xmrig | dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806

General

Target

file.exe
Size

2.5MB
MD5

5dec9f02f7067194f9928e37ed05c8f6
SHA1

06f13ca068514d08f0595ded4ef140078888235a
SHA256

dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806
SHA512

98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c
SSDEEP

49152:A0jhMlqDbsynliN2InCFvy0l2aMEBLWw/3Ry0rP3Fga/EO7xhbAIXdTBpox:QyliNjnCFvxMEWw/hy0bFga/d7vbASB2

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2772-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2772-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

uwgxswmtctao.exe

pid process

468
2788 uwgxswmtctao.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

468

pid	process
468
2788	uwgxswmtctao.exe

pid	process
468

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2772-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2772-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

uwgxswmtctao.exe

description pid process target process

PID 2788 set thread context of 2772 2788 uwgxswmtctao.exe explorer.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2036 sc.exe
2676 sc.exe
2420 sc.exe
2240 sc.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

file.exeuwgxswmtctao.exe

pid process

2004 file.exe
2004 file.exe
2004 file.exe
2004 file.exe
2788 uwgxswmtctao.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

explorer.exe

description pid process

Token: SeLockMemoryPrivilege 2772 explorer.exe

description	pid	process	target process
PID 2788 set thread context of 2772	2788	uwgxswmtctao.exe	explorer.exe

pid	process
2036	sc.exe
2676	sc.exe
2420	sc.exe
2240	sc.exe

pid	process
2004	file.exe
2004	file.exe
2004	file.exe
2004	file.exe
2788	uwgxswmtctao.exe

pid	process
468

description	pid	process
Token: SeLockMemoryPrivilege	2772	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

uwgxswmtctao.exe

description	pid	process	target process
PID 2788 wrote to memory of 2772	2788	uwgxswmtctao.exe	explorer.exe
PID 2788 wrote to memory of 2772	2788	uwgxswmtctao.exe	explorer.exe
PID 2788 wrote to memory of 2772	2788	uwgxswmtctao.exe	explorer.exe
PID 2788 wrote to memory of 2772	2788	uwgxswmtctao.exe	explorer.exe
PID 2788 wrote to memory of 2772	2788	uwgxswmtctao.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "ACULXOBT"
  2⤵
  - Launches sc.exe
  PID:2240
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2036
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "ACULXOBT"
  2⤵
  - Launches sc.exe
  PID:2420

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

Filesize
2.2MB

MD5
09f8a4e0014fd1a8cce243421636e902

SHA1
a3d194c6e8e9fb490c0aa29710ef37d5ab2bd5b7

SHA256
3f8052a8269cbb14b95b716314d5fa5ea6e2868ca92030f098d4f76110c56b8f

SHA512
556fb52831eee566ff6eac9f2314229dd1174ac2319038e50593cbd3c5a5016d86056fec8e739719ab829e636fcf30b67dcac9dce825366e84c5fdb8b1eb0934

Download Submit
\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

Filesize
2.3MB

MD5
309e1aed82bda4ea4091cdbf8c515391

SHA1
984e57e9aa44b8575f49792ea7c3159811fb0eb7

SHA256
b75abca8af89ebb007fdc6f680b56f1439b0bfbd2087022d6e4fdf975d617e36

SHA512
770dee23540d4d395078c8ad851fdc0a4887899c9050d8bf642d7c27e0e314d25cba42722354b64c0b500d44b835484004fca50e9bdb6f4a4b1472d36952ea05

Download Submit
\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

Filesize
2.5MB

MD5
5dec9f02f7067194f9928e37ed05c8f6

SHA1
06f13ca068514d08f0595ded4ef140078888235a

SHA256
dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806

SHA512
98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c

Download Submit
memory/2772-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2772-20-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/2772-21-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/2772-22-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/2772-23-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads