xmrig | 388de88bdd7a04e719487b10de6103ded5c88e354f8c269e012901884ee7527d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/1408-15-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-16-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1408-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	iojmibhyhiws.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 3824	4140	iojmibhyhiws.exe	100
PID 4140 set thread context of 1408	4140	iojmibhyhiws.exe	101

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5560	sc.exe
5956	sc.exe
5308	sc.exe
5252	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4032	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
4032	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
4032	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
4032	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
4032	50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
4140	iojmibhyhiws.exe
4140	iojmibhyhiws.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe
1408	conhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1408	conhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5360 wrote to memory of 2480	5360	cmd.exe	98
PID 5360 wrote to memory of 2480	5360	cmd.exe	98
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 3824	4140	iojmibhyhiws.exe	100
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101
PID 4140 wrote to memory of 1408	4140	iojmibhyhiws.exe	101

C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe
"C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4032
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:5560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:5956
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:5308
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:5252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5360
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2480

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3824
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
2.9MB

MD5
b80bcdc0379796ceb862fdcdc710153d

SHA1
9a8376f8eecefda3b8c69a036cab7920c0445a93

SHA256
4bd6697d8010b90a04486a0ccc27743bf5beb7849a0962c22d00c0dbe941c661

SHA512
411d7bd2b05d45ad26e9637dd6777889e1a51b6613b1ea4ccba6bc02b8201df8939e00cf83e99bea646709dc38aeb42e46a4963164e61e625f219934635e9752

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
2.0MB

MD5
5ffcde0b799cb4c5b040022752ea3649

SHA1
dbe51533d24881e9afb7c8cdc3e5d55049ee3320

SHA256
a9a3fd82ffc55eae7d0c3a0912f71c119cdb46156ac771e24fbdd2d48f87d8b3

SHA512
09d3bf6ff1565d8625229f69a11e0379df0b38e8adab47ad80928f98aedafcc120073df6e095ad23501a0941775ba76a2352ac479b88426329ef1e6492a87d8f

Download Submit
memory/1408-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-16-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-35-0x000001D985D20000-0x000001D985D40000-memory.dmp

Filesize
128KB

Download
memory/1408-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-32-0x000001D985D00000-0x000001D985D20000-memory.dmp

Filesize
128KB

Download
memory/1408-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-14-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-15-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-36-0x000001D985D20000-0x000001D985D40000-memory.dmp

Filesize
128KB

Download
memory/1408-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1408-26-0x000001D985510000-0x000001D985530000-memory.dmp

Filesize
128KB

Download
memory/1408-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3824-13-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3824-5-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3824-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3824-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3824-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3824-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4032-0-0x00007FF65FD70000-0x00007FF6607AD000-memory.dmp

Filesize
10.2MB

Download
memory/4032-2-0x00007FF65FD70000-0x00007FF6607AD000-memory.dmp

Filesize
10.2MB

Download
memory/4140-24-0x00007FF71DF90000-0x00007FF71E9CD000-memory.dmp

Filesize
10.2MB

Download
memory/4140-6-0x00007FF71DF90000-0x00007FF71E9CD000-memory.dmp

Filesize
10.2MB

Download