x000002C520C20000-0x000002C520C40000-memory.dmp

Filesize
128KB

Download
memory/4992-147-0x000002C520BE0000-0x000002C520C00000-memory.dmp

Filesize
128KB

Download
memory/4992-148-0x000002C520C20000-0x000002C520C40000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads