xmrig | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

General

Target

tmp.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3572-15-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-16-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3572-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Executes dropped EXE 1 IoCs

Processes:

iojmibhyhiws.exe

pid process

3096 iojmibhyhiws.exe

pid	process
3096	iojmibhyhiws.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iojmibhyhiws.exe

description	pid	process	target process
PID 3096 set thread context of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 set thread context of 3572	3096	iojmibhyhiws.exe	conhost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3724 sc.exe
4856 sc.exe
4144 sc.exe
1144 sc.exe

pid	process
3724	sc.exe
4856	sc.exe
4144	sc.exe
1144	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exeiojmibhyhiws.execonhost.exe

pid	process
1960	tmp.exe
1960	tmp.exe
1960	tmp.exe
1960	tmp.exe
1960	tmp.exe
3096	iojmibhyhiws.exe
3096	iojmibhyhiws.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe
3572	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

conhost.exe

description pid process

Token: SeLockMemoryPrivilege 3572 conhost.exe

pid	process
672

description	pid	process
Token: SeLockMemoryPrivilege	3572	conhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exeiojmibhyhiws.exe

description	pid	process	target process
PID 4692 wrote to memory of 1844	4692	cmd.exe	choice.exe
PID 4692 wrote to memory of 1844	4692	cmd.exe	choice.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 2708	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe
PID 3096 wrote to memory of 3572	3096	iojmibhyhiws.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1960
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:3724
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:4144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1144

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2708
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
418KB

MD5
bf387f2a46be730b21a01b2fc5b7274e

SHA1
a17861e9d14f9cbb9f36ad193c93f00b21923e57

SHA256
c71c1e7a38a43cd3af0b5856440ce52644ee80f6840435ea09a8e4f6480b1577

SHA512
2d88db8e51ba5f39e213a46191805de5afee282b57cc19ca7fe245f2b8ca2fafe524467590aae40d4b4e1a4023dc11dbef492df4e836bea3766656a1f1a30170

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
304KB

MD5
ae95a471b33b54f092f769592f425214

SHA1
51d4c06912c6008936e1bee7827cc917edbfb5ba

SHA256
691ab63ff7f5cf002c94386adb70e3795d85b2d2eb7dab0da4c5e7fdaa401f27

SHA512
141c70f3f62ae3a4c8805de9b796115c843bfb1f87802b620d8b11d44b43f29bc53575b4381e722889cc7069c352fbf985b257130d0d1da2bd17a3918cf0987e

Download Submit
memory/1960-0-0x00007FF627CD0000-0x00007FF62870D000-memory.dmp

Filesize
10.2MB

Download
memory/1960-2-0x00007FF627CD0000-0x00007FF62870D000-memory.dmp

Filesize
10.2MB

Download
memory/2708-6-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2708-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2708-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2708-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2708-13-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2708-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3096-5-0x00007FF668D20000-0x00007FF66975D000-memory.dmp

Filesize
10.2MB

Download
memory/3096-24-0x00007FF668D20000-0x00007FF66975D000-memory.dmp

Filesize
10.2MB

Download
memory/3572-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-15-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-14-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-26-0x00000195E99F0000-0x00000195E9A10000-memory.dmp

Filesize
128KB

Download
memory/3572-16-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-32-0x00000195E9B60000-0x00000195E9BA0000-memory.dmp

Filesize
256KB

Download
memory/3572-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3572-35-0x00000195E9BB0000-0x00000195E9BD0000-memory.dmp

Filesize
128KB

Download
memory/3572-36-0x00000195E9BB0000-0x00000195E9BD0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads