xmrig | 83a324111ace2b17e6b5d1e561cd2c3a640ac8e1e548351990e985ddb097ccef

Analysis

max time kernel
17s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2023 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.5MB
MD5

57ffc58217a06cee47323a2fdf337da4
SHA1

a68e4d48bf9cb79adfac09808a49a1dca11aa5b9
SHA256

83a324111ace2b17e6b5d1e561cd2c3a640ac8e1e548351990e985ddb097ccef
SHA512

bc073cd8dcaaf51a006b930036ca8aced6cdcb1dfe6ec55b9089375156a8cd34658ba18c3b3400ccbe470693493812c9afb8992ed9aa7446d9d6605b4bc25f4e
SSDEEP

49152:dTNaLsxLy06NWtWN1u9Ij18Ca5Ym0+XezmIoq9sWIOCY3h3zUeW7tesTex9Xr:5NtWLNW+49A8C3mpemp/8dzU77teN

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/1472-67-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-68-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-70-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-71-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-72-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-73-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-74-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-76-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-77-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-80-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-81-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-82-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1472-83-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2968	kcqzmlprzsem.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1472-62-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-65-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-66-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-64-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-63-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-67-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-68-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-70-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-71-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-72-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-73-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-74-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-76-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-77-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-80-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-81-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-82-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1472-83-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	tmp.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4040	sc.exe
4328	sc.exe
732	sc.exe
2920	sc.exe
2464	sc.exe
3872	sc.exe
1692	sc.exe
3860	sc.exe
2460	sc.exe
4004	sc.exe
3144	sc.exe
4144	sc.exe
2752	sc.exe
1216	sc.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
5064	tmp.exe
5004	powershell.exe
5004	powershell.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
5064	tmp.exe
2968	kcqzmlprzsem.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5064	tmp.exe
Token: SeShutdownPrivilege	4388	powercfg.exe
Token: SeCreatePagefilePrivilege	4388	powercfg.exe
Token: SeShutdownPrivilege	1224	powercfg.exe
Token: SeCreatePagefilePrivilege	1224	powercfg.exe
Token: SeShutdownPrivilege	4952	powercfg.exe
Token: SeCreatePagefilePrivilege	4952	powercfg.exe
Token: SeShutdownPrivilege	2940	powercfg.exe
Token: SeCreatePagefilePrivilege	2940	powercfg.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4648	3888	cmd.exe	111
PID 3888 wrote to memory of 4648	3888	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2920
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "LSDGGSJY"
  2⤵
  - Launches sc.exe
  PID:3144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "LSDGGSJY"
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2464
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "LSDGGSJY" binpath= "C:\ProgramData\kgaambdkeiog\kcqzmlprzsem.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2460

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\ProgramData\kgaambdkeiog\kcqzmlprzsem.exe
C:\ProgramData\kgaambdkeiog\kcqzmlprzsem.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3872
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4040
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1472
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1240
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2036
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:4828
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:404
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:3860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4328
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2824

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kgaambdkeiog\kcqzmlprzsem.exe

Filesize
119KB

MD5
ed90ba8a174f6939739a760a21ed32d7

SHA1
cbc453c7dcffc0b85274dbb624d786cf1b2d331b

SHA256
ea870fa65fab554f586c902d3a86bb471bed4c8e163d467598adbef648c2a3c0

SHA512
20ae39864c4d02ed848cba5d72d24304f14c845a439c8aa92a77b4f18a4929892dc1f1fc9ed16e8958a827a2408b8ef5d37866c845bdc0554676102913ad66fa

Download Submit
C:\ProgramData\kgaambdkeiog\kcqzmlprzsem.exe

Filesize
96KB

MD5
b8d016be6664a9e340d158bdadeedcab

SHA1
0ae14dc37af5a583f5c9ba5ab3d409631cce5bde

SHA256
592e0dfae974bbb611ca4cfc0fe845781dafe0d978f4de2fd070ad36c35dcc6a

SHA512
8ea5a94a7e9e887e70cfaa528fe73618c7ab5ad0838d1f1cc1eb3bc9f64d38e1c68b779c26305063d949666dbcc85a9b47720fe701eb6e36bfc545b620cd6271

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1etosirn.wim.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1240-55-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1240-54-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1240-56-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1240-58-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1240-60-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1240-57-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1472-73-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-76-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-87-0x00000000114A0000-0x00000000114C0000-memory.dmp

Filesize
128KB

Download
memory/1472-86-0x0000000011480000-0x00000000114A0000-memory.dmp

Filesize
128KB

Download
memory/1472-83-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-84-0x0000000011480000-0x00000000114A0000-memory.dmp

Filesize
128KB

Download
memory/1472-85-0x00000000114A0000-0x00000000114C0000-memory.dmp

Filesize
128KB

Download
memory/1472-82-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-81-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-80-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-79-0x0000000011680000-0x00000000116A0000-memory.dmp

Filesize
128KB

Download
memory/1472-78-0x0000000011680000-0x00000000116A0000-memory.dmp

Filesize
128KB

Download
memory/1472-77-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-75-0x0000000001340000-0x0000000001380000-memory.dmp

Filesize
256KB

Download
memory/1472-74-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-72-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-62-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-65-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-66-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-64-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-63-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-67-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-68-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-69-0x0000000000A00000-0x0000000000A20000-memory.dmp

Filesize
128KB

Download
memory/1472-70-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1472-71-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2040-46-0x0000018A6BC70000-0x0000018A6BC8A000-memory.dmp

Filesize
104KB

Download
memory/2040-42-0x0000018A6BA00000-0x0000018A6BAB5000-memory.dmp

Filesize
724KB

Download
memory/2040-30-0x0000018A68E90000-0x0000018A68EA0000-memory.dmp

Filesize
64KB

Download
memory/2040-41-0x0000018A6B9E0000-0x0000018A6B9FC000-memory.dmp

Filesize
112KB

Download
memory/2040-50-0x0000018A68E90000-0x0000018A68EA0000-memory.dmp

Filesize
64KB

Download
memory/2040-28-0x00007FF917A80000-0x00007FF918541000-memory.dmp

Filesize
10.8MB

Download
memory/2040-53-0x00007FF917A80000-0x00007FF918541000-memory.dmp

Filesize
10.8MB

Download
memory/2040-43-0x0000018A6BAC0000-0x0000018A6BACA000-memory.dmp

Filesize
40KB

Download
memory/2040-31-0x0000018A68E90000-0x0000018A68EA0000-memory.dmp

Filesize
64KB

Download
memory/2040-44-0x0000018A6BC30000-0x0000018A6BC4C000-memory.dmp

Filesize
112KB

Download
memory/2040-29-0x0000018A68E90000-0x0000018A68EA0000-memory.dmp

Filesize
64KB

Download
memory/2040-49-0x0000018A6BC60000-0x0000018A6BC6A000-memory.dmp

Filesize
40KB

Download
memory/2040-48-0x0000018A6BC50000-0x0000018A6BC56000-memory.dmp

Filesize
24KB

Download
memory/2040-47-0x0000018A6BC20000-0x0000018A6BC28000-memory.dmp

Filesize
32KB

Download
memory/2040-45-0x0000018A6BC10000-0x0000018A6BC1A000-memory.dmp

Filesize
40KB

Download
memory/5004-10-0x00007FF917A80000-0x00007FF918541000-memory.dmp

Filesize
10.8MB

Download
memory/5004-11-0x000001D02D2A0000-0x000001D02D2B0000-memory.dmp

Filesize
64KB

Download
memory/5004-6-0x000001D02F510000-0x000001D02F532000-memory.dmp

Filesize
136KB

Download
memory/5004-15-0x00007FF917A80000-0x00007FF918541000-memory.dmp

Filesize
10.8MB

Download
memory/5004-12-0x000001D02D2A0000-0x000001D02D2B0000-memory.dmp

Filesize
64KB

Download