xmrig | bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

General

Target

file.exe
Size

2.6MB
MD5

34d4591575fdbde20d36469f54b0022f
SHA1

0a938faca18c4733bc5fad3b1ae8c523eebcba86
SHA256

bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f
SHA512

daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643
SSDEEP

49152:CrifRBLHC9vvGmkPqzwhzcVUjEBjALZSIlvPfcM/uW8/ae89VqyJBbtKn7:CrALHC9vGm6hILBjALUIlvPUM2W3e89I

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2584-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-15-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-16-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2584-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2584	cmd.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
484	Process not Found
3004	uyzpsnbeowaz.exe

Loads dropped DLL 1 IoCs

pid	Process
484	Process not Found

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-8-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-15-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-16-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2584-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 2584	3004	uyzpsnbeowaz.exe	49

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2712	sc.exe
2856	sc.exe
2428	sc.exe
2792	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2180	file.exe
2180	file.exe
2180	file.exe
2180	file.exe
2180	file.exe
2180	file.exe
2180	file.exe
2180	file.exe
3004	uyzpsnbeowaz.exe
3004	uyzpsnbeowaz.exe
3004	uyzpsnbeowaz.exe
3004	uyzpsnbeowaz.exe
3004	uyzpsnbeowaz.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeShutdownPrivilege	2992	powercfg.exe
Token: SeShutdownPrivilege	2084	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeShutdownPrivilege	2800	powercfg.exe
Token: SeShutdownPrivilege	2620	powercfg.exe
Token: SeShutdownPrivilege	2608	powercfg.exe
Token: SeShutdownPrivilege	2808	powercfg.exe
Token: SeLockMemoryPrivilege	2584	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2584	3004	uyzpsnbeowaz.exe	49
PID 3004 wrote to memory of 2584	3004	uyzpsnbeowaz.exe	49
PID 3004 wrote to memory of 2584	3004	uyzpsnbeowaz.exe	49
PID 3004 wrote to memory of 2584	3004	uyzpsnbeowaz.exe	49
PID 3004 wrote to memory of 2584	3004	uyzpsnbeowaz.exe	49

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2792
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "EUJBTPMK"
  2⤵
  - Launches sc.exe
  PID:2856

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.3MB

MD5
262ba6622a04f60a1e9f77a1352ef683

SHA1
e5eb7bff7f467a6adb8e2d7b82ec07c14b225da7

SHA256
c4ee68203eec34239f93849018a0c2312d03747e908dda96ef120f58dd29d49d

SHA512
16d3c4e7ce7288db3dde123ee1d366603e01ea5c0863f45f6280fdd580895b35c2bfa187cdecebe2e15deff7641dda16db66c0c96e639515baeb5ffe29c5553e

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
1.3MB

MD5
44990a2b3f1ae344a1aecd8395f82239

SHA1
714366e1d068c6fa7b2ccb2a527b4778701f1563

SHA256
29fb2148560009034623d26fa18d6739490b4f3ba43fc1dba3dffb809a7e8bd3

SHA512
dac22f6c52819f02e866f6f1153eb7aeb8f12ceb4957e876720037124dd85065ad77f3b67a8f2566aa10cc32c4c6398a9993cac0e7986f8c658fcf9206182ea4

Download Submit
\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe

Filesize
992KB

MD5
78ad82a3495267fce625d1027fc33881

SHA1
4015eac1cc43654eab70c01090a5672503fc74c8

SHA256
3b951be34b4881523dd931b4b4ecd0a598001ed54b5f474504c7ad6650f82349

SHA512
546d32974e03a81d89eee413410bfb18b756f82b16f8ef91d04656b4187002a6c61e7ccbe82e785f01b6856b790a85f1d613df641b4be3a0232bd12958292764

Download Submit
memory/2584-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-15-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-8-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-12-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2584-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-16-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-20-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/2584-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2584-21-0x0000000000840000-0x0000000000860000-memory.dmp

Filesize
128KB

Download
memory/2584-22-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/2584-23-0x0000000000840000-0x0000000000860000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing