xmrig | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30

General

Target

tmp.exe
Size

6.4MB
MD5

2eafb4926d78feb0b61d5b995d0fe6ee
SHA1

f6e75678f1dafcb18408452ea948b9ad51b5d83e
SHA256

50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30
SHA512

1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e
SSDEEP

196608:1pznZ/ySos+NnrlQ5jrNoIgDJ0I6x/oAP:1pDZk9LQ5vNdeJ0IC

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1048-15-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-16-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-19-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-20-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-29-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iojmibhyhiws.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe

Executes dropped EXE 1 IoCs

Processes:

iojmibhyhiws.exe

pid process

2360 iojmibhyhiws.exe

pid	process
2360	iojmibhyhiws.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iojmibhyhiws.exe

description	pid	process	target process
PID 2360 set thread context of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 set thread context of 1048	2360	iojmibhyhiws.exe	conhost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1040 sc.exe
412 sc.exe
1808 sc.exe
1504 sc.exe

pid	process
1040	sc.exe
412	sc.exe
1808	sc.exe
1504	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exeiojmibhyhiws.execonhost.exe

pid	process
516	tmp.exe
516	tmp.exe
516	tmp.exe
516	tmp.exe
516	tmp.exe
2360	iojmibhyhiws.exe
2360	iojmibhyhiws.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe
1048	conhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

conhost.exe

description pid process

Token: SeLockMemoryPrivilege 1048 conhost.exe

description	pid	process
Token: SeLockMemoryPrivilege	1048	conhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cmd.exeiojmibhyhiws.exe

description	pid	process	target process
PID 816 wrote to memory of 4828	816	cmd.exe	choice.exe
PID 816 wrote to memory of 4828	816	cmd.exe	choice.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 2196	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe
PID 2360 wrote to memory of 1048	2360	iojmibhyhiws.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
PID:516
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:1040
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "FLWCUERA"
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1504

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2196
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
451KB

MD5
26361799f681527faed4fdda35ea4c04

SHA1
d5dd56b73e18a78d45eab9ec5cf2ee9a6f579013

SHA256
d71162cf89b941f010d7160c692bc0a012d25540d162d7d7375219d7c79d3c9f

SHA512
3d5fe0b9a0de180e3ed2b36f2dc9607f804af6fd988b002690d838a27796905915f3c758e857e06e2838e052e5d2e7385ce5d0ad28a34e1e76dfc97ec6ad87c7

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

Filesize
553KB

MD5
619bb6bf7d5b25af646fb985a5de73f6

SHA1
b38c19865f651d29b6ad6f8320b648c2cb17da4f

SHA256
e7684466ce1a7098ea859e3f2f6fc2cb5001ed29ed19a7bb41664f88145c4c65

SHA512
a5356e0bc140115a2b8d952896ddc77665c8343b59aea7d757f5d36c73fe88c8bf281e521aeebdbc461d382edc4503838fbafbe7d45964297270d97620a3bffd

Download Submit
memory/516-0-0x00007FF75D7E0000-0x00007FF75E21D000-memory.dmp

Filesize
10.2MB

Download
memory/516-2-0x00007FF75D7E0000-0x00007FF75E21D000-memory.dmp

Filesize
10.2MB

Download
memory/1048-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-36-0x000001C556190000-0x000001C5561B0000-memory.dmp

Filesize
128KB

Download
memory/1048-35-0x000001C556190000-0x000001C5561B0000-memory.dmp

Filesize
128KB

Download
memory/1048-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-14-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-32-0x000001C556170000-0x000001C556190000-memory.dmp

Filesize
128KB

Download
memory/1048-15-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-16-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-19-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-26-0x000001C555AA0000-0x000001C555AC0000-memory.dmp

Filesize
128KB

Download
memory/1048-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-29-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2196-6-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2196-7-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2196-13-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2196-10-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2196-9-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2196-8-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2360-5-0x00007FF6F6D10000-0x00007FF6F774D000-memory.dmp

Filesize
10.2MB

Download
memory/2360-25-0x00007FF6F6D10000-0x00007FF6F774D000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads