xmrig | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

General

Target

tmp.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2688-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2688-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeiojmibhyhiws.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2824 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

iojmibhyhiws.exe

pid process

480
2804 iojmibhyhiws.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

480

pid	process
2824	cmd.exe

pid	process
480
2804	iojmibhyhiws.exe

pid	process
480

Suspicious use of SetThreadContext 2 IoCs

Processes:

iojmibhyhiws.exe

description	pid	process	target process
PID 2804 set thread context of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 set thread context of 2688	2804	iojmibhyhiws.exe	conhost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2808 sc.exe
2764 sc.exe
2404 sc.exe
2564 sc.exe

pid	process
2808	sc.exe
2764	sc.exe
2404	sc.exe
2564	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exeiojmibhyhiws.execonhost.exe

pid	process
2896	tmp.exe
2896	tmp.exe
2896	tmp.exe
2896	tmp.exe
2896	tmp.exe
2804	iojmibhyhiws.exe
2804	iojmibhyhiws.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe
2688	conhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

conhost.exe

description pid process

Token: SeLockMemoryPrivilege 2688 conhost.exe

description	pid	process
Token: SeLockMemoryPrivilege	2688	conhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exeiojmibhyhiws.exe

description	pid	process	target process
PID 2824 wrote to memory of 2852	2824	cmd.exe	choice.exe
PID 2824 wrote to memory of 2852	2824	cmd.exe	choice.exe
PID 2824 wrote to memory of 2852	2824	cmd.exe	choice.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2528	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe
PID 2804 wrote to memory of 2688	2804	iojmibhyhiws.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2896
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2404
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2852
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:2808
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2764

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
1⤵
PID:2528

C:\Windows\system32\conhost.exe
conhost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
212KB

MD5
852812f485ad3af21709b9dc48a502d7

SHA1
b20e5d91524f8e9767d0e92842ec6cc05a9cc890

SHA256
9d909fe7b56be06e3372ccfec2dae90c467221b00104a5b58691a60193ceaa74

SHA512
73d8e3a7a425621c1ca6d89b8358631dbb89e51d404394ced8beab40c1d6c0fbabfae43ed06b7f17735e852c6382c8cf35b911a95355f0d087e0ca7c7c4a33af

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
517KB

MD5
9fa7e887f34fa495d82c0c8aebe93bdf

SHA1
3d15f5995dfa114e2c724b602beb5e58b811ccbe

SHA256
bb8649aa669d1176239d9b4ccd8c7b69de4b8239ff613ccbca42107989f1251b

SHA512
48154702424573c927068498667b8626d089b36d040fb87e39aba40f75c8a25d02a70ac5c9fa9a91722d4f46a91783ffb58183292a6dd1a2369fb739fd138997

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
689KB

MD5
c7bf38597e5ae927b92dc39580e048d5

SHA1
46502dc83422fc5295e57b87263f45cb9d133daa

SHA256
42e60336c51b1ef0e725ed977a90f4e3624cc73b32cfa01ac2b8bbc1494ae315

SHA512
5c71542ff8f37f5123aecc1cc259693a430f4f10642b10ddd1c9854706b024e154a94ea7ed40dc6eb484366122f6aa7a7a2637ed0b6cbea86b432a9bad2b266e

Download Submit
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
309KB

MD5
c5a04cbf0a922c0c513449c6f8ced0f8

SHA1
29893e5b3aa91fbd0a93a2816b992ac8184da5be

SHA256
40fc874f0254fcc6a4fe9d2a586dc9e623ac136d8f48c57fc353a3758ba651f8

SHA512
7167e45c9645bf6ce55db5d9333e19ab29bf1a4e1e4909e6a10ce2638a03e4c0775675e78c822305485310a359e0987146b4aaa52265d768ec1e2174c75179a3

Download Submit
memory/2528-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2528-11-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2528-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2528-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2528-13-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2528-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2688-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-37-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/2688-16-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-36-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/2688-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-28-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2688-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2688-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2804-6-0x000000013FC60000-0x000000014069D000-memory.dmp

Filesize
10.2MB

Download
memory/2804-26-0x000000013FC60000-0x000000014069D000-memory.dmp

Filesize
10.2MB

Download
memory/2896-0-0x000000013F0B0000-0x000000013FAED000-memory.dmp

Filesize
10.2MB

Download
memory/2896-2-0x000000013F0B0000-0x000000013FAED000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads