xmrig | ea153b96720e1b4aa3254461b4590c8001741bf7d3175eb4cf408a8491ef1b2c

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jfoexoooossy.exe
Size

2.1MB
MD5

b30732b41cee8453c47f69226ca99092
SHA1

65ea374ed8353ec8d350c8533e27364affe8aa73
SHA256

ea153b96720e1b4aa3254461b4590c8001741bf7d3175eb4cf408a8491ef1b2c
SHA512

dec23d3d468b98edf8b5541d71d82ed096d1df6ff09f1eb81292d2f88ac7512c8214665ae0292bc1a1622fabd833feb6b4a17a1007315e929c84aa977fa05fcd
SSDEEP

49152:j6a0HybMEGOpFJ6YnI6e14DxoPWjmXNA0i+OawIiRIzH4ALTockr:j90HybsOpFJ6YnMyDyPWyHtwIieDLTir

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2824-23-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-24-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-26-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-27-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-28-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-29-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-30-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-31-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2824-32-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
472	Process not Found
2648	jfoexoooossy.exe

Loads dropped DLL 1 IoCs

pid	Process
472	Process not Found

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2472-0-0x000000013F230000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2472-1-0x000000013F230000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2472-3-0x000000013F230000-0x000000013F4C1000-memory.dmp	upx
behavioral1/files/0x0031000000015609-6.dat	upx
behavioral1/files/0x0031000000015609-5.dat	upx
behavioral1/files/0x0031000000015609-4.dat	upx
behavioral1/memory/2648-7-0x000000013FB20000-0x000000013FDB1000-memory.dmp	upx
behavioral1/files/0x0031000000015609-17.dat	upx
behavioral1/memory/2824-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-21-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2648-20-0x000000013FB20000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2824-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-24-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-26-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-27-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-28-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-29-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-30-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-31-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2824-32-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2820	2648	jfoexoooossy.exe	38
PID 2648 set thread context of 2824	2648	jfoexoooossy.exe	37

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2680	sc.exe
2768	sc.exe
2776	sc.exe
2632	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	jfoexoooossy.exe
2472	jfoexoooossy.exe
2472	jfoexoooossy.exe
2472	jfoexoooossy.exe
2648	jfoexoooossy.exe
2648	jfoexoooossy.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2824	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2820	2648	jfoexoooossy.exe	38
PID 2648 wrote to memory of 2824	2648	jfoexoooossy.exe	37
PID 2648 wrote to memory of 2824	2648	jfoexoooossy.exe	37
PID 2648 wrote to memory of 2824	2648	jfoexoooossy.exe	37
PID 2648 wrote to memory of 2824	2648	jfoexoooossy.exe	37
PID 2648 wrote to memory of 2824	2648	jfoexoooossy.exe	37

C:\Users\Admin\AppData\Local\Temp\jfoexoooossy.exe
"C:\Users\Admin\AppData\Local\Temp\jfoexoooossy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "DCUZTBOO"
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "DCUZTBOO" binpath= "C:\ProgramData\eqosagsnmxua\jfoexoooossy.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2680
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2768
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "DCUZTBOO"
  2⤵
  - Launches sc.exe
  PID:2776

C:\ProgramData\eqosagsnmxua\jfoexoooossy.exe
C:\ProgramData\eqosagsnmxua\jfoexoooossy.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eqosagsnmxua\jfoexoooossy.exe

Filesize
325KB

MD5
5964717b677b301ef0879f27bf37594c

SHA1
fdca43854dcaa395e305544335202484c8228896

SHA256
b23917cbab066e90bf3942d905761dd9c28270c363c6a56aa372cdfe1bb19655

SHA512
364600b252d46ec431a0db793bca6ca54cc09034474fdc90f75dc6857e7f16c1989a86e1f09912e6be98963072b09079b0630f62f7fa33ada625a6c417e376c6

Download Submit
C:\ProgramData\eqosagsnmxua\jfoexoooossy.exe

Filesize
105KB

MD5
787b4e84de0eafa0d30c19607abf900e

SHA1
81c4fb3dae6d9df245097a002ba1002f811566a3

SHA256
c0a878872f9984dc9ecc7ccbaa4c5e66c40c15840db3034b27d450b5f5a0e521

SHA512
984f8f7f3f76825716f131593806ec65689de39eb4265210ba4b11d67616e2cae707204890335cfce085a01c7155101a33326495eb8304a3b89017f984a31438

Download Submit
\ProgramData\eqosagsnmxua\jfoexoooossy.exe

Filesize
96KB

MD5
d957c7cc8c25d26d9232af5d8d14f274

SHA1
0e74186c7f457369f4c787d8d59ff3d84306e6fe

SHA256
03f9d1d90a3b148ec89145ff3292aa25f807a8e15d89d4e361edf81ae1ed54f7

SHA512
4b3f397fd174adf59c4700dd64fca23a239f036853e11cedf63ad21f45458720b0edba4891a6688f29a88b908a62eff9c3d90f954954697d98165cdcf9796d5f

Download Submit
\ProgramData\eqosagsnmxua\jfoexoooossy.exe

Filesize
128KB

MD5
5c6bed18005498dc2937ec0f3c010a18

SHA1
0416b8a73b444b4a7fe1de75a956f6c0b369ce3b

SHA256
10ea023d6694ae3f5fa2bbb0960a83db199bb81f43362498cfb78c125ba867e8

SHA512
042c79554f05f6340e992821e0b2e568cb18815f284282a600b8a293ab6795b1f157e3768fee6a1093006718f3a2992c6cc907c187c47dbeeff98c56c005bd44

Download Submit
memory/2472-1-0x000000013F230000-0x000000013F4C1000-memory.dmp

Filesize
2.6MB

Download
memory/2472-0-0x000000013F230000-0x000000013F4C1000-memory.dmp

Filesize
2.6MB

Download
memory/2472-3-0x000000013F230000-0x000000013F4C1000-memory.dmp

Filesize
2.6MB

Download
memory/2648-20-0x000000013FB20000-0x000000013FDB1000-memory.dmp

Filesize
2.6MB

Download
memory/2648-7-0x000000013FB20000-0x000000013FDB1000-memory.dmp

Filesize
2.6MB

Download
memory/2820-15-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2820-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2820-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2820-12-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2820-11-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2820-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2824-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-27-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-21-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-24-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-25-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/2824-26-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-28-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-29-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-30-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-31-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-32-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2824-33-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download
memory/2824-34-0x0000000000300000-0x0000000000320000-memory.dmp

Filesize
128KB

Download