xmrig | 4bd8648e1321262d988f1379ffc4d752dfffd5b0de4b16d2ece6fd5965bca31e

General

Target

file.exe
Size

2.5MB
MD5

a23e64ae9179c3bf6a1850591d541b29
SHA1

a2cac962fb9004a523a17251243b49d52046fc1d
SHA256

4bd8648e1321262d988f1379ffc4d752dfffd5b0de4b16d2ece6fd5965bca31e
SHA512

4c0706d8519fc5fff3fa0a32a18b2d027079dd323772db28c9753ae05e1af16072c66c6fadcaf9e13c6703f480174294d353ec0d3e2297145f052c70b43bd403
SSDEEP

49152:LBVf/W4kQiybZloH6WUgJAB+FTB0TH1bEwfUcLfBlJzHpr1StId:NVf/7bbZloHS/B+FTB/wfPnJz/S

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/2224-9-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-12-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-20-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-22-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-23-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2224-21-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
3020	juqermtyedmi.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2224-4-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-12-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-20-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2224-21-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2224	3020	juqermtyedmi.exe	101

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2756	sc.exe
2352	sc.exe
4920	sc.exe
396	sc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3336	file.exe
3336	file.exe
3336	file.exe
3336	file.exe
3020	juqermtyedmi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2224	explorer.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2224	3020	juqermtyedmi.exe	101
PID 3020 wrote to memory of 2224	3020	juqermtyedmi.exe	101
PID 3020 wrote to memory of 2224	3020	juqermtyedmi.exe	101
PID 3020 wrote to memory of 2224	3020	juqermtyedmi.exe	101
PID 3020 wrote to memory of 2224	3020	juqermtyedmi.exe	101

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "AFCCSAOG"
  2⤵
  - Launches sc.exe
  PID:2756
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "AFCCSAOG" binpath= "C:\ProgramData\wpiqbfamrwgt\juqermtyedmi.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4920
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "AFCCSAOG"
  2⤵
  - Launches sc.exe
  PID:396

C:\ProgramData\wpiqbfamrwgt\juqermtyedmi.exe
C:\ProgramData\wpiqbfamrwgt\juqermtyedmi.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wpiqbfamrwgt\juqermtyedmi.exe

Filesize
2.0MB

MD5
820a350eea4f3678d14cb6e80700a457

SHA1
f845117514e3628b5e87ce7479014387b948c2e7

SHA256
a8ed8024e59910cce07f0be7d07930b6603b37bf400b88961a42431a6bcec20e

SHA512
2008dc383637b486d98e6ead5de9f1d72e7743b13453cf1fa03e63b5128e6210bfb0b986c77b1a32949bfca897f56abed8fe8f48e3773a742cb5219707faaf8d

Download Submit
C:\ProgramData\wpiqbfamrwgt\juqermtyedmi.exe

Filesize
1.1MB

MD5
c1c9fe11d067c74777887d6633a55a26

SHA1
d1762011a1d210a7cabfc0c588f2c5ee865af73d

SHA256
99e345fed42e9f6c9181a6cfda11782cef43c5a40d6ab5f58aceea95c532fa7c

SHA512
04eae0df37890bab95a38275906c48d4b7c6b884b6f6e1f96f956335241e2429abd5622b71baf2ff41adf82b6ca591cc64fba8f774b84d0370ced91393032bb8

Download Submit
memory/2224-4-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-11-0x0000000000980000-0x00000000009A0000-memory.dmp

Filesize
128KB

Download
memory/2224-12-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-19-0x00000000017E0000-0x0000000001800000-memory.dmp

Filesize
128KB

Download
memory/2224-20-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-25-0x0000000011920000-0x0000000011940000-memory.dmp

Filesize
128KB

Download
memory/2224-24-0x0000000011900000-0x0000000011920000-memory.dmp

Filesize
128KB

Download
memory/2224-21-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2224-26-0x0000000011900000-0x0000000011920000-memory.dmp

Filesize
128KB

Download
memory/2224-27-0x0000000011920000-0x0000000011940000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing