xmrig | bd814e7ed78662f065287a80983a1846907fd443e654f38fca9001b66a6cfc00

General

Target

03e9cb07a5d44383f5b9bc58d8964fc0.exe
Size

2.3MB
MD5

03e9cb07a5d44383f5b9bc58d8964fc0
SHA1

9a0c811639b49afa29f7cf5f02541b52a4352f62
SHA256

bd814e7ed78662f065287a80983a1846907fd443e654f38fca9001b66a6cfc00
SHA512

d881636887ce9adefecad86e5132f369b4ec998b31f861081e01e97980e04b59d7d094190a882d8c3014f7215ddeb02f392d7f4cf7a25da96b3eac4558d9bc00
SSDEEP

49152:csPkmam6ZeFalhXhM6sxU4q/iTTXn+hJfyDtnvY9:cor60clhC6sxUN4y7I12

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/3024-18-0x0000000000400000-0x000000000070F000-memory.dmp	xmrig
behavioral2/memory/3024-21-0x0000000000400000-0x000000000070F000-memory.dmp	xmrig
behavioral2/memory/3024-36-0x0000000000400000-0x000000000070F000-memory.dmp	xmrig

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3024-11-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-13-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-14-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-16-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-17-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-18-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-21-0x0000000000400000-0x000000000070F000-memory.dmp	upx
behavioral2/memory/3024-36-0x0000000000400000-0x000000000070F000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 2300	1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe	89
PID 2300 set thread context of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe
1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe
Token: SeLockMemoryPrivilege	3024	notepad.exe
Token: SeLockMemoryPrivilege	3024	notepad.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2300	1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe	89
PID 1876 wrote to memory of 2300	1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe	89
PID 1876 wrote to memory of 2300	1876	03e9cb07a5d44383f5b9bc58d8964fc0.exe	89
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90
PID 2300 wrote to memory of 3024	2300	03e9cb07a5d44383f5b9bc58d8964fc0.exe	90

C:\Users\Admin\AppData\Local\Temp\03e9cb07a5d44383f5b9bc58d8964fc0.exe
"C:\Users\Admin\AppData\Local\Temp\03e9cb07a5d44383f5b9bc58d8964fc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\03e9cb07a5d44383f5b9bc58d8964fc0.exe
  "C:\Users\Admin\AppData\Local\Temp\03e9cb07a5d44383f5b9bc58d8964fc0.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\notepad.exe
    "C:\Windows\notepad.exe" -c "C:\ProgramData\rliQSisJaf\cfgi"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rliQSisJaf\cfgi

Filesize
1KB

MD5
b5f6e1fb86e75287e6c27cb226ca7054

SHA1
efcaa2abc30bcf0ff4026d9643a7df6942f85480

SHA256
9e4847c0078af63ce97eafa447d87aea3115a258181d85f2e8d8387cee9044ce

SHA512
754bbe401a3763a82ca9dcd048c3200043ae557d52a6590b4915e2d5835da01e345c5d00467dc4278f50569dfdcbc1d189d523059b40073dfaf0b54618bb7b4b

Download Submit
memory/1876-2-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/1876-3-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1876-8-0x0000000000400000-0x000000000064D000-memory.dmp

Filesize
2.3MB

Download
memory/1876-0-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2300-4-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2300-6-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2300-7-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2300-23-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3024-22-0x000001E32CC60000-0x000001E32CC70000-memory.dmp

Filesize
64KB

Download
memory/3024-30-0x000001E3C11F0000-0x000001E3C1200000-memory.dmp

Filesize
64KB

Download
memory/3024-17-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-18-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-19-0x000001E32CC40000-0x000001E32CC50000-memory.dmp

Filesize
64KB

Download
memory/3024-14-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-21-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-13-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-11-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-25-0x000001E32CC70000-0x000001E32CC80000-memory.dmp

Filesize
64KB

Download
memory/3024-26-0x000001E32CC80000-0x000001E32CC90000-memory.dmp

Filesize
64KB

Download
memory/3024-28-0x000001E3C0DB0000-0x000001E3C0DC0000-memory.dmp

Filesize
64KB

Download
memory/3024-27-0x000001E32CC90000-0x000001E32CCA0000-memory.dmp

Filesize
64KB

Download
memory/3024-16-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-29-0x000001E3C0FD0000-0x000001E3C0FE0000-memory.dmp

Filesize
64KB

Download
memory/3024-31-0x000001E3C1410000-0x000001E3C1420000-memory.dmp

Filesize
64KB

Download
memory/3024-32-0x000001E3C1630000-0x000001E3C1640000-memory.dmp

Filesize
64KB

Download
memory/3024-36-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/3024-38-0x000001E32CC70000-0x000001E32CC80000-memory.dmp

Filesize
64KB

Download
memory/3024-39-0x000001E32CC80000-0x000001E32CC90000-memory.dmp

Filesize
64KB

Download
memory/3024-40-0x000001E32CC90000-0x000001E32CCA0000-memory.dmp

Filesize
64KB

Download
memory/3024-42-0x000001E3C0DB0000-0x000001E3C0DC0000-memory.dmp

Filesize
64KB

Download
memory/3024-43-0x000001E3C0FD0000-0x000001E3C0FE0000-memory.dmp

Filesize
64KB

Download
memory/3024-45-0x000001E3C1410000-0x000001E3C1420000-memory.dmp

Filesize
64KB

Download
memory/3024-46-0x000001E3C1630000-0x000001E3C1640000-memory.dmp

Filesize
64KB

Download
memory/3024-44-0x000001E3C11F0000-0x000001E3C1200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing